Last month, the government of Kazakhstan began to distribute a root certificate around the population which would allow it to spy on its citizens’ web traffic. In response, Google, Apple, and Mozilla have today updated their browsers to no longer function if web traffic is encrypted using the government’s root certificate.
The surveillance system relied on ISPs forcing users to install a security certificate on every device and browser, which would allow the government to decrypt and analyze supposedly secure web traffic.
The system was first introduced on July 17, when users were automatically redirected to pages with installation instructions for the root certificate, though users were not forced to download it. According to a report by the group Censored Planet only a few websites were being targeted for HTTPS interception, most notably Facebook, Google, Instagram, YouTube, and Russian social network VK.
Kazakhstan stopped the interception in early August and claimed that it was a trial before a larger rollout.
At the time, the Kazakh Ministry of Digital Development, Innovation and Aerospace claimed that the decision was “aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats.”
President of Kazakhstan Kassym-Jomart Tokayev said that he had personally ordered the trial, and that protective measures “would not inconvenience Kazakh internet users.”
The decision by Google and Mozilla is likely to force the end of Kazakhstan’s attempt to intercept HTTPS traffic, but it is unlikely to be the end of Kazakhstan’s violations of human and digital rights.
In May of this year, the government blocked access to social media and news websites during Victory Day, which was first celebrated in the country in 1947 and has continued since Kazakhstan’s independence after the fall of the Soviet Union in 1991. Several anti-government protestors were arrested during the 2019 ceremonies.
In a statement given to ZDNet, an Apple spokesperson said: “Apple believes privacy is a fundamental human right, and we design every Apple product from the ground up to protect personal information. We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue.”