On Wednesday, Google, Apple, and Mozilla said their web browsers will block the Kazakhstan root Certificate Authority (CA) certificate – following reports that ISPs in the country have required customers to install a government-issued certificate that enables online spying.
According to the University of Michigan’s Censored Planet project, the country’s snoops “recently began using a fake root CA to perform a man-in-the-middle (MitM) attack against HTTPS connections to websites including Facebook, Twitter, and Google.”
A root CA certificate can, to put it simply, be abused to intercept and access otherwise protected communication between internet users and websites.
The Censored Planet report indicates that researchers first detected data interception on July 17, a practice that has continued intermittently since then (though discussions of Kazakhstan’s possible abuse of root CA certificates date back several years).
The interception does not appear to be widespread – it’s said to affect only 459 (7 per cent) of the country’s 6,736 HTTPS servers. But it affects 37 domains, largely social media and communications services, including domains belonging to Google, Facebook, and Twitter, among others.
Kazakhstan has a population of 18m and 76 per cent internet penetration, according to advocacy group Freedom House, which rates it 62 on a scale of 100 for lack of internet freedom – 100 means no internet access.
Two weeks ago, the government of Kazakhstan said it had discontinued its internet surveillance scheme, initially justified as a way to improve cybersecurity, after lawyers in the country criticized the move.
In notifications to Kazakhstani telecom customers, mobile operators maintained that the government-mandated security certificate represented a lawful demand. Yet, in a statement on August 6, the National Security Committee of the Republic of Kazakhstan said the certificate requirement was just a test, and a successful one at that. And the committee provided instructions for removing the certificate from Android, iOS and Windows devices.
In 2015, Kazakhstan tried to get its root CA certificate into Mozilla’s trusted root store program but was rebuffed, and then tried to get its citizens to install the cert themselves until thwarted by legal action.
“As far as we know, the installation of the certificate is not legally required in Kazakhstan at this time,” a Mozilla spokesperson said in an email to The Register.