Experts Concerned Kazakhstan Plans to Monitor Users’ Encrypted Traffic

Yesterday, the national Internet service provider, Kazakhtelecom, published a press release introducing “the national security certificate”. The post, which stated that users would be required to instal the certificate on their devices, was soon removed from the company’s official website causing further speculation on the authorities’ plans to enable unlimited electronic surveillance.

According to the press release, the Committee for Communications, Informatization, and Information at the Ministry of Investment and Development, the public body entrusted to regulate the country’s Internet, would be introducing the national security certificate as of 1 January 2016. The move, it was explained, was done in accordance with the Law on Communications:

“According to the Law, the service providers are obliged to process traffic, using protocols supporting cryptography, that possess a security certificate with the exception of traffic encrypted by cryptographic protection tools on the territory of the Republic of Kazakhstan”.

The current version of the Law, however, does not include this norm. Moreover, the above quote does not require Kazakh service providers to use some new “national” certificate instead of those provided by websites themselves in accordance with the HTTPS protocol, which uses SSL or TLS encryption standards to protect user interactions with their sites.

To substantiate the introduction of the new measure, the company cited the “provision of protection for Kazakhstani users when accessing encrypted foreign Internet resources”. According to Kazakhtelecom’s Managing Director for Innovations, Nurlan Mejrmanov, the users must install the national certificate on all devices used to access the internet, including mobile ones. The national operator will publish step-by-step installation instructions on its website by the end of 2015 (see the cached Google page of the Kazakhtelecom press release).

The reaction across professional IT Media to the news was unanimous: the new certificate was branded as an instrument of surveillance for all encrypted traffic. “It seems that the certificate will be used not only for HTTPS connections but also for other TLS encrypted connections, including FTPS, IMAP and SMTP with TLS”, states habrahabr.ru. Technically speaking, the new certificate, when installed by a user, would replace the security certificates already installed on websites, with the national certificate ‘acting’ as an intermediary between a user and a site. This is precisely what encryption technologies were intended to eliminate.

This is effectively the same as a “Man in the Middle”, or MITM attack — whereby the data exchange between users (or between a user and web-site) experiences an unauthorized intrusion. The attacker is able to read or change the content exchanged between the users. According to the announced plans, citizens would voluntarily allow this to occur, by simply following a step-by-step installation manual provided by considerate government authorities. The invited ‘intermediary’ could potentially gain access to a great deal of user personal data, including banking information, such as cards CVV codes.

Securitylab.ru explained that after users entrust the root certificate provided by the Committee, the intelligence services could conduct unlimited MITM attacks and decode any encrypted data. Securitylab analysts believe that the initiative is intended to intercept all SSL traffic in the region. Daniil Vartanov, an IT expert from Bishkek, confirmed to Digital Report that this action will also affect Kyrgyz Internet users. “Many Kyrgyz ISPs connect to the internet through Kazakhstan and therefore their clients will face the same risks. There will be no difference from Kazakh users”, says Vartanov.

The experts interviewed for this report also believe that the move is likely to backfire. Many Internet-based corporations and major web sites create their own HSPS security rules, which prevent access to holders of a different certificate not approved by them. As a result, following a likely massive denial of access, browsers may potentially start automatically blocking the Kazakh “national certificate”. There may also be problems with the operating systems for portable devices. On Android devices, for example, replacing the root certificate causes constant system warnings that the traffic may be surveilled.

Eric Johnson, an internationally-recognized Internet security expert, told Digital Report that Kazakhtelecom does not clarify the exact purpose of the certificate. “At a minimum, the Kazakh authorities may become a TLS Certifying Authority (CA). This will only work if they are able to include their certificate into the Trusted CA store maintained by leading developers of software that monitor encryption certificates, such as Google (Android), Microsoft (Windows), Apple (Mac OS, iOS), Mozilla (Firefox) and others. I doubt they would allow this [the national Kazakh certificate]but one can never be sure. Some of them allowed the [Chinese certificate] CNNIC to be included, but at least one of these developers, Google, has declared its intention to remove it soon”.

Some countries have legally authorized the creation of their own CA to produce encryption certificates for government institutions. In theory, the authorities may require that all computers sold in a country should trust such a certificate by default and promote its adoption by citizens to avoid receiving “bad certificate” messages while browsing the internet. “When someone lets their operating system trust this or that Certifying Authority in the future, their browser will accept all certificates from this CA as entrusted, which will open the door for MITM attacks”, says Johnson.

“In the worst case scenario, the Kazakh authorities may start blocking all encrypted traffic which they cannot access using their certificate. However I do not know any example of a country where this would have been implemented”, continues Johnson. “This is not implemented in Iran, Vietnam, China or Ethiopia”.

According to Nicole Pelprot from The New York Times, this initiative looks like a “budget version” of the Chinese model, which uses expensive filtering technologies embedded in a powerful infrastructure complex. The low budget Kazakh option has the potential of opening doors to even bigger threats to the authorities themselves. Hacking of the national certificate and release of fake copies under the government’s name will provide criminals with access to all national traffic.

Vartanov sees the future as a dark anti-utopia, especially for user rights. “The Kazakhstani authorities may get access to any information their citizens exchange on the internet, including security credentials, credit card numbers, private photos, Gmail accounts, Whatsapp and Facebook messages. Even more dangerous, however, is the ability to replace any information a citizen sees on the internet, from website content to private emails”.

According to a statement released to local media by Shavkat Sabirov, the Head of the Internet Association of Kazakhstan,the t1 January 2016 date was announced prematurely, since the certification process has not yet been defined adding that “this is an issue which would take months”. One may suppose, based on this comment, that the legal foundation for the national security certificate is not yet finalized. “Kazakhtelecom rushed too far with this information”, says Sabirov, without denying any existing plans to develop the national security certificate.

The Committee for Communications, Informatization and Information at the Ministry of Investment and Development of Kazakhstan and Kazakhtelecom had not responded to Digital Report requests for an interview at the time of publishing. Online news outlet, Vlast.kz, however, has reported that the Vice-Minister of Investments and Development, Saken Sarsenov, has provided comment as of 4 December 2015 on the introduction of the national security certificate.“They (requirements) are directed at the content-providers who provide online services in https-traffic. We are now drafting by-laws which would regulate these issues. As soon as they are ready, we’ll publish them. […] The Security certificate is a digital key everyone would have by default. If someone does not want to install it, they will have the right not to do so. They will not have any issues accessing the internet”, says Sarsenov. According to him, only encrypted traffic going out of Kazakhstan will be regulated. “This would not be applied to users and resources providing services within the territory of Kazakhstan. I can assure you that privacy will not be violated in any way […] because it is guaranteed by the Constitution and all our Laws”, added Sarsenov.

Regardless of these official assurances, the unexpected posting of the notice coupled with its equally hasty removal has done little to quell concerns.