venustus

Level 45
Verified
Trusted
Content Creator
If you are in Kazakhstan and unable to access the Internet service without installing a certificate, you're not alone.

The Kazakhstan government has once again issued an advisory to all major local Internet Service Providers (ISPs) asking them to make it mandatory for all their customers to install government-issued root certificates on their devices in order to regain access to the Internet services.

The root certificate in question, labeled as "trusted certificate" or "national security certificate," if installed, allows ISPs to intercept and monitor users' encrypted HTTPS and TLS connections, helping the government spy on its citizens and censor content.

In other words, the government is essentially launching a "man in the middle" attack on every resident of the country.

But how installing a "root certificate" allow ISPs to decrypt HTTPS connection? For those unaware, your device and web browsers automatically trust digital certificates issued by only a specific list of Certificate Authorities (CA) who have their root certificates installed on your system.


Therefore compelling Internet users into installing a root certificate that belongs to a Government Organisation gives them the authority to generate valid digital certificates for any domain they want to intercept through your HTTPS traffic.

Starting from April this year, Kazakh ISPs began informing their users about the "national security certificate" that would be mandatory to install in order to continue uninterrupted access to a list of "allowed" HTTPS websites.

Now, Tele2, one of the major Kazakh ISPs, has finally started redirecting all HTTPS connections of its customers to a web page containing certificate files and instructions on how to install it on Windows, macOS, Android, and iOS devices.

One of the most serious security implications we can easily spot here is that — since users can only browse non-HTTPS sites before installing the certificates, the Cert files are available for download only over insecure HTTP connections, which can easily allow hackers to replace Certificate files using MiTM attacks.
 

Nightwalker

Level 16
Verified
Content Creator
If they can only navigate with HTTP, they will be filled with Virus .....
No comment.:)
HTTPS isnt about malware protection, it is all about trust and privacy, it trys to eliminate the possibility of connection hijack by a third party using encryption; for example in a HTTPS connection (without a malicious root certificate) a ISP cant inject ads in its user browser nor can modify its traffic.

If Kazakhstan citizens are using HTTP the result will be the same as using HTTPS with the national root certificate and that is traffic manipulation, hijack, code injection and censorship (although there are simple ways to enforce this).

Edit: Grammar check.
 
Last edited:

bribon77

Level 27
Verified
HTTPS isnt about malware protection, it is all about trust and privacy, it trys to eliminate the possibility of connection hijack by a third party using encryption; for example in a HTTPS connection (without a malicious root certificate) a ISP cant inject ads in its user browser nor can modify its traffic.

If Kazakhstan citizens are using HTTP the result will be the same as using HTTPS with the national root certificate and that is traffic manipulation, hijack, code injection and censure (although there are simple ways to enforce this).
And the page can be supplanted by Cybercriminals as well. Whatever it is, I do not like the measure taken by that country with its Internet users.
 

Slyguy

Level 41
Verified
So, blatant abuse of trusted certificates by the CA.

Hmmmm...... a weakness here. What is the CA going to do about this now that a precedent has being set?
Actually it isn't and there is nothing that can be done. The CA is the govt. themselves. Anyone can issue a CA for local installations on machines through acceptance of TOS and download of the Certificate. I can issue one right now to my desktops and intercept all traffic in real-time. There is no permission or licensing required at all.

This is how UTM's like Fortinet intercept/monitor HTTPS activity on their networks. Fortigate appliance generates a Root CA, which is then installed on each machine. But an entire country doing this is absolutely ridiculous and unprecedented. This amounts to a country wide MiTM.

However, as most people know - a VPN also installs a RCA. OpenVPN for example requires a CA on installation of the package. The reason for this is so the VPN can basically MiTM all traffic and route it over the VPN servers after generating the local encryption key. However with the locally installed RCA the machine cannot effectively be trusted any longer, with or without a VPN in place on the machine. Basically, everyone in that country has had their machines commandeered by the govt. and their ISP.
 
Last edited:

Nightwalker

Level 16
Verified
Content Creator
Normally, using SSL with OpenVPN means you have to install a root certificate manually in the configuration file, and then your client will trust any server-flagged certificate signed by that authority. It doesn't use the global chain of trust, it trusts one thing, and that thing is configured in plaintext in the config file.

If you don't put the Kazakhstan root cert into that file, then OpenVPN won't trust it, and your traffic should successfully tunnel to your endpoint. From there, it will surface onto the Internet like any normal traffic would, so you also want to be using https without the Kazkh cert in your browser's trust store.

Even if you're running the VPN, having the Kazakh cert in your store is dangerous, because they're actively using that cert to attack your security. They might not be able to inject it into foreign endpoints, but they're a government, and governments are able to do things that are well beyond the reach of ordinary cyber-criminals.

With VPN and without the Kazakh cert in your browser, you should be safe, and if your VPN is configured correctly, they will only be able to see the single encrypted connection leaving their country. They will know it exists, but not its content. Advanced traffic analysis may give away some of what you're visiting (there are probably particular patterns of packet sizes and timings if you're visiting say, Amazon or Reddit), but they shouldn't be able to figure out who you are or what you're actually reading. (edit: well, they'll know who you are in real life, because they'll see the connection going to your house. They shouldn't be able to determine which online identities are yours, however, unless you leak info in other ways, like over-sharing on social media sites.)

And even the claim that they might be able to tell a few sites that you visit is merely a guess. I have no hard evidence suggesting that this is true, merely a supposition.
From Reddit:
https://www.reddit.com/r/netsec/comments/cewyzu/_/eu5vgi8
I share the same opinion as this guy, but we cant confirm this yet.

A computer without the certificate connecting to a trustable VPN via Wstunnel should be safe.
 

SeriousHoax

Level 7
Verified
Malware Tester
Even if people of Kazakhstan install it on their PC it's not gonna work on Firefox as Firefox uses its own certificate store. It's gonna be interested to see what Firefox do. If the government is serious about this then they might ban Firefox from the country if they don't comply.
 

upnorth

Level 32
Verified
Trusted
Content Creator