Under the guise of a “cybersecurity exercise,” the Kazakhstan government is forcing citizens in its capital of Nur-Sultan (formerly Astana) to install a digital certificate on their devices if they want to access foreign internet services.
Once installed, the certificate would allow the government to intercept all HTTPS traffic made from users’ devices via a technique called MitM (Man-in-the-Middle).
Starting today, December 6, 2020, Kazakh internet service providers (ISPs) such as Beeline, Tele2, and Kcell are redirecting Nur-Sultan-based users to web pages showing instructions on how to install the government’s certificate.
Earlier this morning, Nur-Sultan residents also received SMS messages informing them of the new rules.
This is the Kazakh government’s third attempt at forcing citizens to install root certificates on their devices after a first attempt in December 2015 and a second attempt in July 2019.
Both previous attempts failed after browser makers blacklisted the government’s certificates.
Government calls it a cybersecurity training exercise
In a statement published on Friday, Kazakh officials described their efforts to intercept HTTPS traffic as a cybersecurity training exercise for government agencies, telecoms, and private companies.
They cited the fact that cyberattacks targeting “Kazakhstan’s segment of the internet” grew 2.7 times during the current COVID-19 pandemic as the primary reason for launching the exercise.
Officials did not say how long the training exercise will last.
The Kazakh government used a similarly vague statement last year, in 2019, describing its actions as a “security measure to protect citizens.”
2019 interception efforts targeted social media sites
The government’s 2019 HTTPS interception effort targeted 37 domains, all social media and communications websites, such as domains for Facebook, Google, Twitter, Instagram, YouTube, and VK, along with a few smaller sites.
The 2015 attempt targeted all internet traffic for interception, which immediately drew the ire of foreign governments, financial institutions, and telecoms — all of which threatened the Kazakh government with lawsuits for having sensitive traffic and private information intercepted.
Representatives for major browser makers, pivotal in blocking the Kazakh government’s first two attempts to backdoor HTTPS traffic, couldn’t be immediately reached for comment over the weekend, but, as before, they’re expected to block this certificate as well.