While software companies like Mozilla are trying to improve user privacy on the internet, the Kazakhstan government has taken an insane step to intrude on the privacy of people using the internet in the country by forcing them to install a root certificate issued by the government.
The government of Kazakhstan has instructed all the major Internet Service Providers to allow users access to HTTPS websites only after they have installed the root certificate. If a user is not willing to do this and tries to open any encrypted web page, the ISP will redirect them to a static page that provides instructions for installing the certificate in the web browser of their choice.
The certificate is labeled as a "trusted certificate" or "national security certificate". If the user installs the certificate, ISPs can access the encrypted HTTPS and TLS network traffic, which will further help the government censor content it wishes to block.
It is worth noting that the Kazakhstan government started implementing this four months ago, when ISPs began notifying users about the national security certificate. They are even sending out SMS messages to people in the country instructing them to install the certificate.
Since users can access only non-HTTPS websites without installing the root certificate, the certificate is transmitted over an unencrypted HTTP connection. This makes it easy for hackers to alter the root certificate and get complete access to the user's usage patterns, which can even lead to fraud and identity theft.
This scenario can be seen as a man-in-the-middle (MITM) attack by the government. Sounds scary? It should. We'll have to wait to see how major tech companies react to this move by the government. However, a bug has already been opened on Mozilla's Bugzilla page, where people are discussing the situation.
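Two defensive checks follow from the points above about an extra trusted root and about a certificate file fetched over plain HTTP. This is an added example, not code from the article: the function names are hypothetical, and the "certificates" are constructed placeholder bytes rather than real ones.

```python
import hashlib
import hmac
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def fingerprints(pem_bundle: str) -> list[str]:
    """SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    return [
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in PEM_BLOCK.findall(pem_bundle)
    ]


def unexpected_roots(trust_store_pem: str, baseline: set[str]) -> list[str]:
    """Roots present in the trust store but absent from the known-good baseline."""
    return [fp for fp in fingerprints(trust_store_pem) if fp not in baseline]


def matches_published(downloaded_pem: str, published_fp: str) -> bool:
    """True only if the file holds exactly one certificate whose fingerprint
    equals a value obtained over a separate, authenticated channel."""
    fps = fingerprints(downloaded_pem)
    expected = published_fp.replace(":", "").strip().lower()
    return len(fps) == 1 and hmac.compare_digest(fps[0], expected)


# Constructed placeholder bytes stand in for DER certificates; they are not
# real certificates and are used only so the example runs offline.
ROOT_A = ssl.DER_cert_to_PEM_cert(b"constructed: vendor-shipped root A")
ROOT_B = ssl.DER_cert_to_PEM_cert(b"constructed: vendor-shipped root B")
ADDED = ssl.DER_cert_to_PEM_cert(b"constructed: root installed by the user")
ALTERED = ssl.DER_cert_to_PEM_cert(b"constructed: root altered in transit")

if __name__ == "__main__":
    baseline = set(fingerprints(ROOT_A + ROOT_B))
    # A root added after the baseline was taken is reported by fingerprint.
    print(unexpected_roots(ROOT_A + ADDED + ROOT_B, baseline))
    # A file altered on the HTTP path no longer matches the published value.
    published = fingerprints(ADDED)[0]
    print(matches_published(ADDED, published), matches_published(ALTERED, published))
```

A fingerprint match only shows the file was not modified in transit; any root that passes the check and is installed still lets its holder issue certificates for every site the browser visits.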