In mid-2019, internet users in Kazakhstan who visited any HTTPS-encrypted website were shown notices warning them to install a mandatory government “certificate.” This root certificate, belonging to a government-run certificate authority (CA), allowed the government to perform man-in-the-middle attacks on citizens and read all their internet traffic, including passwords, personal messages, and credit card information. It also allowed the government to alter the contents of any site, including any cryptographic keys, Bitcoin addresses, and private communications.
Ordinarily such an attack is easy to spot: when a site presents a certificate that no trusted CA has signed, the browser displays a “site not secure” warning next to the address bar. To get around this, Kazakhstan forced its ISPs to prompt users to download and manually install the government’s CA certificate. Once that root is installed, the browser treats the forged certificate presented by the interception proxy as legitimate, and the green lock even appears in the browser window.
Although the Kazakh government announced in 2019 that it would not move forward with this measure, it reversed that decision in December 2020.
How to remove harmful CA certificates
Mac
- Use spotlight to open Keychain Access
- In the sidebar click on System Roots
- In the search bar at the top-right, enter the name of the CA
- Right-click on the entry and select Delete “<name of CA>”
- Enter your password to confirm
- Confirm the deletion in the subsequent dialog
Windows
- Press the Windows or Start button, then type MMC
- Allow the app to make changes
- Click File, then Add/Remove Snap-In
- Click Certificates, then Add
- Select Computer Account, then Local Computer
- Click the arrow next to Certificates (Local Computer) to show all certificates (if nothing is listed, your device does not have the certificate)
- Select the arrow beside the government root certificate
- Now click the Certificates folder
- Find the government certificate, right-click it and select Properties
- Select Disable all purposes for this certificate, then click Apply
- Restart your machine
Android
- Go to Settings, then Security
- Tap Trusted Credentials
- Find the government root certificate
- Tap Disable
iOS
- Go to Settings, then General
- Select Profile (if there are no profiles, your device does not have the certificate)
- Select the government Profile
- Tap Delete
- Enter your password to confirm
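The manual steps above amount to two checks: is an unexpected root present in the trust store, and is a site's certificate being issued by that root rather than by a public CA (the interception described at the top of the article). The following script, an added example that is not part of the original article, performs both checks with Python's standard `ssl` module. The `WATCHLIST` subject patterns are constructed placeholders, not real CA names; replace them with the organization and common name of the certificate you are looking for.

```python
"""Scan the local TLS trust store for watchlisted root certificates and
flag a server certificate issued by one of them.

Added example, not from the original article. WATCHLIST holds constructed
placeholder strings; substitute the subject fields of the real certificate."""
import socket
import ssl
import sys

# Constructed placeholders (not real CA names): matched case-insensitively
# against the organizationName and commonName of each root.
WATCHLIST = ("EXAMPLE-GOV-ROOT", "Example Government")


def rdn_to_dict(rdn_sequence):
    """Flatten ssl's ((('countryName', 'XX'),), ...) subject/issuer tuples
    into a plain {attribute: value} dict."""
    flat = {}
    for rdn in rdn_sequence:
        for attribute, value in rdn:
            flat[attribute] = value
    return flat


def matches_watchlist(name, watchlist=WATCHLIST):
    """True if any watchlist pattern occurs in the name's O or CN field."""
    fields = rdn_to_dict(name)
    haystack = " ".join(
        fields.get(k, "") for k in ("organizationName", "commonName")
    ).lower()
    return any(p.lower() in haystack for p in watchlist)


def suspicious_roots(certs, watchlist=WATCHLIST):
    """Return the certificates (ssl dict format, as from get_ca_certs())
    whose subject matches the watchlist. Self-signed status is reported so
    a reviewer can tell a root from an intermediate with a similar name."""
    hits = []
    for cert in certs:
        if matches_watchlist(cert.get("subject", ()), watchlist):
            fields = rdn_to_dict(cert["subject"])
            hits.append({
                "commonName": fields.get("commonName", ""),
                "organizationName": fields.get("organizationName", ""),
                "self_signed": cert.get("subject") == cert.get("issuer"),
                "notAfter": cert.get("notAfter", ""),
            })
    return hits


def issued_by_watchlisted_ca(peer_cert, watchlist=WATCHLIST):
    """True if a server certificate (as returned by SSLSocket.getpeercert())
    was signed by a watchlisted CA, meaning the connection is being
    terminated by an interception proxy rather than the real site."""
    return matches_watchlist(peer_cert.get("issuer", ()), watchlist)


def system_roots():
    """CA certificates the running Python trusts, loaded from the OS store."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


if __name__ == "__main__":
    hits = suspicious_roots(system_roots())
    for hit in hits:
        print("flagged root:", hit)
    if not hits:
        print("no watchlisted roots in the trust store")
    if len(sys.argv) > 1:  # optional: check who issued a live site's certificate
        host = sys.argv[1]
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(socket.create_connection((host, 443)),
                             server_hostname=host) as tls:
            verdict = ("interception suspected"
                       if issued_by_watchlisted_ca(tls.getpeercert())
                       else "issuer not on watchlist")
            print(host + ":", verdict)
```

Run it with no arguments to list watchlisted roots in the store Python reads (on Windows this is the system store; on macOS and Linux it is whatever `ssl.create_default_context()` loads, which may differ from the browser's own store), or with a hostname to see whether that site's certificate was issued by a watchlisted CA. An empty result from the first check corresponds to the “if nothing is listed, your device does not have the certificate” condition in the steps above.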
How to stay private if you’re in Kazakhstan
- Do not install the government’s CA
- Use a VPN to connect to the internet
A VPN will disguise your physical location, so you will not be prompted to install the CA certificate. ExpressVPN’s Kazakhstan location is safe (and recommended if you want a Kazakh IP address), as the server is not physically located in Kazakhstan.