Experts Suspicious about Kazakhstan’s Security Certificates

Published: 26 July 2019

Screenshot of a blocked internet connection without the security certificate

By OCCRP

Since July 17, Kazakh mobile providers have been urging users, particularly in the capital, Nur-Sultan, to install security certificates on their internet devices, without telling them that the certificates would also allow web developers access to people’s private conversations.

The certificates are “to protect the country’s information space from hackers, online fraudsters and other types of cyber threats,” according to the official statement of Kazakh mobile company Kcell.

If users don’t install the certificate on their phones, they may face limitations accessing certain websites, according to the statement.

Meanwhile, the website of the Ministry for Digital Development, Innovation and Aerospace Industry of the Republic of Kazakhstan announced that the internet in Nur-Sultan was experiencing technical difficulties and advised people to install the security certificate.

The website qca.kz, from which the certificate could be downloaded, was first registered under the name of a private person. After harsh public criticism, the registration was changed to the National Coordination Center of Information Security of the Republic of Kazakhstan and the site was shut down.

Once the certificate is installed, web developers can decrypt users’ web history and read their private information, including emails and messages, according to The Next Web. Developers can then re-encrypt the history and send it to a third party via the “man-in-the-middle” process (MITM). Internet data collection system RIPE Atlas has already recorded MITM attacks on several websites in Kazakhstan, including Facebook, Gmail, Google, YouTube, and Vk.com.

Several residents of Nur-Sultan complained about internet connectivity problems when trying to access these websites.

“Once the certificate is installed in the devices, it is technically feasible to only allow citizens to access the domains that are approved by the national certification authority. This basically means that the Government of Kazakhstan can decide which domains they want to monitor or block,” experts from Qurium Media Foundation said about the situation.

They also said that installing certificates may not be the best way to prevent cyber attacks.

“It seems obvious that the purpose of such certificate is the ability to screen communications,” the Foundation said.

Nevertheless, installing the certificate is optional. According to Ablaykhan Ospanov, Vice Minister of Digital Development of Kazakhstan, each mobile user can use the certificate at their discretion if they want to secure themselves from phishing and other hacking attempts. 

Ospanov hasn’t installed the certificate himself but promised to do so when he receives the message from his mobile provider.

This is not the first attempt to control the internet in Kazakhstan. A similar one in 2015 involved plans to pass legislation on the national security certificate, which allowed content prohibited by courts or Kazakh laws to be blocked. The certificate was also distributed through mobile providers but was canceled after multiple complaints from various organizations.

Kazakhstan has not had internet freedom for the last four years, according to Freedom House.