How to stop the Kazakhstan government from intercepting your internet traffic


In mid-2019, internet users in Kazakhstan who visited any HTTPS-encrypted website were shown notices warning them to install a mandatory government “certificate.” This certificate, also called a CA because it’s issued by a certificate authority, allowed the government to perform man-in-the-middle attacks on citizens and read all their internet traffic, including passwords, personal messages, and credit card information. It also allowed the government to alter the contents of any site, including any cryptographic keys, Bitcoin addresses, and private communications.

However, such an attack would have been easily discovered by most browsers, as a “site not secure” warning would be displayed next to the address bar. To circumvent this, Kazakhstan has forced its ISPs to prompt users to download and manually install the government’s CA. Once it is installed, browsers are tricked into treating the “fake” certificate presented by the “fake” site as legitimate. The green lock even appears in the browser window.

Despite the Kazakh government’s announcement in 2019 that it would not move forward with this measure, the decision was later rescinded in December 2020.
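Because the lock icon still appears once the CA is installed, the reliable signal of the interception described above is the issuer named in the certificate a site actually presents. The following check is an added example, not part of the original article; the watched CA name is a constructed placeholder, the sample certificates are constructed, and the function names are this example's own.

```python
import socket
import ssl

# Placeholder: replace with the name of the CA you were prompted to install.
WATCHED_CA_NAMES = ["Example Mandatory Root CA"]  # constructed, not a real CA

def name_fields(rdns):
    """Flatten getpeercert()'s nested subject/issuer tuples into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def issuer_matches(cert, watched=WATCHED_CA_NAMES):
    """Return the watched name found in the certificate's issuer, else None."""
    issuer = name_fields(cert.get("issuer", ()))
    fields = ("commonName", "organizationName", "organizationalUnitName")
    haystack = " ".join(issuer.get(f, "") for f in fields).lower()
    return next((n for n in watched if n.lower() in haystack), None)

def fetch_peer_cert(host, port=443, timeout=5):
    """Return the decoded leaf certificate a live server presents.

    Verifies against Python's default trust store, so an
    ssl.SSLCertVerificationError here means the chain is not trusted by it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in getpeercert() format, so the check runs offline.
SAMPLE_NORMAL = {
    "subject": ((("commonName", "mail.example.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example Public CA R1"),)),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "mail.example.org"),),),
    "issuer": ((("organizationName", "Example Ministry"),),
               (("commonName", "Example Mandatory Root CA"),)),
}

if __name__ == "__main__":
    for label, cert in (("normal", SAMPLE_NORMAL),
                        ("intercepted", SAMPLE_INTERCEPTED)):
        hit = issuer_matches(cert)
        print(f"{label}: " + (f"issued by watched CA '{hit}'" if hit else "issuer not watched"))
```

The check looks only at the immediate issuer of the site's certificate, so an intermediate certificate with a different name under the same root would not match; add that name to the watch list if you know it.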

How to remove harmful CA certificates

Mac

  1. Use Spotlight to open Keychain Access
  2. In the sidebar click on System Roots
  3. In the search bar at the top-right, enter < name of CA >
  4. Right-click on the entry and select Delete < ca-name-here >
  5. Enter your password to confirm
  6. Confirm the deletion in the subsequent dialog

Windows

  1. Press the Windows or Start button, then type MMC
  2. Allow the app to make changes
  3. Click File, then Add/Remove Snap-In
  4. Click Certificates, then Add
  5. Select Computer Account, then Local Computer
  6. Click the arrow next to Certificates (Local Computer) to show all certificates (if nothing is listed, your device does not have the certificate)
  7. Select the arrow beside the government root certificate
  8. Now click the Certificates folder
  9. Find the government certificate, right-click it and select Properties
  10. Select Disable all purposes for this certificate, then click Apply
  11. Restart your machine

Android

  1. Go to Settings, then Security
  2. Tap Trusted Credentials
  3. Find the government root certificate
  4. Tap Disable

iOS

  1. Go to Settings, then General
  2. Select Profile (if there are no profiles, your device does not have the certificate)
  3. Select the government Profile
  4. Tap Delete
  5. Enter your password to confirm

How to stay private if you’re in Kazakhstan

  1. Do not install the government’s CA
  2. Use a VPN to connect to the internet

A VPN will disguise your physical location, so you will not be prompted to install the CA certificate. ExpressVPN’s Kazakhstan location is safe (and recommended if you want to obtain a Kazakh IP), as the server is not physically located in Kazakhstan.

Johnny 5 is the founding editor of the blog and writes about pressing technology issues. From important cat privacy stories to governments and corporations that overstep their boundaries, Johnny covers it all.