Kazakhstan enables interception of HTTPS traffic of its citizens

Authorities in Kazakhstan have asked all major local ISPs to require their customers to install government-issued root certificates. Some major ISPs have started redirecting all users' HTTPS requests to a page with instructions for installing the national root certificates. This is the second attempt to implement the amendments to the national Communications Law passed in 2015. While the government and ISPs advertise the step as a security measure to reduce fraud and cybercrime, experts warn that it will allow authorities to invisibly intercept all of their citizens' communications with global HTTPS sites through a man-in-the-middle approach: ISPs will be able to redirect encrypted traffic intended for global services to dedicated local snooping servers that pretend to be the requested service, and user devices will trust those servers because of the bogus certificates issued under the government root. In addition, criminals may exploit the fact that the new certificates can only be downloaded from HTTP sites and plant their own bogus certificates on computers around the country. Major browser makers, including Google, Mozilla and Microsoft, are discussing how to deal with sites that have been (re-)encrypted under the Kazakh government's root certificate, ZDNet reports.
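A defender-side check for the interception described above: compare the roots in a machine's trust store against a baseline of expected root fingerprints, and flag a TLS chain that terminates in a root outside that baseline. This is an added example, not code from the page or from ZDNet; the baseline values and DER byte strings are constructed placeholders, and `audit_system_store` assumes the interpreter's default trust store is the one to inspect.

```python
import hashlib
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der_cert).hexdigest()


def unexpected_roots(der_certs, baseline):
    """Return the DER roots present in a store but absent from the baseline.

    baseline is a set of SHA-256 fingerprints exported from a machine that is
    known to be clean (or derived from the OS/Mozilla vendor bundle)."""
    return [cert for cert in der_certs if fingerprint(cert) not in baseline]


def chain_roots_in_baseline(chain_der, baseline):
    """True when the last certificate of a leaf-first chain is a baseline root.

    A chain that ends in an unlisted root (for example a locally installed
    government CA) means the peer is not the genuine remote service."""
    if not chain_der:
        return False
    return fingerprint(chain_der[-1]) in baseline


def audit_system_store(baseline):
    """Load the default trust store and report roots missing from baseline."""
    ctx = ssl.create_default_context()
    return unexpected_roots(ctx.get_ca_certs(binary_form=True), baseline)


if __name__ == "__main__":
    # Constructed sample store: two expected public roots and one injected root.
    public_a = b"constructed DER bytes of public root A"
    public_b = b"constructed DER bytes of public root B"
    injected = b"constructed DER bytes of a locally installed root"
    baseline = {fingerprint(public_a), fingerprint(public_b)}

    for cert in unexpected_roots([public_a, injected, public_b], baseline):
        print("unexpected root in store:", fingerprint(cert))

    # A chain presented by an interception proxy ends in the injected root.
    proxy_chain = [b"constructed leaf", b"constructed intermediate", injected]
    print("chain trusted by baseline:", chain_roots_in_baseline(proxy_chain, baseline))
```

Run `audit_system_store(baseline)` with a baseline exported from a clean image to list any root that was added to the local store afterwards.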