What happened with Kazakhstan's Root CA MITM policy?

(edit) A third round...

The Kazakh government made a third attempt at intercepting SSL traffic in December 2020. Again the primary target domains were large foreign tech sites such as Google, Twitter, Facebook, Instagram, and Netflix. Many citizens were notified by ISPs via SMS of the demand to install a new root certificate and traffic to some sites was blocked beginning December 6th unless routed though the man-in-the-middle attacked government endpoint.

Officials gave the excuse that during the COVID-19 pandemic cyberattacks targetting "Kazakhstan's segment of the internet" grew 2.7×. On December 7th browser manufactures again announced they would blacklist such certificates.

(edit) Update...

The state sponsored MITM attack described in the answer below was dropped on August 7th, 2019 (approximately 3 weeks after being started). During that time several hundred sites, largely email, communication, and social media sites were intercepted. The government of Kazakhstan officially stated that their "test was completed" and "was a success" and noted that citizens could uninstall the offending root certificate.

As of later August major browser vendors including Mozilla's Firefox, Google's Chrome, and Apple's Safari all added the certificate to a hard coded internal black list so that it would not function even in the event some people leave it "installed" on their local machines.

Original Answer...

As the previous answer suggests, the 2015/2016 attempt at this stunt got so much backlash they basically backed away from it and it sat for a while. The original January 1st 2016 deadline came and went with no real enforcement. Their request that Mozilla trusts their root certificate was declined. The MITM attempts still cropped up in individual cases of sites put under surveillance, but nothing widespread.

Until July 2019! Apparently, they never let go of the idea itself, the project was resurrected, and in the last few days enforcing started en masse through many ISPs (first implementation seen on July 17th, 2019). See this Mozilla bug report for technical details, Hacker News for discussion, or this ZDNet article for the news take.

Here is KCELL's (a major telecom company in KZ) information page in English that is a sample of what locals are being prompted to do when trying to access sites that have been MITM'ed.

Pursuant to the Law of the Republic of Kazakhstan On Communications and clause 11 of Rules for Issuing and Applying Security Certificates, Kcell JSC informs its customers of the need to install Security Certificate on devices capable of connecting to the Internet. According to law, telecom network operators are to ensure that customers with whom the operators have service contracts are able to install the security certificate on their mobile devices.

We draw your attention to the fact that installation of the security certificate must be done on each device that will be used to access the Internet (iOS/Android mobile phones and tablets, Windows/MacOS personal computers and laptops).

Customers failing to install Security Certificate on their mobile devices may face technical limitations when accessing certain websites.

Is spite of reports that it would be mandated first only in the capital (Nur-Sultan, formerly Astana) the enforcement seems to be rolling out on a per ISP basis, and has started impacting other cities as well. Bulk SMS messages have gone out (mostly to Nur-Sultan area subscribers) with instructions on how to add the government root cert to many cell phone OSes.

The certificate they are demanding everybody install is identified as Qaznet Trust and distributed through qca.kz. While the demand that all HTTPS traffic be intercepted is a governmental one and the root CA certificate in question is a Kazakhstan government-controlled one, it should be noted that the actual interception is being implemented by ISPs. Technical details of this are still not clear, but this likely means that each and every government authorized ISP will be able to intercept data from all website traffic.

Tags:

Certificate Authority

Man In The Middle

Certificates

Tls

Related

Is it common to allow local desktop and/or active directory admin access and rights for developers in organizations? Should I encrypt my entire hard drive, or only a partition? Microsoft said UAC is not a security barrier. But in what cases? Recent ESLint hack or how can we protect ourselves from installing malicious npm packages? Why can a man-in-the-middle attack not happen with RSA? Sealed Room Security - Possibility of writing assembled binary code What legitimate uses do browser proxies have? I feel like it's impossible to learn reverse engineering How to check if a Wi-Fi network is safe to connect to? Is it safe to store APK signing passwords in private git repository? How to verify the checksum of a downloaded file (pgp, sha, etc.)? Is a redirect showing the password in plain text a security vulnerability?

Recent Posts