Internet users in the Asian state of Kazakhstan are being prompted to download a security certificate that gives the government greater monitoring powers.
Privacy advocates have warned that a new security certificate for internet browsers being promoted by the Kazakhstan government amounts to a countrywide man-in-the-middle (MITM) attack and “aims to spy on its citizens’ web traffic”.
According to Privacy News Online, an order was issued by the government on 17 July notifying ISPs that they must force customers to install a government root certificate on all of their online devices. Once installed, the government would be able to intercept, decrypt, analyse and reanalyse all encrypted HTTPS traffic.
Internet users in the country reported being redirected to pages asking them to install this new certificate and, in some cases, were prompted via text messages.
Downloading this certificate, Privacy News Online warned, would be a major threat to both internet privacy and security for Kazakhstani internet users. If this certificate is compromised by outside hackers, significant quantities of personal information could be obtained.
In a statement, the government said the new certificate is “aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, internet fraudsters and other types of cyberthreats”.
Such cyberthreats, according to Kcell – one of the country’s biggest telecoms providers – include viewing illegal content. Kazakhstan’s government maintains a tight grip on the country’s media, especially with the recent passing of a new media law that limits freedom of expression, according to OpenDemocracy.
On 19 July, the government issued a clarification to say that downloading the certificate was completely voluntary and was not needed to access the internet. As of yet, none of the major browsers have officially said they will ban the certificate, but they are investigating.
Privacy advocate Caleb Chen said that if a ban is enforced, the Kazakh government could either back down and pull back the certificate, or it could encourage internet users to use a state-run browser.