Kazakhstan man-in-the-middle attack

{{short description|State-actor security exploit by the government of Kazakhstan}}

In 2015, the government of Kazakhstan created a root certificate which could have enabled a man-in-the-middle attack on HTTPS traffic from Internet users in Kazakhstan. The government described it as a "national security certificate". If installed on users' devices, the certificate would have allowed the Kazakh government to intercept, decrypt, and re-encrypt any traffic passing through systems it controlled.{{Cite web |last=Nurmakov |first=Adil |date=2015-12-05 |title=Experts Concerned Kazakhstan Plans to Monitor Users' Encrypted Traffic |url=https://digital.report/experts-concerned-kazakhstan-plans-to-monitor-users-encrypted-traffic/ |archive-url=https://web.archive.org/web/20151205093315/https://digital.report/experts-concerned-kazakhstan-plans-to-monitor-users-encrypted-traffic/ |archive-date=2015-12-05 |access-date=2019-07-18 |website=Digital Report |language=en |url-status=dead }}{{Cite web |last=Nichols |first=Shaun |date=3 Dec 2015 |title=Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs? |url=https://www.theregister.co.uk/2015/12/03/kazakhstan_to_maninthemiddle_all_internet_traffic/ |access-date=2019-07-18 |website=The Register |language=en}}

In July 2019, Kazakh ISPs began notifying their users that the certificate, now called the Qaznet Trust Certificate{{Cite web |title=Kazakh government will intercept the nation's HTTPS traffic |url=https://www.itpro.co.uk/go/34051 |access-date=2019-08-21 |website=IT PRO |date=19 July 2019 |language=en}} and issued by the state certificate authority, the Qaznet Trust Network, would have to be installed by all users.{{Cite web |last=Afifi-Sabet |first=Keumars |date=19 July 2019 |title=Kazakh government will intercept the nation's HTTPS traffic |url=https://www.itpro.co.uk/go/34051 |archive-url= |archive-date= |access-date=2019-07-19 |website=IT PRO |language=en}}{{Cite web |last1=Raman |first1=Ram Sundara |last2=Evdokimov |first2=Leonid |last3=Wustrow |first3=Eric |last4=Halderman |first4=Alex |last5=Ensafi |first5=Roya |date=July 23, 2019 |title=Kazakhstan's HTTPS Interception |url=https://censoredplanet.org/kazakhstan |archive-url= |archive-date= |access-date=2019-08-21 |website=Censored Planet |publisher=University of Michigan}}

Sites operated by Google, Facebook and Twitter appeared to be among the Kazakh government's initial targets.{{Cite web |last=Paris |first=Martine |date=2019-08-21 |title=Google and Mozilla block Kazakhstan root CA certificate from Chrome and Firefox |url=https://venturebeat.com/2019/08/21/google-and-mozilla-block-kazakhstan-root-ca-certificate-from-chrome-and-firefox/ |archive-url= |archive-date= |access-date=2019-08-21 |website=VentureBeat |language=en-US}}

On August 21, 2019, Mozilla and Google simultaneously announced that their Firefox and Chrome web browsers would not accept the government-issued certificate, even if installed manually by users.{{Cite web|url=https://blog.mozilla.org/security/2019/08/21/protecting-our-users-in-kazakhstan/|title=Protecting our Users in Kazakhstan|website=Mozilla Security Blog|language=en-US|access-date=2019-08-21|first=Wayne|last=Thayer|date=2019-08-21}}{{Cite web|url=https://security.googleblog.com/2019/08/protecting-chrome-users-in-kazakhstan.html|title=Protecting Chrome users in Kazakhstan|website=Google Online Security Blog|language=en|access-date=2019-08-21|first=Andrew|last=Whalley|date=2019-08-21}} Apple also announced that it would make similar changes to its Safari browser. {{As of|2019|08|df=US}}, Microsoft had not made any changes to its browsers, but reiterated that the government-issued certificate was not in the trusted root store of any of its browsers and would not have any effect unless a user manually installed it.{{Cite web |last=Brodkin |first=Jon |date=2019-08-21 |title=Google, Apple, and Mozilla block Kazakhstan government's browser spying |url=https://arstechnica.com/tech-policy/2019/08/chrome-firefox-and-safari-updated-to-block-kazakhstan-government-spying/ |access-date=2019-08-22 |website=Ars Technica |language=en-us}}

In December 2020, the Kazakh government attempted to re-introduce the government-issued root certificate for a third time.{{Cite web |last=Cimpanu |first=Catalin |title=Kazakhstan government is intercepting HTTPS traffic in its capital |url=https://www.zdnet.com/article/kazakhstan-government-is-intercepting-https-traffic-in-its-capital/ |access-date=2020-12-18 |publisher=ZDNET |language=en}} In response to this, browser vendors again announced that they would block any such attempt by invalidating the certificate in their browsers.{{Cite web |last=Moon |first=Mariella |date=2020-12-18 |title=Tech giants will block Kazakhstan's web surveillance efforts again |url=https://www.engadget.com/tech-giants-browsers-block-kazakhstan-web-surveillance-080031499.html |access-date=2020-12-18 |publisher=Engadget |language=en}}

References