On July 17th, 2019, the government of Kazakhstan enacted a new cybersecurity measure that aims to spy on its citizens\u2019 internet traffic. Specifically, the Kazakh government ordered all of the internet service providers (ISPs) to force their customers to install a government-issued root certificate by Qaznet Trust Network on all of their internet accessing devices. If installed, this MITM cert allows the government to intercept, decrypt, analyze, then re-encrypt all browser encrypted HTTPS traffic in a country wide man-in-the-middle (MITM) attack. Since Wednesday, Kazakh internet users have been redirected to instructional pages asking them to install the new certificate. Forcing all of Kazakhstan\u2019s internet through one government issued certificate is a gargantuan privacy issue, but it is also a security issue. Any hacker that gets control of the Quaznet domain will be able to view the supposedly encrypted personal information from Kazakh internet users. Passwords, usernames, credit card information, all of it would be available unencrypted in such a scenario.<\/p>\n
To their credit, a Kazakh official clarified<\/a> on July 19th, 2019 that the installation of the certificate was voluntary and not a prerequisite to accessing the internet.<\/p>\n Officials from the Ministry of Digital Development, Innovation and Aerospace stated<\/a> that the new rule was \u201caimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats,\u201d but that clearly doesn\u2019t seem to be the case. Messaging on the MITM cert install page by one Kazakh service provider, Kcell, specified what some of those \u201cother types of cyber threats\u201d just might be:<\/p>\n \u201cA security certificate is a set of electronic digital symbols used to pass traffic that contains protocols that support encryption. Thus, it will allow Kazakhstani Internet users to be protected from hacker attacks and viewing illegal content.\u201d<\/p><\/blockquote>\n The notice-to-be-mitm also specifies that Linux users are exempt from downloading this rogue cert:<\/p>\n \u201c[\u2026] the installation of a security certificate must be performed from each device that will be used to access the Internet (mobile phones and tablets based on iOS \/ Android, personal computers and laptops based on Windows \/ MacOS).\u201d<\/p><\/blockquote>\n The privacy and cryptography community online has responded with a particular uproar. MITM attacks by ISPs<\/a> are bad enough when it\u2019s done by the ISP for economic gain reasons. When it\u2019s ordered by a government which overseas millions of citizens, it is a look into the future dystopia. If Kazakhstan succeeds in this, the country will join North Korea in a short list of countries that have more of an intranet than an internet. The real fear, which Dr. Green articulates concisely, is the thought of tech-illiterate<\/a> politicians in democratic governments around the world salivating at the mouth while considering Kazakhstan\u2019s new internet policy as a good one.<\/p>\n This is the future all those cypherpunks warned us about. Let\u2019s hope the West sees the danger, and doesn\u2019t look on with admiration.<\/p>\n \u2014 Matthew Green (@matthew_d_green) July 19, 2019<\/a><\/p><\/blockquote>\n\n