I don’t know about you, but right now I wouldn’t want to be living in Kazakhstan: the government has issued an advisory to all major local Internet Service Providers (ISPs) asking them to require every customer to install a government-issued root certificate on their devices in order to regain access to Internet services.
The root certificate in question, labeled a “trusted certificate” or “national security certificate,” once installed allows ISPs to intercept and monitor users’ encrypted HTTPS and TLS connections, aids the government in censoring content, and gives it the ability to “spy” on its users.
So how exactly does all of this work?
Whether your device is a phone or a computer, your web browser automatically trusts digital certificates issued only by a specific list of Certificate Authorities (CAs) whose root certificates are installed on your system.
Therefore, compelling Internet users to install a root certificate that belongs to a government organisation gives it the authority to generate valid digital certificates for any domain it wants to intercept in your HTTPS traffic.
Mohit Kumar, The Hacker News
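To make the mechanism above concrete, here is an added example (not from the post or from The Hacker News) that uses only the openssl command line. It builds a genuine CA and a second, self-signed "compelled" root, issues a certificate for example.com from each, and checks both against two trust stores: one pinned to the genuine CA and one that also contains the compelled root. All names (“Legit CA”, “Compelled National Root”, example.com) and files are constructed locally in a temporary directory.

```shell
#!/bin/sh
# Simulates the trust decision a browser makes before and after a compelled
# root certificate is installed. Everything here is generated locally and
# the CA names are constructed for the demonstration.
set -e
WORK=$(mktemp -d)

# Create a self-signed root CA: $1 = file prefix, $2 = subject CN
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a leaf certificate for example.com signed by a given root:
# $1 = root prefix, $2 = leaf prefix
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.com" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$2.crt" 2>/dev/null
}

# Verify a leaf against a trust store; prints "trusted" or "rejected".
# $1 = trust-store PEM file, $2 = leaf prefix
check() {
  if openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

make_root legit "Legit CA"                       # the CA that really serves example.com
make_root compelled "Compelled National Root"    # the root users are told to install
issue_leaf legit genuine                         # example.com's real certificate
issue_leaf compelled intercepted                 # an interceptor's certificate for the same name

# Store 1: pinned to the genuine CA only (what a careful client would expect)
cp "$WORK/legit.crt" "$WORK/store-pinned.pem"
# Store 2: the same store after the user "installs" the compelled root
cat "$WORK/legit.crt" "$WORK/compelled.crt" > "$WORK/store-compelled.pem"

echo "pinned store,    genuine cert:     $(check "$WORK/store-pinned.pem" genuine)"
echo "pinned store,    intercepted cert: $(check "$WORK/store-pinned.pem" intercepted)"
echo "compelled store, intercepted cert: $(check "$WORK/store-compelled.pem" intercepted)"
```

The interceptor's certificate is rejected while the client pins the expected issuer, and becomes indistinguishable from the real one the moment the extra root is in the store; comparing the presented chain's root against a pinned fingerprint is therefore the check that still reveals the interception.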
The main concern is that you have to obtain these certificates over a plain HTTP connection, since users are restricted to HTTP until the certificate is installed, which makes it easy for an attacker to replace the certificate files using a MITM attack.
We will be waiting for updates on how companies and web browsers respond to this infringement of the privacy of Kazakh citizens.