The Internet Society and Internet Society Kazakhstan Chapter are deeply concerned about the recent actions taken by the Kazakh government – and how those actions affect the overall security of the Internet.
According to recent news reports and information from our Kazakhstan Chapter, since Thursday, 18 July 2019, users of Kazakh mobile operators trying to access the Internet have received text messages indicating that they need to install government-issued root certificates on their mobile and desktop devices.
Requiring Internet users to install root certificates that belong to the government could give the government the ability to intercept encrypted HTTPS traffic and perform a “machine-in-the-middle” (MITM) attack to break secure communication. This means that the government could see, monitor, record, and even block interactions between Kazakh users and any website, including banks, email providers, social networks – and critical public services like electricity, elections, hospitals, and transportation.
Representatives of the Kazakhstan government have indicated that installing this certificate is voluntary and is intended to help combat phishing attacks. However, once these certificates are installed, users have no way of knowing their communications are no longer secure. Browsers will still show a lock symbol or other indicator that the traffic is “encrypted and secure”.
Traffic that appears secure is not.
Introducing this weakness undermines the security of the Internet and erodes trust in the global public key infrastructure. Encryption technologies help keep people safe online by protecting the integrity and confidentiality of digital data and communications.
Every country has a right and duty to protect its citizens. Undermining the cryptographic systems in a way that could make any transaction vulnerable protects nobody, but puts people at risk. (Read more)
Encryption should be the norm for all Internet traffic, because that is necessary to ensure the Internet is safe and usable for citizens. Any measure taken to weaken that encryption makes us all more vulnerable.
We call on the government of Kazakhstan to stand together with us in ensuring that its citizens have the strong, secure communication mechanisms that allow them to participate in the global Internet.