In Kazakhstan, a number of large providers have begun intercepting HTTPS traffic

In accordance with amendments to the law "On Communications" that have been in force in Kazakhstan since 2016, many Kazakh providers, including Kcell, Beeline, Tele2 and Altel, have today put into operation systems for intercepting customers' HTTPS traffic by substituting the certificate originally presented by the site. The interception system was initially planned for 2016, but its rollout was repeatedly postponed and the law had come to be regarded as a formality. The interception is presented as a concern for users' safety and a desire to protect them from dangerous content.

To suppress the browser warnings about an invalid certificate, users are instructed to install a "national security certificate" on their systems; it is used when relaying encrypted traffic to foreign sites (for example, substitution of traffic to Facebook has already been observed).

When a TLS connection is established, the target site's real certificate is replaced with a new certificate generated on the fly. The browser will treat it as valid if the user has added the "national security certificate" to the root certificate store, because the forged certificate is linked by a chain of trust to that root. The substitution is visible to anyone who inspects the presented chain: the issuer of the leaf certificate is the interception root rather than a publicly trusted CA, and the chain fails validation on any system where that root has not been installed.

In effect, the protection that HTTPS provides has been completely compromised in Kazakhstan: from the standpoint of the special services' ability to monitor and modify traffic, HTTPS requests are now little different from HTTP. Abuse in such a scheme cannot be controlled, including the case where the private keys associated with the "national security certificate" end up in other hands as a result of a leak.

Browser developers are considering a proposal to add the root certificate used for interception to the certificate revocation list (OneCRL), as Mozilla recently did with the DarkMatter certification authority's certificates. The point of such a move is not entirely clear (in past discussions it was considered useless), since the "national security certificate" is not covered by any trust chain to begin with, and browsers already display a warning unless the user installs it. On the other hand, a lack of response from browser vendors could encourage the introduction of similar systems in other countries. As an alternative, a new indicator for locally installed certificates caught performing MITM attacks has also been proposed.

Source: opennet.ru
