Originally published in 2015
Government eyes on encrypted info
“Once users install the certificate, its issuer—the state-owned Internet service provider—will have access to all their HTTPS-encrypted Internet traffic. From that vantage point, the government can read users’ requests, log them, and even edit the outgoing and incoming data—all without the users’ knowledge,” reported Defense One.
Cybersecurity experts say the plan, starting January 1, would do more than allow surveillance of citizens and censorship of information. It could also compromise safety for the people and the government.
“Kazakhstan’s new encryption law will run the risk of eliminating secure communication for an entire country and could drive up the cost of reliable surveillance and security,” said Daniel Lance, with Archer Security Group.
The plan could open up multiple ways for attackers to view encrypted data and inflict damage.
“The first issue they will have is verifying the client,” said Lance. “That means, how do they know I truly am who I say I am in the first place? This has long been an issue for certificate authorities.”
Lance said once attackers get in, they will not spare heads of state.
“Mark my words, it will happen,” said Lance. “If you open up the attack surface to the client, it becomes easy for political leaders to have their phone OS [operating system] broken into and keys stolen. Keys are only as secure as the barriers to entry on the container storing them.”
Attackers might try to take the certificate authority hostage, Lance added.
“Hacker groups like Anonymous could issue very unsophisticated attacks with modified versions of the DOSing architecture they’ve used in the past when they’ve opposed political issues,” he said.