Kazakhstan's HTTPS interception efforts target Facebook, Google, Twitter, others

Researchers: HTTPS interceptions happening on one ISP for the moment, target communications services, follow erratic pattern.


The Kazakhstan government has recently begun enforcing a technical measure that allows it to intercept HTTPS traffic originating from within the country.

Starting around July 17, local internet service providers have begun blocking access to the internet and forcing their customers to install a root certificate into their desktop and mobile browsers.

The root certificate, issued in the name of the Kazakh government, allows its owner to decrypt HTTPS traffic, take a look at its content, re-encrypt and then forward the connection to its destination.

Kazakh government actively intercepting at least 37 domains

Details were scarce for the first few days after the HTTPS interceptions began; however, new research published by Censored Planet this week provides a more in-depth look at what's happening inside the Asian country.

Per the organization, the "HTTPS interception" is currently triggering for only 37 domains, all social media and communications websites, such as Facebook, Google, Twitter, Instagram, YouTube, and VK domains, along with a few smaller sites.

The full list of intercepted sites is available below (grouped by service, not alphabetically):

android.com
messages.android.com
------------------------------------
goo.gl
google.com
www.google.com
allo.google.com
dns.google.com
docs.google.com
encrypted.google.com
mail.google.com
news.google.com
picasa.google.com
plus.google.com
sites.google.com
translate.google.com
video.google.com
groups.google.com
hangouts.google.com
------------------------------------
youtube.com
www.youtube.com
------------------------------------
facebook.com
www.facebook.com
messenger.com
www.messenger.com
------------------------------------
instagram.com
www.instagram.com
cdninstagram.com
------------------------------------
twitter.com
------------------------------------
vk.com
vk.me
vkuseraudio.net
vkuservideo.net
------------------------------------
mail.ru
ok.ru
rukoeb.com
sosalkino.tv
tamtam.chat

Still under testing

According to Censored Planet, not all local ISPs appear to be currently participating in the HTTPS interceptions.

Despite evidence that several Kazakh ISPs have been forcing users to install the government's root certificate, Censored Planet found that only Kazakhtelecom (AS 9198 KazTelecom) was actively intercepting HTTPS connections.

Furthermore, the HTTPS interceptions don't happen all the time, and appear to go on and off without a clear pattern.

"This indicates that the interception system is still being tested or tuned, perhaps as a precursor to wider deployment," Censored Planet researchers said.

The Censored Planet team, which also includes academics from the University of Michigan and the University of Colorado, Boulder, has published details on how other researchers can study the phenomenon from outside the country and track the Kazakh government's snooping efforts.
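The pattern reported above (interception on one ISP, for some domains, on some connections but not others) can be illustrated with a small check that compares observed TLS handshakes against a control measurement. This is an added example, not code from Censored Planet or the original article; the record format, the fingerprints, the root name `EXAMPLE-GOV-ROOT` and the second ASN `AS64500` (a documentation-reserved number) are all constructed placeholders.

```python
from collections import defaultdict

# All values below are constructed for illustration, not real measurements.
PUBLIC_ROOTS = {"Example Public Root CA"}   # stand-in for a browser root store
CONTROL_LEAVES = {                          # leaf SHA-256 seen from a control vantage
    "facebook.com": {"aa11"},
    "twitter.com": {"bb22", "bb23"},        # a site may serve several valid leaves
    "example.org": {"cc33"},
}
# One record per handshake: (asn, sni, root_issuer_cn, leaf_sha256)
OBSERVED = [
    ("AS9198", "facebook.com", "EXAMPLE-GOV-ROOT", "ff01"),
    ("AS9198", "facebook.com", "Example Public Root CA", "aa11"),
    ("AS9198", "facebook.com", "EXAMPLE-GOV-ROOT", "ff02"),
    ("AS9198", "twitter.com", "Example Public Root CA", "bb99"),
    ("AS9198", "example.org", "Example Public Root CA", "cc33"),
    ("AS64500", "facebook.com", "Example Public Root CA", "aa11"),
]


def classify(sni, root_cn, leaf):
    """Label one handshake by comparing it with the control measurement."""
    if leaf in CONTROL_LEAVES.get(sni, set()):
        return "match"
    if root_cn in PUBLIC_ROOTS:
        return "rotated"      # new leaf under a public root: likely renewal or CDN
    return "intercepted"      # unknown leaf chaining to a non-public root


def summarize(records):
    """Return {(asn, sni): (intercepted, total)} over all handshakes."""
    counts = defaultdict(lambda: [0, 0])
    for asn, sni, root_cn, leaf in records:
        entry = counts[(asn, sni)]
        entry[1] += 1
        if classify(sni, root_cn, leaf) == "intercepted":
            entry[0] += 1
    return {key: tuple(val) for key, val in counts.items()}


def intermittent(summary):
    """Pairs where interception was seen on some handshakes but not all."""
    return sorted(k for k, (hit, total) in summary.items() if 0 < hit < total)


if __name__ == "__main__":
    result = summarize(OBSERVED)
    for (asn, sni), (hit, total) in sorted(result.items()):
        print(f"{asn} {sni}: {hit}/{total} intercepted")
    print("intermittent:", intermittent(result))
```

The "rotated" label keeps ordinary certificate renewal from being counted as interception, which matters when the control measurement is older than the observation.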

This is the second time Kazakh officials have tried to push an HTTPS interception measure, after a first attempt in December 2015. That attempt failed because the local government was sued by several organizations, including ISPs, banks, and foreign governments, who feared it would weaken the security of all internet traffic (and adjacent business) originating from the country.

When Kazakh officials announced this measure a second time earlier this month, they said it was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats."
