The Kazakhtelecom JSC, the largest telecommunications company in Kazakhstan, announced that the government will require all citizens to install a “national security certificate” starting January 1, 2016. Kakakhstan citizens will have to go to www.telecom.kz to receive a prompt on how to install that certificate on Windows, Mac OS, Android and iOS.

Country-Wide "Superfish"

This would essentially mean that the government is trying to “Superfish” all of its citizens by giving itself the capability to decrypt all HTTPS traffic. The government will be able to see not just all encrypted traffic, but it will also be able to censor certain pages of content. Before HTTPS started being used by default by sites like Wikipedia, some governments would block those pages from being accessed.

Once Wikipedia and other sites moved to HTTPS, the governments had to choose whether to completely block them, or not, as it became an all or nothing proposition. Most often, at least for popular websites, they would decide not to do it, as too many people relied on them for all sorts of content.

Not using HTTPS also meant governments would see what type of content people were reading, whether in aggregate to see certain trends, or individually if they targeted anyone. With HTTPS that’s not possible anymore.

That’s why Kazakhstan, which presumably wants to maintain its censorship and surveillance powers, is now demanding all citizens to install its certificate. The “national security” reason is invoked, because that seems to make people more willing to accept it, even if the vast majority of uses of the certificate won’t be for national security purposes (or at least what is commonly regarded as actual national security, as the Kazakhstan government could interpret it however it wants, ultimately).

Security Risk

The problem even with this security argument is that it may in fact make Kazakhstan citizens less secure, not just against their own government, but against other criminals as well. We’ve learned earlier this year, with Lenovo’s Superfish and more recently with Dell’s own root certificate, that these certificates can pose a great security risk for computer users.

If hackers get ahold of the private key of that root certificate (and we can probably assume the Kazakhstan government doesn’t have world renown security in place to protect that private key), they could also use it to decrypt anyone’s communications.

It’s also going to be a very slow process to update those certificates if the government does find out its private key has been stolen. Unlike with Lenovo and Dell, which could either update the laptops themselves or rely on Microsoft to do it for them and remove those bad certificates, it could take years before most Kazakhstan citizens install the new certificate again.

How To Stop It

There are only two ways for Kazakhstan citizens to stop this now. One would be to protest against the move. The other is to ask technology companies to take measures against it by refusing to use that certificate for their services or apps.

Service providers could pin only certain certificates they can trust and not allow their sites to work with any other certificate. Browser vendors could also ban those certificates from being supported in their browsers, as they’ve already done with China’s root Certificate Authority.

Finally, the platform vendors (which are also the major browser vendors), such as Microsoft, Google and Apple, could update their operating systems to remove that certificate from their operating systems’ root stores.

They could even release future versions of their operating systems that would disallow any other root certificate than the default ones. This could annoy some power users who want to be able to test/install their own certificates, but in the vast majority of cases, consumers never try to install a root certificate themselves.

Microsoft, for instance, could still allow enterprise, or even Pro versions of Windows to install certificates. This would still protect most people against such abuses, whether from certain manufacturers’ bad certificates, or from more oppressive nation states.

Update, 12/3/15, 12:01am PT: The Tor Project announced that its website was blocked in Kazakhstan, but it provided a mirror link where people can download the Tor browser.

______________________________________________________________________



Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

You can follow him at @lucian_armasu. Follow us on Facebook, Google+, RSS, Twitter and YouTube.