Proton
An illustration of Kazakhstan government surveillance

Aug. 7, 2019 update: The government has reversed its surveillance strategy, claiming the whole program was a “test” that is now complete, according to Reuters(nouvelle fenêtre). If you installed a government root certificate on your device, you may now uninstall it without consequence. We have provided instructions in this article below for how to do so safely on Mac, Windows, Android, and iOS.

Governments around the world have fought against encryption, but Kazakhstan’s aggressive mass surveillance policy sets an alarming new precedent that may spread to other countries. We’re taking a look at how the recent online surveillance measures have affected Kazakhs, how to stay safe there, and how to defend your data from government spying anywhere.

On July 17, the government of Kazakhstan began coercing its citizens to install a root certificate on their devices that would allow the authorities to monitor everything they do online. The surveillance affects anyone trying to access certain websites, including Gmail, Facebook, Twitter, and YouTube. Once the certificate is installed, the government could access emails, read private messages, log browsing activity, and store login credentials.

The government calls these “security certificates” and insists installation is voluntary. “The introduction of a security certificate will help in the protection of information systems and data,” the Ministry of Digital Development said in an announcement to Kazakh Internet service providers(nouvelle fenêtre) (ISPs). But in reality, installing a fake root certificate only places personal data in jeopardy by exposing it to third parties.

Of course, few believe security is the government’s objective. In Kazakhstan, elections are few and unfair(nouvelle fenêtre), and surveillance and state censorship are common(nouvelle fenêtre). In fact, Proton Mail is one of the many online services, social media, and news portals that are blocked by the regime.

Back in 2015, the Kazakh government first tried to implement the root certificate attack but gave up under pressure from companies. We hope they fail a second time. In the meantime, Proton Mail will continue to provide technological tools to defeat censorship and protect individuals’ right to privacy. Read below for instructions to remove the Kazakh root certificate if you installed it, how to access VPN and Tor, and how to send secure emails no matter where you are.

Kazakhstan’s man-in-the-middle attack

When you access a website and establish a secure connection, your device knows it can trust the site’s server because of its certificate. These are typically issued by a trusted certificate authority and can’t be manipulated. In a man-in-the-middle attack, a third party inserts itself between the website’s server and the user’s device. They then decrypt, read, re-encrypt, and pass along the victim’s data to the real server without anyone knowing the attack took place. 

This is exactly what the Kazakh government is doing, except they’re doing it by coercion. When users install the government’s root certificate on their browsers, it tells the browsers to trust government-issued TLS certificates. The government can then decrypt users’ HTTPS traffic. Users will still see the green lock in their browser’s URL bar, falsely indicating that their traffic is safely encrypted. This is a government-sanctioned man-in-the-middle attack. 

The attack, first described(nouvelle fenêtre) by researchers at Censored Planet, affects users trying to reach some of the most popular websites in the world, including several Google and Facebook services. Those who try to access the Internet without the government-issued root certificate are being redirected to landing pages(nouvelle fenêtre) with instructions on how to install it.

“This list of domains suggests that the actual intention is instead to surveil users on social networking and communication sites,” Censored Planet said in its report.

Why Kazakhstan’s mass surveillance is particularly bad

HTTPS is a bedrock of what makes the Internet functional. When you log in to your bank account or buy something online, your credentials and credit card number are safe because of HTTPS. And trusted certificates are the bedrock of HTTPS. If we can’t trust certificates, then we can’t trust the Internet. 

In the past, certificate authorities have been accused of(nouvelle fenêtre), or have admitted to(nouvelle fenêtre), selling fake root certificates to private entities for surveillance. It is conceivable that a certificate authority could be compelled or persuaded to sell one to a government. And there are plenty of governments that would be interested.

Just recently, the Chinese government made foreigners visiting the Xinjiang region install a malware app(nouvelle fenêtre) on their smartphone. The app, named BXAQ(nouvelle fenêtre), collects all the calendar entries, contacts, call logs, and text messages stored on the phone and sends them to a government server. It even searches the device for specific files, like documents referring to the Dalai Lama or songs about Taiwan’s independence. If the malware detects these files, it notifies the Chinese authorities. 

The US and Australia have also sought to weaken encryption, to the extent that has been possible under a democracy. Australia’s anti-encryption law(nouvelle fenêtre) lets the government force companies to infect their customers’ devices with malware designed to crack open private communications. And in the United States, Attorney General William Barr recently demanded(nouvelle fenêtre) companies create an encryption backdoor(nouvelle fenêtre). So far, however, there have been no concerted efforts to do so.

There is no such thing as a back door (or in this case, online surveillance tool) that can only be used by the good guys. The Shadow Brokers hack and the resulting WannaCry attack(nouvelle fenêtre) show what can happen when hackers get their hands on such tools. By forcing all Kazakh citizens to use the same certificate, the government is introducing a significant vulnerability. If hackers were able to get control of the certificate, they would have the same access to personal data as the government.

How to protect your data if you are in Kazakhstan

Once you install a compromised root certificate on your device, there is very little you can do to protect your data. Large organizations including Google, Microsoft, and Mozilla are debating whether they should block Kazakhstan’s malicious certificate(nouvelle fenêtre), but so far they have not taken action.

The good news is that prevention is possible. Kazakh citizens should not install the root certificate. The government has said the certificate is not mandatory, no matter how persistently the ISPs push their users to download it. Any Kazakh citizen that has already installed the certificate should remove it from their device. 

