On Wednesday, July 17, 2019, the Kazakhstan government started intercepting all HTTPS internet traffic inside its borders.

Local internet service providers (ISPs) have been instructed by the local government to force their respective users into installing a government-issued certificate on all devices, and in every browser.

The certificate, once installed, will allow local government agencies to decrypt users' HTTPS traffic, look at its content, encrypt it again with their certificate, and send it to its destination.

Image via: Eugene on Bugzilla (Image source: RIPE Atlas)

Kazakh users trying to access the internet since yesterday have been redirected to web pages that contained instructions on how to install the government's root certificate in their respective browsers, whether on a desktop or a mobile device.

For example, this is the page shown by local ISP Kcell, and this is another one that Beeline is showing to its customers.

Kazakhstan government says it's for the best

Local ISPs started forcing their customers into installing the government's root certificate yesterday, following an official government announcement.

In a statement posted on its website, the Kazakh Ministry of Digital Development, Innovation and Aerospace said only internet users in Kazakhstan's capital of Nur-Sultan will have to install the certificate; however, users from all across the country reported being blocked from accessing the internet until they installed the government's certificate. Some users also received SMS messages on their smartphones about having to install the certificates, according to local media.

Ministry officials said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats."

Government previously failed in 2015

The Kazakh government first tried to have all its citizens install a root certificate in December 2015. At the time, it ruled that all Kazakh users had to install its root certificate by January 1, 2016.

The decision was never implemented because the local government was sued by several organizations, including ISPs, banks, and foreign governments, who feared this would weaken the security of all internet traffic (and adjacent business) originating from the country.

At the same time, in December 2015, the Kazakh government also applied to Mozilla to have its root certificate included in Firefox by default, but Mozilla declined.

Currently, browser makers like Google, Microsoft, and Mozilla are discussing a plan of action on how to deal with sites that have been (re-)encrypted by the Kazakh government's root certificate. No decision has been reached at the time of writing.


