Kazakhstan man-in-the-middle attack
In 2015, the government of Kazakhstan created a root certificate which could have enabled a man-in-the-middle attack on HTTPS traffic from Internet users in Kazakhstan. The government described it as a "national security certificate". If installed on users' devices, the certificate would have allowed the Kazakh government to intercept, decrypt, and re-encrypt any traffic passing through systems it controlled.
In July 2019, Kazakh ISPs started messaging their users that the certificate, now called the Qaznet Trust Certificate, issued by the state certificate authority the Qaznet Trust Network, would now have to be installed by all users.
On August 21, 2019, Mozilla and Google simultaneously announced that their Firefox and Chrome web browsers would not accept the government-issued certificate, even if installed manually by users. Apple also announced that they would make similar changes to their Safari browser. As of August 2019[update], Microsoft has so far not made any changes to its browsers, but reiterated that the government-issued certificate was not in the trusted root store of any of its browsers, and would not have any effect unless a user manually installed it.
In December 2020, the Kazakh government attempted to re-introduce the government-issued root certificate for a third time. In response to this, browser vendors again announced that they would block any such attempt by invalidating the certificate in their browsers.
- Nurmakov, Adil (2015-12-05). "Experts Concerned Kazakhstan Plans to Monitor Users' Encrypted Traffic". Digital Report (in Russian). Retrieved 2019-07-18.
- Nichols, Shaun (3 Dec 2015). "Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs?". www.theregister.co.uk. Retrieved 2019-07-18.
- "Kazakh government will intercept the nation's HTTPS traffic". IT PRO. Retrieved 2019-08-21.
- "MITM on all HTTPS traffic in Kazakhstan | Hacker News". news.ycombinator.com. Retrieved 2019-07-18.
- Afifi-Sabet, Keumars (19 July 2019). "Kazakh government will intercept the nation's HTTPS traffic". IT PRO. Retrieved 2019-07-19.
- Raman, Ram Sundara; Evdokimov, Leonid; Wustrow, Eric; Halderman, Alex; Ensafi, Roya (July 23, 2019). "Kazakhstan's HTTPS Interception". censoredplanet.org. University of Michigan. Retrieved 2019-08-21.
- Paris, Martine (2019-08-21). "Google and Mozilla block Kazakhstan root CA certificate from Chrome and Firefox". VentureBeat. Retrieved 2019-08-21.
- Thayer, Wayne (2019-08-21). "Protecting our Users in Kazakhstan". Mozilla Security Blog. Retrieved 2019-08-21.
- Whalley, Andrew (2019-08-21). "Protecting Chrome users in Kazakhstan". Google Online Security Blog. Retrieved 2019-08-21.
- Brodkin, Jon (2019-08-21). "Google, Apple, and Mozilla block Kazakhstan government's browser spying". Ars Technica. Retrieved 2019-08-22.
- Cimpanu, Catalin. "Kazakhstan government is intercepting HTTPS traffic in its capital". ZDNet. Retrieved 2020-12-18.
- Moon, Mariella (2020-12-18). "Tech giants will block Kazakhstan's web surveillance efforts again". Engadget. Retrieved 2020-12-18.