Below we have instructions that explain how to remove the Kazakhstan government certificate from Android, iOS, macOS, and Windows devices.

Note: Be careful. Removing root certificates can cause serious issues for your device. You should back up your data before doing so. Only remove the Qaznet Trust Network root certificate.

Mac

  1. Open Utilities (Shortcut: Shift + Command + U) 
  2. Double-click on KeyChain Access, select System Roots
  3. Find the Qaznet Trust Network root certificate and double-click on it. In the window that pops up, under “Trust,” select “When using this certificate” and choose “never trust.”

Windows

  1. Open the Microsoft Management Console by pressing Windows button + R and typing “MMC
  2. Click File, then Add/Remove Snap-In
  3. Click Certificates, then Add
  4. Click Computer Account, then select Local Computer. Click OK.
  5. Click the arrow next to Certificates (Local Computer) to show all certificates (if nothing is listed, your device does not have the certificate)
  6. Select the arrow beside the Qaznet Trust Network root certificate
  7. Now click the Certificates folder
  8. Find the Qaznet Trust Network certificate, right-click it, and select Properties
  9. Select Disable all purposes for this certificate, then click Apply
  10. Restart your device

Android

  1. Go to Settings
  2. Tap Security
  3. Tap Trusted Credentials
  4. Find the Qaznet Trust Network root certificate
  5. Slide the toggle switch over so that the certificate is disabled

iOS

  1. Go to Settings, then tap General
  2. Tap Profile (if there are no profiles, your device does not have the certificate)
  3. Select the Qaznet Trust Network Profile
  4. Tap Delete
  5. Enter your iOS passcode to confirm

How to prevent Internet censorship and surveillance

For those in Kazakhstan or anywhere subject to Internet censorship and surveillance, there are a few techniques you can use to try to bypass blocks and protect your data.

Use a VPN service like Proton VPN

A virtual private network (VPN) works by encrypting your Internet traffic between your device and the VPN server, which can be located in another country. Proton Mail provides a free VPN(nouvelle fenêtre) service that also shields DNS requests(nouvelle fenêtre). In this way, the government cannot block websites at the ISP or DNS level. Unfortunately, the VPN servers themselves can be blocked. If that happens, there are other options.

Use different DNS servers

The Domain Name System allows you to enter a domain like proton.me and reach a Proton Mail server. Governments can censor websites by blocking them on local DNS servers. If this happens, you can try using free alternative DNS servers(nouvelle fenêtre). Using any of those should allow the DNS block to be bypassed. Guides for setting a custom DNS for your operating system can be found below:

Windows(nouvelle fenêtre)   ||   MacOS(nouvelle fenêtre)   ||   Android(nouvelle fenêtre)   ||   iOS(nouvelle fenêtre)   ||   Linux(nouvelle fenêtre)

The Tor network

Tor(nouvelle fenêtre) is another tool that encrypts your Internet traffic, helps overcome censorship, and makes you harder to spy on. When connected to Tor using the Tor browser(nouvelle fenêtre) or Tails(nouvelle fenêtre), your Internet traffic bounces through a series of random servers around the world, concealing your original IP address and making you extremely hard to track. 

Service providers can also provide Tor hidden services(nouvelle fenêtre) that are harder to block. Proton Mail offers a Tor hidden service at protonirockerxow.onion. If Proton Mail is blocked, you can try accessing our onion site while connected to the Tor network. Proton VPN also offers one-click Tor over VPN(nouvelle fenêtre) access.

How to send encrypted email

End-to-end encryption(nouvelle fenêtre) is the best way to ensure no one but you and your recipient can read your emails. Proton Mail makes this simple by automatically encrypting and decrypting messages between Proton Mail users on their devices. This ensures that even if an attacker or government intercepts the message, they cannot decrypt it. Follow the link to create a free encrypted email account.

Privacy is crucial to the healthy functioning of any democracy. The ability to share ideas and form opinions away from prying eyes is critical to free discourse, which is why authoritarian governments are always so eager to expand the surveillance state. As more and more of society has transitioned online, these autocratic governments are now trying to break encryption so that they can monitor everything there as well. We remain committed to our mission of creating a more private and secure Internet. Thank you for supporting our movement.

Best Regards,
The Proton Mail Team

Articles similaires

The cover image for a Proton Pass blog comparing SAML and OAuth as protocols for business protection
en
SAML and OAuth help your workers access your network securely, but what's the difference? Here's what you need to know.
Proton Lifetime Fundraiser 7th edition
en
Learn how to join our 2024 Lifetime Account Charity Fundraiser, your chance to win our most exclusive plan and fight for a better internet.
The cover image for a Proton Pass blog about zero trust security showing a dial marked 'zero trust' turned all the way to the right
en
Cybersecurity for businesses is harder than ever: find out how zero trust security can prevent data breaches within your business.
How to protect your inbox from an email extractor
en
Learn how an email extractor works, why your email address is valuable, how to protect your inbox, and what to do if your email address is exposed.
How to whitelist an email address and keep important messages in your inbox
en
Find out what email whitelisting is, why it’s useful, how to whitelist email addresses on different platforms, and how Proton Mail can help.
The cover image for Proton blog about cyberthreats businesses will face in 2025, showing a webpage, a mask, and an error message hanging on a fishing hook
en
Thousands of businesses of all sizes were impacted by cybercrime in 2024. Here are the top cybersecurity threats we expect companies to face in 2025—and how Proton Pass can protect your business.