Kazakhstan Moves to Tighten Control of Internet Traffic

Photo: President Nursultan Nazarbayev of Kazakhstan. Credit: Mukhtar Kholdorbekov/Reuters

Government officials in Kazakhstan are borrowing a page from China, quietly devising their own version of China’s so-called Great Firewall to unscramble encrypted web and mobile traffic as it flows in and out of Kazakh borders.

The move to intercept encrypted communications — which is scheduled to begin in January — will effectively allow Kazakh officials to monitor, or even block, vast swaths of digital content for Kazakh Internet and mobile users.

Kazakhstan’s largest telecommunications company, Kazakhtelecom JSC, said in a news release that it and other operators were “obliged” by law to intercept encrypted web and mobile connections flowing into its borders, beginning Jan. 1. The company advertised the move as a way to “secure protection of Kazakhstan users” who have access to encrypted content from “foreign Internet resources.”

But, in effect, it will do the opposite, exposing Kazakh users’ private communications to snooping.

After The New York Times sent repeated requests for clarification to officials at Kazakhstan’s embassy in Washington on Wednesday evening, the announcement was removed from Kazakhtelecom JSC’s website. Embassy officials did not return requests for comment.

Unlike with China, which filters data through an expensive and complex digital infrastructure known as the Great Firewall, security experts say Kazakhstan is trying to achieve the same effect at a lower cost. The country is mandating that its citizens install a new “national security certificate” on their computers and smartphones that will intercept requests to and from foreign websites.

That gives officials the opportunity to read encrypted traffic between Kazakh users and foreign servers, in what security experts call a “man in the middle attack.”

As a result, Kazakh telecom operators, and government officials, will be privy to mobile and web traffic between Kazakh users and foreign servers, bypassing encryption protections known as S.S.L., or Secure Sockets Layer, and H.T.T.P.S., technology that encrypts browsing sessions and is familiar to users by the tiny padlock icon that appears in browsers.

Corporations adopt similar systems to keep employees from visiting certain websites at work, to guard against information theft, or scan for malicious computer viruses.

But analysts say that the Kazakhstan plan may be intended for government monitoring.

According to Human Rights Watch, the Kazakhstan government has escalated a crackdown on news media since 2012, blocking websites, banning newspapers and broadcasters, and in one case, submitting a journalist to forced psychiatric observation.

“Given the style of government of Kazakhstan, I think we can assume that this is simply part of their censorship apparatus,” said Steven M. Bellovin, a professor of computer science at Columbia University. “It’s a serious security risk for Kazakh users both technically and in their inability to send and receive private communications.”

Mr. Bellovin also noted that Kazakhstan’s system would be a tempting target for hackers or other governments. “Anyone who hacked these boxes would also be able to monitor traffic,” he said.

In 2011, hackers inside Iran enacted a similar monitoring technique. Instead of compelling Iranian users to download a government-issued certificate, Iranian hackers compromised a publicly trusted Dutch certificate authority, DigiNotar, and issued fake certificates to spy on the communications of 300,000 Iranian Gmail users.

After the attack was made public, Google, Microsoft, Adobe and other major technology companies blacklisted certificates issued by DigiNotar, which went bankrupt several months later.

If Kazakhstan goes through with its state-issued “national security certificate,” companies like Google, Facebook and Microsoft could choose to blacklist the Kazakh certificate authority, as they did with DigiNotar in 2011, and wide swaths of Internet content would be inaccessible to users inside Kazakhstan.

Google uses a system known as “public key pinning” for its Chrome web browser, Chromebook PCs and Android phones, which restricts the set of certificate authorities allowed to vouch for a particular website. For certain websites, including Google, Facebook and the Tor Project, which provides anonymity software, Chrome trusts only a subset of certificate authorities.

If Kazakh users download the new government-mandated certificate to their devices as a trusted authority, public key pinning would not stop users from being able to access listed websites; it would only warn users that their connection may be intercepted.

It would be up to Google, Microsoft and other major web services to decide whether to blacklist the Kazakh certificate authority altogether.

Aaron Krolik contributed reporting.