Kazakhstan To 'Superfish' Its Citizens; OS And Browser Vendors Could Stop It

Kazakhtelecom JSC, the largest telecommunications company in Kazakhstan, announced that the government will require all citizens to install a “national security certificate” starting January 1, 2016. Kazakhstan's citizens will have to go to www.telecom.kz, where they will be prompted with instructions for installing the certificate on Windows, Mac OS, Android and iOS.

Country-Wide "Superfish"

In practice this means the government is trying to “Superfish” all of its citizens. Once its root certificate sits in every device's trust store, an interception proxy on the national network can stand between the user and any HTTPS site, present a certificate it issued itself for that site, decrypt the traffic, read or modify it, and re-encrypt it toward the real server, all without the browser showing a warning. That gives the government the ability not only to read traffic that is supposed to be encrypted, but also to censor individual pages rather than whole sites. Before sites like Wikipedia adopted HTTPS by default, some governments blocked individual pages in exactly this way.

Once Wikipedia and other sites moved to HTTPS, a censor could no longer see which page was being requested, so governments had to choose between blocking a whole site or nothing; it became an all-or-nothing proposition. For popular websites they mostly chose not to block, as too many people relied on them for all sorts of content.

Plain HTTP also let governments see what content people were reading, whether in aggregate to track trends or individually when someone was targeted. With HTTPS the page and its contents are hidden; an observer can still see which domain a user connects to (from DNS and from the server name sent in the TLS handshake), but not which page was read or what was submitted.

That is why Kazakhstan, which presumably wants to keep its censorship and surveillance powers, is now demanding that all citizens install its certificate. “National security” is invoked because it makes people more willing to accept the measure, even though the vast majority of uses of the certificate will not be for national security purposes, or at least not what is commonly regarded as national security, since the Kazakhstan government can ultimately interpret the term however it wants.

Security Risk

The problem with this security argument is that it may in fact make Kazakhstan's citizens less secure, not just against their own government but against ordinary criminals as well. We learned earlier this year with Lenovo's Superfish, and more recently with Dell's own pre-installed root certificate, that such certificates pose a serious security risk to users.

If attackers get hold of the private key of that root certificate (and we can probably assume the Kazakhstan government does not have world-renowned security in place to protect it), they can issue a certificate for any site that every device in Kazakhstan will accept without warning, and use it to intercept and decrypt anyone's communications, exactly as the government itself intends to. The key is a single point of failure for the whole country's HTTPS traffic.

Replacing the certificate if the government discovers that its private key has been stolen would also be very slow. Lenovo and Dell could push updates to their own laptops, or rely on Microsoft to remove the bad certificates from Windows for them. A root that every citizen installed by hand cannot be pulled back that way: each person would have to remove the old certificate and install the new one again, so it could take years before most devices in Kazakhstan stop trusting the stolen key.

How To Stop It

There are only two ways for Kazakhstan's citizens to stop this now. One is to protest against the move. The other is to ask technology companies to take measures against it by refusing to accept that certificate for their services or apps.

Service providers could pin their apps to specific certificates or keys they trust and refuse to connect through any other. This works for native mobile and desktop apps, which control their own TLS validation; it does not help inside a browser, because Chrome and Firefox deliberately exempt roots that the user installed from their pinning checks, precisely so that corporate proxies and antivirus products can intercept traffic. Browser vendors could also distrust the certificate outright in their browsers, as they have already done with China's root certificate authority, CNNIC.
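The following Go program is an added example, not code from the article or from any vendor it names, showing what the pinning option looks like for an app that controls its own TLS validation. It generates a legitimate CA and a stand-in for the national security certificate, puts both into the root store (as an installed root would be), and then checks a genuine and a forged certificate for the made-up hostname wikipedia.example: the forged one passes ordinary chain validation, because the interception root is trusted, but fails the key pin. All names, keys and the hostname are constructed locally for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the SubjectPublicKeyInfo, the form used by HPKP and by the
// browsers' built-in pin lists; pinning the key survives certificate renewals.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// issue generates a P-256 key and a certificate for it: a self-signed root when
// parent is nil, otherwise a server certificate for the host called name, signed
// by parent (what an interception proxy does for every site it sees). Generation
// only fails if the system RNG does, so the example panics instead of threading errors.
func issue(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // end-entity certificate for the host called name
		tmpl.DNSNames = []string{name}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyPinned runs the chain validation a browser does against the root
// store, then additionally requires a pinned key somewhere in the chain.
// An app would call this from tls.Config.VerifyPeerCertificate.
func verifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return errors.New("chain validates against the root store but contains no pinned key")
}

// Scenario puts both a legitimate CA and the installed interception root into
// the root store, then presents a genuine and a forged certificate for the
// constructed hostname "wikipedia.example". It reports whether the genuine chain
// is accepted, whether the forged chain passes the root store alone, and whether
// the forged chain also passes the pin.
func Scenario() (legitAccepted, mitmChainValid, mitmAccepted bool) {
	const host = "wikipedia.example"
	legitCA, legitKey := issue("Legitimate Public CA", nil, nil)
	mitmCA, mitmKey := issue("National Security Certificate", nil, nil)
	legitLeaf, _ := issue(host, legitCA, legitKey)
	mitmLeaf, _ := issue(host, mitmCA, mitmKey) // forged by the proxy on the fly
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(mitmCA) // the citizen followed the installation prompt
	pins := map[string]bool{spkiPin(legitCA): true}
	_, chainErr := mitmLeaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return verifyPinned(legitLeaf, roots, host, pins) == nil,
		chainErr == nil,
		verifyPinned(mitmLeaf, roots, host, pins) == nil
}

func main() {
	fmt.Println(Scenario()) // true true false
}
```

In a real client the check goes into tls.Config.VerifyPeerCertificate, pinning the service's own key or its intermediate's key rather than a root, and with a backup pin for a key not yet in use so that a routine key rotation does not lock users out.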

Finally, the platform vendors (which are also the major browser vendors), Microsoft, Google and Apple, could update their operating systems to remove that certificate from the root stores, or mark it as explicitly untrusted so that reinstalling it has no effect.

They could even release future versions of their operating systems that disallow any root certificate other than the default ones. This would annoy some power users who want to test or install their own certificates, but the vast majority of consumers never install a root certificate themselves.

Microsoft, for instance, could still allow the Enterprise, or even the Pro, editions of Windows to install certificates. This would still protect most people against such abuses, whether from manufacturers' bad certificates or from oppressive nation states.

Update, 12/3/15, 12:01am PT: The Tor Project announced that its website was blocked in Kazakhstan, but it provided a mirror link where people can download the Tor browser.


Lucian Armasu joined Tom’s Hardware in early 2014. He writes news stories on mobile, chipsets, security, privacy, and anything else that might be of interest to him from the technology world. Outside of Tom’s Hardware, he dreams of becoming an entrepreneur.

  • Larry Litmanen
    Will this be used for political reasons? Sure it will but this is the result of US policies and to somewhat lesser extent Islamism.

    Kazakhstan has terror issues, it is surrounded by countries that have serious Islamic insurgency, so monitoring the internet will be a huge blow to them, as it is impossible to communicate in the modern world without it.

    Now as far as US policies, Ukraine had a legit President taken down by US financed opposition, well now Russia will make sure there will be no opposition. A tit for tat.
  • Chazgw
    Using Superfish is like letting a monkey drive a plane! We stopped that in Kazakhstan 3 years ago.
  • yasha
    Kazakhstan has terror issues, it is surrounded by countries that have serious Islamic insurgency

    What terror issues? Which of the countries surrounding Kazakhstan has serious Islamic insurgency?

    What you are talking about is nonsense.
  • Markor
    "They could even release future versions of their operating systems that would disallow any other root certificate than the default ones."

    In that case such an OS would be banned from use or distribution by most of the countries on Earth.
    We are getting closer to the day when the nations of the world will tell US-spying OSes to fuck off with limiting users' choice of software, solutions and places to put their private data unsniffed by the CIA and NSA.
    Messing with certificates (which are a messy top-to-bottom thing anyway) could act badly on business customers and company use.

    Actually US companies and other users of US-issued certificates in the world are already spied upon because the NSA has their root certificates, and since data in the cloud is not encrypted for the US government and US companies (read: Microsoft vs US courts) are forced to give user data from all over the world to US courts and agencies, this event is just duplicating such policy, but in an open and legal way.

    What if the rest of the world starts blocking all US-issued certificates, on the premise that, by coming from the US, they are made and used to spy upon every user? (And that is no secret, especially after Windows 10.)
    It is, as always, an internal issue of that country and they should solve it in their own way, explaining why it is technically wrong and against development and the rights of individuals, and local companies could suffer in their position on the world market, as well as the country's reputation.

    But the short-sighted "solutions" provided in this text article reflect the general twisted view of US and western foreign policy with no real democracy in sight:
    To put countries, companies, individuals, whistleblowers (Snowden, Assange) and whole nations under sanctions, control, stress, torture, bombing and military killings. It is just one thing that "western" "democracies" and their citizens lost during previous years:
    The right to tell anyone else what to do, because of their inner immorality and double-faced politics, which reflects on human-to-human communication around the Earth.