Aug. 7, 2019 update: The government has reversed its surveillance strategy, claiming the whole program was a “test” that is now complete, according to Reuters. If you installed a government root certificate on your device, you may now uninstall it without consequence. We have provided instructions in this article below for how to do so safely on Mac, Windows, Android, and iOS.

Governments around the world have fought against encryption, but Kazakhstan’s aggressive mass surveillance policy sets an alarming new precedent that may spread to other countries. We’re taking a look at how the recent online surveillance measures have affected Kazakhs, how to stay safe there, and how to defend your data from government spying anywhere.

On July 17, the government of Kazakhstan began coercing its citizens to install a root certificate on their devices that would allow the authorities to monitor everything they do online. The surveillance affects anyone trying to access certain websites, including Gmail, Facebook, Twitter, and YouTube. Once the certificate is installed, the government could access emails, read private messages, log browsing activity, and store login credentials.

The government calls these “security certificates” and insists installation is voluntary. “The introduction of a security certificate will help in the protection of information systems and data,” the Ministry of Digital Development said in an announcement to Kazakh Internet service providers (ISPs). But in reality, installing a fake root certificate only places personal data in jeopardy by exposing it to third parties.

The Kazakhstan government recently began using a fake root CA to perform a man-in-the-middle (MitM) attack against HTTPS connections to websites including Facebook, Twitter, and Google. #Kazakhstan #MitM

Read about it here: https://t.co/olVFhkSSxy — Censored Planet (@CensoredPlanet) July 23, 2019

Of course, few believe security is the government’s objective. In Kazakhstan, elections are few and unfair, and surveillance and state censorship are common. In fact, ProtonMail is one of the many online services, social media, and news portals that are blocked by the regime.

Back in 2015, the Kazakh government first tried to implement the root certificate attack but gave up under pressure from companies. We hope they fail a second time. In the meantime, ProtonMail will continue to provide technological tools to defeat censorship and protect individuals’ right to privacy. Read below for instructions to remove the Kazakh root certificate if you installed it, how to access VPN and Tor, and how to send secure emails no matter where you are.

Kazakhstan’s man-in-the-middle attack

When you access a website and establish a secure connection, your device knows it can trust the site’s server because of its certificate. Certificates are typically issued by a trusted certificate authority and can’t be manipulated. In a man-in-the-middle attack, a third party inserts itself between the website’s server and the user’s device. They then decrypt, read, re-encrypt, and pass along the victim’s data to the real server without anyone knowing the attack took place.

This is exactly what the Kazakh government is doing, except they’re doing it by coercion. When users install the government’s root certificate on their browsers, it tells the browsers to trust government-issued TLS certificates. The government can then decrypt users’ HTTPS traffic. Users will still see the green lock in their browser’s URL bar, falsely indicating that their traffic is safely encrypted. This is a government-sanctioned man-in-the-middle attack.

The attack, first described by researchers at Censored Planet, affects users trying to reach some of the most popular websites in the world, including several Google and Facebook services. Those who try to access the Internet without the government-issued root certificate are being redirected to landing pages with instructions on how to install it.

“This list of domains suggests that the actual intention is instead to surveil users on social networking and communication sites,” Censored Planet said in its report.

Why Kazakhstan’s mass surveillance is particularly bad

HTTPS is a bedrock of what makes the Internet functional. When you log in to your bank account or buy something online, your credentials and credit card number are safe because of HTTPS. And trusted certificates are the bedrock of HTTPS. If we can’t trust certificates, then we can’t trust the Internet.

In the past, certificate authorities have been accused of, or have admitted to, selling fake root certificates to private entities for surveillance. It is conceivable that a certificate authority could be compelled or persuaded to sell one to a government. And there are plenty of governments that would be interested.

Just recently, the Chinese government made foreigners visiting the Xinjiang region install a malware app on their smartphone. The app, named BXAQ, collects all the calendar entries, contacts, call logs, and text messages stored on the phone and sends them to a government server. It even searches the device for specific files, like documents referring to the Dalai Lama or songs about Taiwan’s independence. If the malware detects these files, it notifies the Chinese authorities.

The US and Australia have also sought to weaken encryption, to the extent that has been possible under a democracy. Australia’s anti-encryption law lets the government force companies to infect their customers’ devices with malware designed to crack open private communications. And in the United States, Attorney General William Barr recently demanded companies create an encryption backdoor. So far, however, there have been no concerted efforts to do so.

William Barr gave a talk today at Fordham, on “going dark” and the need for encryption backdoors. A lot of this is old hat. The surprising thing is that it was the only subject of the talk: it seems like the Trump administration is serious about this. (Thread). — Matthew Green (@matthew_d_green) July 23, 2019

There is no such thing as a back door (or in this case, online surveillance tool) that can only be used by the good guys. The Shadow Brokers hack and the resulting WannaCry attack show what can happen when hackers get their hands on such tools. By forcing all Kazakh citizens to use the same certificate, the government is introducing a significant vulnerability. If hackers were able to get control of the certificate, they would have the same access to personal data as the government.

How to protect your data if you are in Kazakhstan

Once you install a compromised root certificate on your device, there is very little you can do to protect your data. Large organizations including Google, Microsoft, and Mozilla are debating whether they should block Kazakhstan’s malicious certificate, but so far they have not taken action.

The good news is that prevention is possible. Kazakh citizens should not install the root certificate. The government has said the certificate is not mandatory, no matter how persistently the ISPs push their users to download it. Any Kazakh citizen who has already installed the certificate should remove it from their device.

Below we have instructions that explain how to remove the Kazakhstan government certificate from Android, iOS, macOS, and Windows devices.

Note: Be careful. Removing root certificates can cause serious issues for your device. You should back up your data before doing so. Only remove the Qaznet Trust Network root certificate.



Mac

1. Open Utilities (Shortcut: Shift + Command + U)
2. Double-click on Keychain Access, select System Roots.
3. Find the Qaznet Trust Network root certificate and double-click on it.
4. In the window that pops up, under “Trust,” select “When using this certificate” and choose “never trust.”

Windows

1. Open the Microsoft Management Console by pressing Windows button + R and typing “MMC”
2. Click File, then Add/Remove Snap-In
3. Click Certificates, then Add
4. Click Computer Account, then select Local Computer. Click OK.
5. Click the arrow next to Certificates (Local Computer) to show all certificates (if nothing is listed, your device does not have the certificate)
6. Select the arrow beside the Qaznet Trust Network root certificate
7. Now click the Certificates folder
8. Find the Qaznet Trust Network certificate, right-click it, and select Properties
9. Select Disable all purposes for this certificate, then click Apply
10. Restart your device

Android

1. Go to Settings
2. Tap Security
3. Tap Trusted Credentials
4. Find the Qaznet Trust Network root certificate
5. Slide the toggle switch over so that the certificate is disabled

iOS

1. Go to Settings, then tap General
2. Tap Profile (if there are no profiles, your device does not have the certificate)
3. Select the Qaznet Trust Network Profile
4. Tap Delete
5. Enter your iOS passcode to confirm
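An added example, not part of the original article or any ProtonMail tooling: a Python check that lists trust-store entries whose subject mentions the Qaznet Trust Network name used in the steps above. The function names and the sample store are assumptions constructed for illustration; Python reads the Windows system store but OpenSSL's own bundle on other platforms, so a clean result there does not replace the manual steps.

```python
import ssl

SUSPECT_NAME = "Qaznet Trust Network"  # name used in the removal steps
NAME_FIELDS = ("commonName", "organizationName", "organizationalUnitName")

# Constructed sample in the shape returned by SSLContext.get_ca_certs();
# serials and dates are placeholders, not values from the real certificate.
_qaznet = ((("commonName", "Qaznet Trust Network"),),)
_other = ((("organizationName", "Example Org"),), (("commonName", "Example Root CA"),))
SAMPLE_STORE = [
    {"subject": _qaznet, "issuer": _qaznet, "serialNumber": "01", "notAfter": "<placeholder>"},
    {"subject": _other, "issuer": _other, "serialNumber": "02", "notAfter": "<placeholder>"},
]


def flatten_name(name):
    """Turn ssl's nested RDN tuples into {field: [values]}."""
    fields = {}
    for rdn in name or ():
        for key, value in rdn:
            fields.setdefault(key, []).append(value)
    return fields


def find_named_roots(ca_certs, needle=SUSPECT_NAME):
    """Return entries whose subject mentions `needle` (case-insensitive)."""
    needle = needle.casefold()
    hits = []
    for cert in ca_certs:
        subject = flatten_name(cert.get("subject"))
        names = [v for f in NAME_FIELDS for v in subject.get(f, [])]
        if any(needle in n.casefold() for n in names):
            hits.append({
                "subject": ", ".join(names),
                "serial": cert.get("serialNumber"),
                "self_signed": cert.get("subject") == cert.get("issuer"),
            })
    return hits


def system_roots():
    """CA certificates Python loads by default: the Windows ROOT and CA
    stores, or OpenSSL's bundle elsewhere (capath entries appear only
    after they have been used)."""
    return ssl.create_default_context().get_ca_certs()


if __name__ == "__main__":
    for hit in find_named_roots(system_roots()) or ["no matching root found"]:
        print(hit)
```

Browsers that keep their own certificate store are not covered by this check and need to be inspected separately.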

How to prevent Internet censorship and surveillance

For those in Kazakhstan or anywhere subject to Internet censorship and surveillance, there are a few techniques you can use to try to bypass blocks and protect your data.

Use a VPN service like ProtonVPN

A virtual private network (VPN) works by encrypting your Internet traffic between your device and the VPN server, which can be located in another country. ProtonMail provides a free VPN service that also shields DNS requests. In this way, the government cannot block websites at the ISP or DNS level. Unfortunately, the VPN servers themselves can be blocked. If that happens, there are other options.

Use different DNS servers

The Domain Name System allows you to enter a domain like protonmail.com and reach a ProtonMail server. Governments can censor websites by blocking them on local DNS servers. If this happens, you can try using free alternative DNS servers. Using any of those should allow the DNS block to be bypassed. Guides for setting a custom DNS for your operating system can be found below:

Windows || MacOS || Android || iOS || Linux

The Tor network

Tor is another tool that encrypts your Internet traffic, helps overcome censorship, and makes you harder to spy on. When connected to Tor using the Tor browser or Tails, your Internet traffic bounces through a series of random servers around the world, concealing your original IP address and making you extremely hard to track.

Service providers can also provide Tor hidden services that are harder to block. ProtonMail offers a Tor hidden service at protonirockerxow.onion. If ProtonMail is blocked, you can try accessing our onion site while connected to the Tor network. ProtonVPN also offers one-click Tor over VPN access.

How to send encrypted email

End-to-end encryption is the best way to ensure no one but you and your recipient can read your emails. ProtonMail makes this simple by automatically encrypting and decrypting messages between ProtonMail users on their devices. This ensures that even if an attacker or government intercepts the message, they cannot decrypt it. Follow the link to create a free encrypted email account.

Privacy is crucial to the healthy functioning of any democracy. The ability to share ideas and form opinions away from prying eyes is critical to free discourse, which is why authoritarian governments are always so eager to expand the surveillance state. As more and more of society has transitioned online, these autocratic governments are now trying to break encryption so that they can monitor everything there as well. We remain committed to our mission of creating a more private and secure Internet. Thank you for supporting our movement.

Best Regards,

The ProtonMail Team