- Government of Kazakhstan asks its citizens to install a digital certificate
- The request comes under the pretext of improving the nation’s security
- Installing the certificate allows the government to intercept and decrypt traffic of any website it wishes
- Citizens must choose between having their web traffic intercepted and being blocked from the web’s most popular sites, such as Google and Facebook
- This tactic of mass surveillance will have many unintended negative consequences that will be felt for years to come
An increasing number of businesses are legitimately intercepting encrypted traffic on their networks. It’s pretty much a necessity today. With encrypted web traffic now surpassing 90%, it’s essential to inspect all traffic to ensure that Joe in Marketing isn’t accidentally downloading malware onto his corporate laptop during a lunch break.1 While many organisations allow some encrypted traffic to bypass security filters (such as employees’ visits to banking and healthcare sites), the risk of not intercepting general web browsing is simply too high, since malware often uses encryption to evade security controls. Without decrypting web traffic, products such as anti-virus scanners and data leakage prevention (DLP) tools are all but useless, because they cannot inspect content they cannot read. Crucially, this interception of encrypted traffic by businesses is not only contractually permitted, it’s easy for them to conduct, since they own the assets and the working time of the employee.
Whether a cybercriminal is trying to steal data or a national government is attempting to perform mass surveillance, intercepting encrypted traffic is much more difficult without direct control over end user devices (such as laptops and mobile phones). To intercept encrypted traffic without the browser raising an alarm, the interceptor needs a root certificate it controls installed in the device’s trust store; with that in place it can issue a certificate for any site it likes, and the browser will accept it.
For years the nation of Kazakhstan has asked Mozilla to add the nation’s root certificate to the list of trusted root certificates2 shipped in its popular Firefox web browser. Fearing government overreach and misuse, Mozilla has always declined, and for good reason: there are many examples of root certificates being abused, allowing potentially anyone to spy on the encrypted web traffic of others.3, 4
Last week, however, Kazakhstan gave up asking nicely and instead simply instructed its citizens to manually install the national security certificate which, in a flash of social engineering inspiration, is simply called “Security Certificate.”
You may be surprised to see the comforting symbol of the green padlock and ask yourself why no security warnings were shown. Browsers are constantly on the lookout for rogue certificates and malicious interception. However, when someone installs a root certificate, they are explicitly telling their browser to trust every certificate that this new root subsequently signs, so the browser has no reason to distrust this certificate for www.google.com. Certificate pinning offers no protection here either: mainstream browsers deliberately skip pin checks for chains that end in a user-installed root, precisely so that corporate interception keeps working.
What Happened
Beginning on July 18, 2019, some citizens in Kazakhstan received notifications from their ISPs that they were required to install a security certificate or face interruption to their web traffic. European telecommunications operator Tele2 sent SMS messages to its customers1 (see Figure 2) and also created a web page explaining how to install the “safety certificate.”