Government has self-signed root certificate that can intercept, decrypt and read HTTPS-encrypted traffic

HTTPS secure data can be intercepted, decrypted, and read? Pic credit: Pete Linforth/Pixabay

Google, Mozilla, Apple, and Microsoft, the most influential tech giants, have united to put an end to a rather disturbing capability. Apparently, Kazakhstan’s government has developed a “Root Certificate” that can intercept, decrypt, and read HTTPS-encrypted traffic.

All the major web browser makers have united to stop the use of a powerful tool. The tool, in the form of a Root Certificate, potentially gives Governments the ability to spy on their citizens despite default internet safety and security measures.

HTTPS traffic intercepted, decrypted, and read by a Root Certificate capability:

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network. Essentially, any internet user visiting any website with the HTTPS prefix instead of the archaic HTTP one is protected.

However, Kazakhstan’s government has developed or gained access to a powerful Root Certificate. It essentially allows the government’s chosen IT department to decrypt and read HTTPS-encrypted traffic sent between its citizens and overseas social media sites.

The government has claimed it was using the certificate to conduct a cybersecurity training exercise. However, the explanation does not make any sense. Certificates cannot prevent any cyber-attacks.

In fact, Root Certificates exist to encrypt and safeguard traffic from third-party observers. Their purpose is to obscure information by encoding it. The HTTPS protocol evolved to address the potential exploitation of information during transit between the website and the user.

As the HTTP protocol didn’t have encryption, it was easy to eavesdrop on. Hence websites around the world have rapidly adopted the HTTPS protocol. Needless to add, websites of Google, Facebook, Twitter, Instagram, Netflix, and millions more have the HTTPS prefix.

Top web companies oppose the Kazakhstan government’s actions:

A thread on Mozilla’s bug-reporting site first spotted and reported the method earlier this month. The Censored Planet website later reported that the certificate worked against dozens of Web services that mostly belonged to Google, Facebook, and Twitter.

What this essentially means is that Kazakhstan can potentially monitor and record the data of any citizen using the Root Certificate. Websites could encrypt the information, but the government had access to the decryption tools.

It is not clear how Kazakhstan’s government got hold of such a certificate. However, the self-signed certificate caused traffic sent to and from select websites to be encrypted with a key controlled by the government.

Under industry standards, HTTPS keys are supposed to be private and under the control only of the site operator. But, instead of sending traffic that could only be decrypted by the website and the individual end-user, the Kazakhstan government could also use it to decrypt the data in transit.

It is important to note that Kazakhstan’s government may have used coercion techniques to install the Root Certificate on the citizens’ computers. The certificate is currently installed on computers that operate in Kazakhstan’s capital city of Nur-Sultan. Citizens residing in the capital city were unable to access several foreign websites if they did not have the certificate installed on their devices.

The top browser companies, which include Apple, Google, Microsoft, and Mozilla, have now blocked the certificate in their respective software. However, the mere ability to intercept and decrypt HTTPS traffic is surely concerning.
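A defender's view of the situation described above, as an added example that is not part of the original article: auditing a device's root store for certificates that are outside the vendor baseline or on a block list. The certificate bytes, the baseline and the block list are constructed placeholders rather than real certificates, and all function names are hypothetical.

```python
import base64
import hashlib
import re

# Matches every certificate block in a PEM bundle (a root store export).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)

def sha256_hex(der):
    """SHA-256 fingerprint of a certificate's DER bytes, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def fingerprints(pem_bundle):
    """Fingerprint every certificate found in a PEM bundle, in order."""
    found = []
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))  # drop line breaks
        found.append(sha256_hex(der))
    return found

def audit_store(pem_bundle, baseline, blocked):
    """Classify each root as 'blocked', 'baseline' or 'unexpected'."""
    report = {}
    for fp in fingerprints(pem_bundle):
        if fp in blocked:            # block list wins over everything else
            report[fp] = "blocked"
        elif fp in baseline:         # shipped with the OS or browser
            report[fp] = "baseline"
        else:                        # added later: needs a human look
            report[fp] = "unexpected"
    return report

def pem(der):
    """Wrap DER bytes in PEM armour (used here only to build sample input)."""
    b64 = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

# Constructed placeholder bytes standing in for real DER certificates.
VENDOR_ROOT = b"constructed placeholder: vendor-shipped root"
INJECTED_ROOT = b"constructed placeholder: user-installed interception root"
OTHER_ROOT = b"constructed placeholder: locally added root"

BASELINE = {sha256_hex(VENDOR_ROOT)}   # assumed vendor baseline
BLOCKED = {sha256_hex(INJECTED_ROOT)}  # assumed block list
STORE = pem(VENDOR_ROOT) + pem(INJECTED_ROOT) + pem(OTHER_ROOT)

if __name__ == "__main__":
    for fp, status in audit_store(STORE, BASELINE, BLOCKED).items():
        print(status.ljust(10), fp)
```

Against a real store, the bundle would be the exported PEM file and the baseline would come from the operating system or browser vendor's published root list.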
