Kazakh government will intercept the nation’s HTTPS traffic

Internet service providers (ISPs) based in Kazakhstan are being instructed to force their users to install government-issued root certificates on their devices to allow agencies to intercept web traffic.

The increasingly widespread Hypertext Transfer Protocol Secure (HTTPS) refers to the transmission of data, ordinarily sent via HTTP, over an encrypted connection instead. It's said to raise the level of security and privacy for web users.

The Kazakh government, however, has taken concrete steps towards bypassing this added layer of protection by launching an encryption-busting Qaznet Trust Certificate in the nation's capital Nur-Sultan, according to local media. This technique is more commonly known in security circles as a man-in-the-middle (MitM) attack.

When users install the certificate, government agencies are able to decrypt HTTPS traffic, examine its contents, and re-encrypt it using the certificate before it's sent on to its destination.
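One way a defender could spot this kind of interception from the client side, as an added example that is not part of the original article: compare the issuer of each site's certificate as seen on the network under test with the issuer recorded from a trusted vantage point. The host names, CA names and the helpers `issuer_field`, `find_interception` and `sample_cert` are constructed for illustration; the dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
from collections import Counter


def issuer_field(cert, field="commonName"):
    """Return one issuer attribute from an ssl.SSLSocket.getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def find_interception(observed, baseline, min_hosts=2):
    """Compare observed issuers with a trusted baseline.

    Returns (changed, suspects): changed maps host -> (expected, seen) for
    every host whose issuer differs; suspects lists issuers that replaced the
    baseline on at least min_hosts hosts, the pattern a single interception
    root produces across unrelated sites.
    """
    changed = {}
    for host, cert in observed.items():
        expected = baseline.get(host)
        seen = issuer_field(cert)
        if expected is not None and seen != expected:
            changed[host] = (expected, seen)
    counts = Counter(seen for _, seen in changed.values() if seen is not None)
    suspects = sorted(name for name, n in counts.items() if n >= min_hosts)
    return changed, suspects


def sample_cert(issuer_cn):
    # Constructed stand-in for getpeercert() output; only the issuer is filled in.
    return {"issuer": ((("organizationName", "Constructed Org"),),
                       (("commonName", issuer_cn),))}


# Constructed sample data: issuers recorded from a trusted network ...
BASELINE = {"mail.example": "Public CA One",
            "bank.example": "Public CA Two",
            "news.example": "Public CA One"}
# ... and issuers seen for the same hosts on the network under test.
OBSERVED = {"mail.example": sample_cert("Example Interception Root"),
            "bank.example": sample_cert("Example Interception Root"),
            "news.example": sample_cert("Public CA One")}

if __name__ == "__main__":
    changed, suspects = find_interception(OBSERVED, BASELINE)
    for host, (expected, seen) in sorted(changed.items()):
        print(f"{host}: expected issuer {expected!r}, saw {seen!r}")
    print("issuers replacing the baseline on several hosts:", suspects)
```

A single issuer change can be an ordinary CA migration; the same unfamiliar issuer appearing across unrelated sites is the stronger signal.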

The measures may undermine user privacy, with agencies now able to assess the websites a user visits, but the government has justified this by citing security concerns. One advantage, the vice-minister for digital development Ablaykhan Ospanov has claimed, is that it blocks users from visiting known phishing sites.

One Kazakh-based provider, Kcell JSC, has also published an advisory page explaining how users can install the root certificate on their devices, with internet access blocked for devices that haven't implemented the tool.

"The security certificate will help protect the information systems and data, as well as to detect hacker and cyber-attacks of the Internet fraudsters on the country's information space, private and banking sector before they can cause damage," the advisory said.

"The security certificate is a set of digital characters used to transfer traffic that contains protocols supporting encryption. Thus, it will allow local Internet users to be protected from hacker attacks and viewing illegal content."

The move was first attempted in 2015 but ended in failure after a host of organisations took legal action against the Kazakh administration.

In light of these developments, web developers have rekindled an old thread on Google Groups in which they're discussing Kazakhstan's measures and how to protect users from such "attacks".

The advent of the internet has been a thorn in the side of authoritarian regimes due to its inherently open nature. Governments of all stripes from across the world have attempted to control their citizens' use of the web in one flavour or another throughout recent history.

The Russian government, for example, has suggested taking the extreme step of building its own iteration of the world wide web. President Vladimir Putin rolled out plans in February for Russia to build its own self-sufficient segments to avoid foreign interference, according to Reuters.

China has held longstanding ambitions to build its own search engine with Google roped into a controversial programme known as 'Project Dragonfly'. The project, which was recently shelved, aimed to build its version of the world-famous engine designed to work within the strict parameters of censorship law.

Even the UK's Conservative government has faced criticism from privacy campaigners for its plans to order ISPs to implement automatic content blocking for certain websites.

Under the government's proposals, providers will task the British Board of Film Classification (BBFC) with implementing age checks on websites of which more than a third of the content is deemed 'pornographic'.

Although these plans were announced more than five years ago, they have failed to materialise and suffered several delays due to continued legal and technical concerns.

Keumars Afifi-Sabet
Contributor