Apple, Google, Microsoft, and Mozilla ban Kazakhstan's MitM HTTPS certificate

This marks the second time browser makers have had to intervene and block a certificate used by the Kazakhstan government to spy on its citizens.

Browser makers Apple, Google, Microsoft, and Mozilla today banned a root certificate that was being used by the Kazakhstan government to intercept and decrypt HTTPS traffic for residents in the country's capital, the city of Nur-Sultan (formerly Astana).

The certificate had been in use since December 6, 2020, when Kazakh officials forced local internet service providers to block Nur-Sultan residents from accessing foreign sites unless they had a specific digital certificate issued by the government installed on their devices.

While users were able to access most foreign-hosted sites, access was blocked to sites like Google, Twitter, YouTube, Facebook, Instagram, and Netflix, unless they had the certificate installed.

Kazakh officials justified their actions by claiming they were carrying out a cybersecurity training exercise for government agencies, telecoms, and private companies.

As the primary reason for launching the exercise, officials said that cyberattacks targeting "Kazakhstan's segment of the internet" grew 2.7 times during the current COVID-19 pandemic.

The government's explanation, however, made zero technical sense, as certificates can't prevent mass cyber-attacks and are usually used only for encrypting and safeguarding traffic from third-party observers.

After today's ban, even if users have the certificate installed, browsers like Chrome, Edge, Mozilla, and Safari will refuse to use it, preventing Kazakh officials from intercepting user data.

Today's ban also marks the second time the four browser makers have banned a certificate issued by the Kazakh government for man-in-the-middle (MitM) attacks. They blocked a first one in August 2019, a certificate that was used to intercept traffic for various Russian and English-speaking social media sites.