Kazakhstan ISPs must intercept https traffic by government order

Citizens in Kazakhstan who want to use the internet are told that they must first install a root SSL certificate. With that certificate, providers can intercept all https traffic, at the behest of the government.

Internet service providers in Kazakhstan have been ordered by the country’s government to force users to install a government root certificate in their browsers if their customers want to access the Internet. The providers redirect internet users to pages with instructions on how to install the ‘Qaznet Trust Network’ certificate and they send text messages to customers about the requirements.

Once the root certificate is installed and trusted, the providers can decrypt SSL/tls traffic like a man in the middle while browsers declare the connection safe and encrypted. This gives the government insight into the traffic that would be needed to ‘improve the protection of citizens, governments and companies against attacks, internet fraud and other threats’.

At the end of 2015, the Kazakh government already wanted to implement a similar plan, ZDNet writes. Due to resistance from providers, banks and other countries, the government decided against it. Mozilla also refused to cooperate with a request to add a root certificate to Firefox.

Even now there is resistance. Several users are raising the issue with Mozilla requesting that the Qaznet Trust Network certificate authority be blacklisted. This would mean that the browser in Kazakhstan will hardly be usable anymore. Proponents hope that other browsers will follow. Opponents of this plan point out that the government could fork an open source browser project like Chromium with the man-in-the-middle certificate integrated. There are also voices calling for a warning to users that browsing sessions are conducted via a non-standard certificate, with possible interception as a result.