Once installed on the user's device, the certificate will allow the authorities to intercept all HTTPS traffic.In the capital of Kazakhstan, Nur-Sultan, cyber training took place, in which citizens had to install a national security certificate on their devices.
Over the past five years, this is the third attempt by the government of Kazakhstan to oblige citizens to install root certificates on their devices if they want to access foreign Internet resources. Once installed on the user's device, the certificate will allow the authorities to intercept all HTTPS traffic using a Man-in-the-Middle (MitM) attack.
As reported in December 2015, the Law of the Republic of Kazakhstan "On Communications" obliges telecom operators to pass foreign encrypted traffic using a security certificate. It was assumed that the new national security certificate should protect citizens of Kazakhstan during access to encrypted foreign Internet resources. However, at that time, the operation to implement certificates was never carried out. For the second time, major Kazakhstani providers, including Kcell, Beeline, Tele2 and Altel, tried to implement HTTPS interception systems in 2019, but browser manufacturers added a government certificate to the blocked list.
On December 6, 2020, in the capital of Kazakhstan , the cyber training "Cybersecurity Nur-Sultan 2020" was held, which became the third attempt to install certificates on the devices of Kazakhstanis. During the event, telecom operators redirected their subscribers to a web page with instructions for installing the root certificate and sent out SMS messages notifying citizens of the new rules.
“From December 6, the exercises “Cybersecurity Nur-Sultan 2020” are being held in Nur-Sultan. To preserve access to some foreign Internet resources, we ask you to install a security certificate on all your devices, ”read the text of the SMS-message.
On December 6, Internet users in the capital complained about the inability to access Google, Twitter, YouTube, Facebook, Instagram and Netflix without a certificate. The Ministry of Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan (ICRIAP) apologized for the inconvenience.
“We tried to conduct these exercises in such a way that our citizens would not feel the inconvenience that these exercises create as much as possible. We apologize for any inconvenience caused. Of course, this affected the work of foreign Internet resources. Why we started on the weekend - it was due to the fact that at this time a person is as free as possible, there are no working moments. At this time, we probably caused a minimum of inconvenience to our citizens, ”the Sputnik news agency quoted Ruslan Abdikalikov, chairman of the ICRIAP Information Security Committee, as saying.
According to Abdikalikov, all activities with the use of the security certificate have now been completed. There remains only the phase of cyber exercises related to repelling hacker attacks on government agencies.Cyber exercises are carried out in order to check the readiness of state bodies, information security units, operational information security centers and critical information facilities to resist cyber threats.