Browser makers Apple, Google, Microsoft, and Mozilla have today banned a root certificate that the Kazakhstan government was using to intercept and decrypt HTTPS traffic for residents in the country’s capital, the city of Nur-Sultan (formerly Astana).
The certificate had been in use since December 6, 2020, when Kazakh officials forced local internet service providers to block Nur-Sultan residents from accessing foreign sites unless they had a specific digital certificate issued by the government installed on their devices.
While users were able to access most foreign-hosted sites, access was blocked to sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix, unless they had the certificate installed.
Kazakh officials justified their actions by claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies.
Officials said that cyberattacks targeting “Kazakhstan’s segment of the internet” grew 2.7 times during the current COVID-19 pandemic, and cited this as the primary reason for launching the exercise.
The government’s explanation, however, made zero technical sense, as certificates can’t prevent mass cyber-attacks and are usually used only for encrypting and safeguarding traffic from third-party observers.
After today’s ban, even if users have the certificate installed, browsers like Chrome, Edge, Mozilla, and Safari will refuse to use it, preventing Kazakh officials from intercepting user data.
Today’s ban also marks the second time the four browser makers have banned a certificate that the Kazakh government issued to carry out man-in-the-middle (MitM) attacks. They blocked the first one in August 2019, a certificate that was used to intercept traffic for various Russian and English-speaking social media sites.