back to article Is Kazakhstan about to man-in-the-middle diddle all of its internet traffic with dodgy root certs?

Kazakhstan may be about to intercept and decrypt its citizens' internet traffic – by ordering them to install rogue security certificates. On Monday, the nation's dominant telco Kazakhtelecom JSC said it and other operators are "obliged" by law to crack open people's HTTPS connections, and that this surveillance will begin …

  1. Gio Ciampa
    Big Brother

    Forget the Russians - don't tell our lot!

    1. This post has been deleted by a moderator

      1. Anonymous Coward
        Anonymous Coward

        Shush!

        Never let a politician know. They may want to reduce the computing spend, and put the money into human assets.

        Not good for kickba...., errr annual bonuses

        1. Anonymous Coward
          Black Helicopters

          Re: Shush!

          WTF happened to my post??? Last I looked, it was pootling along nicely, diligently devoid of even a sniff of an expletive and having garnered a dozen or so upvotes and not a single downvote... then POOF!... dark forces obliterated it.

          What the hell happened?

  2. Natalie Gritpants

    Just browse the web in English

    If their Kazakh to English translator is anything to go by they won't have a clue what you're up to.

  3. veti Silver badge
    Black Helicopters

    I'm pretty sure the Russians, as well as GCHQ, NSA and the rest of them, have thought about this one long ago. Heck, they've probably got draft proposals sitting in a drawer somewhere.

    But they've all rejected it as either too blatant, or just plain unnecessary. GCHQ, I know, don't give a damn' about HTTPS - it's no obstacle to snooping, and they're not interested in censorship, so it doesn't concern them.

    (The Home Office now, that's a different story. They'd be interested in the censorship angle, if they understood it. But fortunately all that expertise is closeted away in GCHQ, who are quite happy with their "unlimited spying" remit and don't want to draw unnecessary attention by getting involved with anything higher-profile than that.)

  4. Robert Moore

    Kazakhstan

    Kazakhstan greatest country in the world all other countrys are run by little girls.

    Kazakhstan number one exporter of potassium!

    Other countries have inferior potassium.

    .

    .

    .

    How can such a great country do this?

    Now where will I get my potassium?

    1. Anonymous Coward
      Anonymous Coward

      Re: Kazakhstan for Make Benefit Glorious Nation happiness

      Having actually been on holiday to Kazakhstan, I can confirm that it is the origin country of THE APPLE

      (no, the fruit, not the expensive shiny stuff) with DNA traced all the way back to the eastern Tien-Shen mountains

      oh, the .KZ might just be on the look out for a colorful revolution or two, depends with these oily states, sometimes president for life gets 'spontaneously' sidelined & I'm sure they have a large Жүйесі жедел-iздестiру iс-шаралары / Система Оперативно-Розыскных Мероприятий /PRISM full-take already in place.

      It's the only place I've been where I went through full Airport security-theatre body scanning AFTER landing, I think they were after taxable items/special devices, or apples?

  5. Panopticon

    Not News

    Not news, spies are already doing it to peoples handset's and computer kernel.

    Turks-Trust, Equifax (NSA), MasterCard & Visa, Root Government CA.

    What makes it news is when people figure it out and hover a button over those Certificates and then press Delete removing there back-door whilst utilising an alternative.

    So called Leaders and politicians still don't understand encryption anything that protect's information from prying thieving butt-holes like them must be banned because it makes stealing all that technical stuff so much more difficult.

    As for Russia, those Baikal chips are named after a Lake.. So...

    (B)Lake encryption algorithm for the Win!

    1. Anonymous Coward
      Anonymous Coward

      Re: Not News

      but then press Delete removing there back-door whilst utilising an alternative. most OS'ses & Browsers automagically reinsert the full caboodle of untrustworthy trust anchors

      ( CA/Browser forum is another not quite transparent bunch ) showing some signs of improving

      I have a hardened windows server at home that surprisingly only has a handful of CAs; Now I wonder why that is Micro$oft?

      1. Anonymous Coward
        Anonymous Coward

        Re: Not News

        "a hardened windows server" !?!

        LMAO!

        Nice one.

        "Now I wonder why that is Micro$oft"

        Gosh, why indeed.

  6. Mark 85 Silver badge

    We believe that by ordering people to install the cers on their machines and handhelds, Kazakhstan will be the first country to resort to such measures.

    Hmm... This is probably the first country to admit it. I'm not sure why any country would admit such a thing unless there is something political to gain by announcing it.

  7. David Roberts
    Linux

    Yes! Year of the Linux desktop!

    The announcement only seems to apply to Windows on PCs .

    {Linux Penguin victory dance}

    1. hughca
      Coat

      Re: Yes! Year of the Linux desktop!

      It also says it only applies to Android and iOS on mobile - so year of Windows Pho...

      ... or not...

  8. imanidiot Silver badge
    Facepalm

    -->

    Just -->

  9. DropBear Silver badge
    Facepalm

    Oh dear...

    Look, I know Einstein said time can flow at different rates in different places, but to explain this kind of slowdown, there needs to be a supermassive black hole in the middle of that country (and a couple of other countries, come to think of it)...

  10. phuzz Silver badge
    Stop

    South Korea is already doing it.

    Chances are, there's a South Korean CA in your Windows box right now. They were added in 2012:

    http://social.technet.microsoft.com/wiki/contents/articles/9964.windows-root-certificate-program-members-april-2012.aspx

    I guess the news here is that Kazakhstan couldn't persuade Microsoft to include it in a windows update.

    *Edit, I just had a look and I can't find any national government CAs in the cert store on this Win10 machine. There is an AOL code signing cert though, so now I feel really safe.

    1. Mr. Flibble

      Re: South Korea is already doing it.

      To be fair to them, the current CA (valid from 2014 to 2017) is only for "*.gvpn.go.kr"

  11. Norm DePlume

    And, of course, I'm sure Kazakhstan has the technical resources to prevent attacks on its own systems compromising those certs and leading to anyone being able to decode anything sent in the country.

  12. SMabille

    Manual install

    Looks more like they are the first country to ask their residents to manually install the "trusted" certificate.

    TÜRKTRUST is still trusted by most browsers/os (ios 9 for example), even if they have been caught red-handed producing "by mistake" (coincidently during strong protest period) *.google.com certificate via EGO.GOV.TR certificate.

    When we know the unlimited love for freedom and privacy displayed by the Erdogan government, the mistake looks very opportunistic (and only detected thanks to Google certificate transparency project), I'm curious how many others erroneous certificate are lying around Turkey.

  13. x 7

    Presumably Microsoft's security scanners could be updated to nuke this?

    1. Anonymous Coward
      Anonymous Coward

      Could of course.

      Microsoft's "security" scanners could be updated to nuke this.

      etc.

      Will?

      Purely a matter of politics & corporate expediency.

      (∴ no)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019