Will other countries follow Kazakhstan in forcing users to install certificates for HTTPS interception?

Experts from multiple digital forensics firms report that the Kazakhstan government has begun intercepting all HTTPS traffic detected within its territory.

Internet service providers companies operating in the country have already been warned by the government; from now on, they will have to force their respective customers to install certificates released by the Kazakh authorities on all their browsers and Internet-connected devices.

Digital forensics specialists say that once the user installs these web certificates, they will be granting the government access to their HTTPS traffic to read their content, encrypt it, and send it to an unknown location. For a few hours now, the inhabitants of Kazakhstan trying to access the Internet have been founding a message that redirects them to a website detailing the steps to follow to install these government-developed root certificates.

It seems that internet service providers have no choice but to force their customers to install these certificates, as this is an irrevocable decree of the Kazakh government.

Through its website, the Ministry for Digital Development, Innovation and the Aerospace Industry stated that this measure only applies to Internet users living in Nur-Sultan, the capital of Kazakhstan. However, digital forensics experts say that users from other regions have also been forced to install the certificate. Some users even claimed to have received a text message asking them to install these certificates, reported some local media.

With regard to this measure, some Kazakh government officials have mentioned that “the GOV intention is to improve the protection of our citizens, private companies and public institutions that use the Internet on a daily basis; anyone can be a victim of hackers, online scams or malware infections.”

This is not the first time Kazakhstan has tried to implement a similar measure. According to specialists from the International Institute of Cyber Security (IICS), the government’s first attempt to bulk install a certificate occurred in December 2015; the intention was that, as of January 2016, all Internet users in the country would have this certificate installed on their computers.