Google, Mozilla and Apple have taken the rare step of blocking an untrusted certificate from a government. Critics say Kazakhstan is forcing its citizens to install the certificate as part of an effort to monitor their internet traffic.
The country suffered a big international embarrassment during its June presidential election when big anti-regime protests broke out across the country. Since then officials under elected shoo-in candidate Kasym-Zhomart Tokayev appear to have been looking at ways of curtailing activists’ communications.
Guide to Qaznet put out by Mhelp.kz.
In July, internet service providers (ISPs) based in Kazakhstan were instructed to force users to install a government-issued root certificate on devices to allow agencies to intercept web traffic. The encryption-busting Qaznet Trust Certificate, which allows authorities to read anything a user types or posts using browsers, including account information and passwords, was launched in the nation’s capital Nur-Sultan in what officials described as a test run.
Next move unclear
Early in August, the authorities said they were done testing it and posted instructions for uninstalling the certificate. However, it is unclear whether the government is halting the process in response to international condemnations of their move or simply intends to use the certificate during selective events to crack down on protests before they are organised.
“We don’t take actions like this lightly,” said Marshall Erwin, Mozilla’s senior director of trust and security.
“[Google would] never tolerate any attempt, by any organization—government or otherwise—to compromise Chrome users’ data,” Google browser chief Parisa Tabriz said.
Apple said “technical solutions” would be introduced to block Qaznet in order to protect users of its Safari browser.
The Kazakh security service said on August 7 that it will use the system in the future "in the event of a threat to national security in the form of cyber and information attacks." The authorities have been blocking social media apps for months, mainly fearing the influence of fugitive banker Mukhtar Ablyazov, who has long been critical of the regime and has been constantly calling on his supporters to organise protests around the country to follow up on the election period demonstrations.
Shavkat Sabirov, president of the Internet Association of Kazakhstan, noted that the certificates can be stolen or hacked and “the attackers [could] get absolutely all the information about user data.”
A blog post from virtual private network (VPN) provider Private Internet Access characterised the move, commonly known in security circles as a man-in-the-middle (MiTM) attack, as one designed to "spy on citizens' internet traffic".