The government of Kazakhstan forcibly decrypts part of its citizens' internet traffic

In July 2019 the government of Kazakhstan started enforcing a policy under which web browser users are required to install a specific government-issued root certificate on their computers. Because browser encryption (SSL/TLS, i.e. HTTPS) trusts any server certificate that chains to an installed root, whoever holds that root's private key can issue certificates for any site and sit in the middle of the connection, which lets the government decrypt the traffic.

According to a study by the Censored Planet lab at the University of Michigan (https://censoredplanet.org/kazakhstan), the interception targets include Gmail, Google, Facebook, Messenger, mail.ru, translate.google.com, Instagram and YouTube. "With these fake certificates, the attacker can impersonate any website, modifying its content or recording exactly what users do or post on the site." When a selected user tries to connect to one of the selected servers, the internet service provider intercepts the connection and presents a certificate issued under the government root; unless that root has been installed, the browser rejects the certificate and the connection fails.

This should be a warning to anyone who relies solely on web browser or SSL/TLS based protection. Note also that the intercepted traffic can be decrypted, modified, re-encrypted and forwarded to the intended recipient by the government, so integrity is lost along with confidentiality. For email encryption this means that an additional layer of encryption performed in the browser (such as PGP implemented in JavaScript served by the website) gives no protection against this kind of attack: the JavaScript code that does the PGP encryption can be modified while it is being intercepted, and the modified code can deliver the user's PGP private key, or the plaintext itself, to the attacker.

A certificate that enables the same attack can also be installed by a company's security personnel (firewalls and proxies are routinely used in companies to decrypt SSL/TLS/HTTPS traffic in order to scan it for malware), by an evil maid or a customs officer with physical access to the computer, or by malware running on the user's computer.

In March 2017 WikiLeaks published documents from the hacking arsenal of the CIA (the Central Intelligence Agency of the USA). Some of those documents contain advice for CIA malware developers: 'DO NOT solely rely on SSL/TLS to secure data in transit. Numerous man-in-middle attack vectors ... '. To read more about the risks of browser based encryption, see our risks of SSL page.

On August 21, 2019 the Chrome, Safari and Firefox browsers started to refuse this specific certificate from the government of Kazakhstan and show an error when a site presents it, even on computers where the user has installed the root, see
https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/
and
https://security.googleblog.com/2019/08/protecting-chrome-users-in-kazakhstan.html
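The mechanism described on this page, as an added example (written for this page; it is not code from Censored Planet, Mozilla or Google): a Go program that creates a constructed "interception root", mints a certificate for mail.google.com under it, and shows that the forged chain fails verification while the root is absent from the trust store and passes once it has been installed, then applies the kind of fingerprint blocklist the browsers shipped in August 2019. The CA names, serial numbers and the blocklist contents are assumptions made for the example; the real Kazakh certificate's fingerprint is not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign issues tmpl under parent; a nil parent makes it self-signed, i.e. a root.
func sign(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// template builds a root CA template or a server template for the named host.
// Every certificate in this file is constructed for the example; none relates
// to any real root.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// verifyChain does what a browser does on connect: chain the server's
// certificate to some root in the trust store, for the requested host.
func verifyChain(leaf *x509.Certificate, host string, roots ...*x509.Certificate) ([][]*x509.Certificate, error) {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	return leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
}

// rootBlocked reports whether any verified chain ends in a root whose SHA-256
// fingerprint is blocklisted, a check applied regardless of the local trust store.
func rootBlocked(chains [][]*x509.Certificate, blocklist map[[sha256.Size]byte]bool) bool {
	for _, chain := range chains {
		if blocklist[sha256.Sum256(chain[len(chain)-1].Raw)] {
			return true
		}
	}
	return false
}

// runScenario returns the verification error with only a public root trusted, the
// error once the interception root is installed too, and whether the blocklist catches it.
func runScenario(host string) (publicOnlyErr, withInterceptErr error, blocked bool, err error) {
	publicCA, _, err := sign(template("Constructed Public Root CA", 1, true), nil, nil)
	if err != nil {
		return
	}
	interceptCA, interceptKey, err := sign(template("Constructed Interception Root", 2, true), nil, nil)
	if err != nil {
		return
	}
	// The interceptor mints a certificate for the target site under its own root.
	leaf, _, err := sign(template(host, 3, false), interceptCA, interceptKey)
	if err != nil {
		return
	}
	// 1. Without the interception root in the trust store the chain is rejected.
	_, publicOnlyErr = verifyChain(leaf, host, publicCA)
	// 2. Once the user has installed that root, the forged certificate verifies.
	chains, withInterceptErr := verifyChain(leaf, host, publicCA, interceptCA)
	// 3. A blocklist keyed on the root's fingerprint catches it anyway.
	blocked = rootBlocked(chains, map[[sha256.Size]byte]bool{sha256.Sum256(interceptCA.Raw): true})
	return
}

func main() {
	fmt.Println(runScenario("mail.google.com"))
}
```

Run it with go run: the first value printed is the "certificate signed by unknown authority" error, the second is nil because the trust store now contains the interception root, and the third is true. The third step is the point: a blocklist keyed on the root's fingerprint works even when the user's own trust store says the root is fine, which is why the browser vendors could neutralise the certificate without touching anything on users' machines.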

On December 6, 2020 Kazakhstan re-activated this campaign; see the Censored Planet report "Kazakhstan’s HTTPS Interception Live (Again)".