If you are in Kazakhstan and unable to access the Internet without installing a certificate, you're not alone.
The Kazakhstan government has once again issued an advisory to all major local Internet Service Providers (ISPs) asking them to make it mandatory for all their customers to install government-issued root certificates on their devices in order to regain access to Internet services.
The root certificate in question, labeled as "trusted certificate" or "national security certificate," if installed, allows ISPs to intercept and monitor users' encrypted HTTPS and TLS connections, helping the government spy on its citizens and censor content.
In other words, the government is essentially launching a "man in the middle" attack on every resident of the country.
But how does installing a "root certificate" allow ISPs to decrypt HTTPS connections? For those unaware, your device and web browsers automatically trust digital certificates issued only by a specific list of Certificate Authorities (CAs) whose root certificates are installed on your system.
Compelling Internet users to install a root certificate that belongs to a government organisation therefore gives that organisation the authority to generate valid digital certificates for any domain whose HTTPS traffic it wants to intercept.
Starting from April this year, Kazakh ISPs began informing their users about the "national security certificate" that would be mandatory to install in order to continue uninterrupted access to a list of "allowed" HTTPS websites.
Now, Tele2, one of the major Kazakh ISPs, has finally started redirecting all HTTPS connections of its customers to a web page containing certificate files and instructions on how to install them on Windows, macOS, Android, and iOS devices.
One of the most serious security implications we can easily spot here is that, since users can only browse non-HTTPS sites before installing the certificates, the certificate files are available for download only over insecure HTTP connections, which can easily allow hackers to replace the certificate files using MiTM attacks.
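The trust relationship described above also leaves a visible trace a defender can check for: once an extra root is installed, many unrelated sites suddenly present certificates from the same unfamiliar issuer. The following is an added example, not part of the original article; the host names, issuer names and baseline are constructed placeholders, and `probe` uses whatever trust store Python's `ssl` module loads on the machine.

```python
import socket
import ssl
from collections import defaultdict

def issuer_org(cert):
    """Pull the issuer's organisation (or common name) from a getpeercert() dict."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("organizationName") or fields.get("commonName", "?")

def probe(host, port=443, timeout=5.0):
    """Live check: return the issuer of the certificate this network presents for host."""
    ctx = ssl.create_default_context()  # validates against the local trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_org(tls.getpeercert())

def flag_interception(observed, baseline, min_hosts=2):
    """Return {issuer: [hosts]} for issuers that are new for several hosts at once.

    observed: host -> issuer seen now
    baseline: host -> set of issuers recorded earlier on a trusted network
    A single changed issuer is normal CA rotation; one unfamiliar issuer
    vouching for many unrelated hosts is what an intercepting root looks like.
    """
    by_issuer = defaultdict(list)
    for host, issuer in observed.items():
        if issuer not in baseline.get(host, set()):
            by_issuer[issuer].append(host)
    return {i: sorted(h) for i, h in by_issuer.items() if len(h) >= min_hosts}

# Constructed sample data (placeholders, not real CAs or measurements).
BASELINE = {
    "example.com": {"Constructed CA A"},
    "example.org": {"Constructed CA B"},
    "example.net": {"Constructed CA A"},
    "example.edu": {"Constructed CA C"},
}
INTERCEPTOR = "Constructed Interception Root (placeholder)"
OBSERVED = {
    "example.com": INTERCEPTOR,
    "example.org": INTERCEPTOR,
    "example.net": INTERCEPTOR,
    "example.edu": "Constructed CA D",  # lone change: ordinary CA rotation
}

if __name__ == "__main__":
    for issuer, hosts in flag_interception(OBSERVED, BASELINE).items():
        print(f"unexpected issuer {issuer!r} for: {', '.join(hosts)}")
```

For a live run, build `observed` with `{h: probe(h) for h in BASELINE}` and compare it against a baseline recorded on a network you trust.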