Kazakhstan man-in-the-middle attack

From Wikipedia, the free encyclopedia

In 2015, the government of Kazakhstan created a root certificate which could have enabled a man-in-the-middle attack on HTTPS traffic from Internet users in Kazakhstan. The government described it as a "national security certificate". If installed on users' devices, the certificate would have allowed the Kazakh government to intercept, decrypt, and re-encrypt any traffic passing through systems it controlled.[1][2]

In July 2019, Kazakh ISPs started messaging their users that the certificate, now called the Qaznet Trust Certificate,[3] issued by the state certificate authority the Qaznet Trust Network, would now have to be installed by all users.[4][5][6]

Sites operated by Google, Facebook and Twitter appear to be among the Kazakh government's initial targets.[7]

On August 21, 2019, Mozilla and Google simultaneously announced that their Firefox and Chrome web browsers would not accept the government-issued certificate, even if installed manually by users.[8][9] Apple also announced that they would make similar changes to their Safari browser.[7] As of August 2019, Microsoft has so far not made any changes to its browsers, but reiterated that the government-issued certificate was not in the trusted root store of any of its browsers, and would not have any effect unless a user manually installed it.[10]

In December 2020, the Kazakh government attempted to re-introduce the government-issued root certificate for a third time.[11] In response to this, browser vendors again announced that they would block any such attempt by invalidating the certificate in their browsers.[12]


  1. ^ Nurmakov, Adil (2015-12-05). "Experts Concerned Kazakhstan Plans to Monitor Users' Encrypted Traffic". Digital Report (in Russian). Retrieved 2019-07-18.{{cite web}}: CS1 maint: url-status (link)
  2. ^ Nichols, Shaun (3 Dec 2015). "Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs?". www.theregister.co.uk. Retrieved 2019-07-18.
  3. ^ "Kazakh government will intercept the nation's HTTPS traffic". IT PRO. Retrieved 2019-08-21.
  4. ^ "MITM on all HTTPS traffic in Kazakhstan | Hacker News". news.ycombinator.com. Retrieved 2019-07-18.
  5. ^ Afifi-Sabet, Keumars (19 July 2019). "Kazakh government will intercept the nation's HTTPS traffic". IT PRO. Retrieved 2019-07-19.
  6. ^ Raman, Ram Sundara; Evdokimov, Leonid; Wustrow, Eric; Halderman, Alex; Ensafi, Roya (July 23, 2019). "Kazakhstan's HTTPS Interception". censoredplanet.org. University of Michigan. Retrieved 2019-08-21.
  7. ^ a b Paris, Martine (2019-08-21). "Google and Mozilla block Kazakhstan root CA certificate from Chrome and Firefox". VentureBeat. Retrieved 2019-08-21.
  8. ^ Thayer, Wayne (2019-08-21). "Protecting our Users in Kazakhstan". Mozilla Security Blog. Retrieved 2019-08-21.
  9. ^ Whalley, Andrew (2019-08-21). "Protecting Chrome users in Kazakhstan". Google Online Security Blog. Retrieved 2019-08-21.
  10. ^ Brodkin, Jon (2019-08-21). "Google, Apple, and Mozilla block Kazakhstan government's browser spying". Ars Technica. Retrieved 2019-08-22.
  11. ^ Cimpanu, Catalin. "Kazakhstan government is intercepting HTTPS traffic in its capital". ZDNet. Retrieved 2020-12-18.
  12. ^ Moon, Mariella (2020-12-18). "Tech giants will block Kazakhstan's web surveillance efforts again". Engadget. Retrieved 2020-12-18.