
Kazakhstan government is now intercepting all HTTPS traffic


Welp. Not good for people from Kazakhstan.

Local internet service providers (ISPs) have been instructed by the local government to force their respective users into installing a government-issued certificate on all devices, and in every browser.

The certificate, once installed, will allow local government agencies to decrypt users’ HTTPS traffic, look at its content, encrypt it again with their certificate, and send it to its destination.



That is terrible. But, I am surprised Kazakhstan is that capable. Didn’t realize they had such a robust cyber intelligence network.

1 Like


I would imagine it’s actually as simple as forcing all ISPs to enforce this. All traffic to their servers is checked for the signature of the certificate. If it isn’t what they expect -> redirect to instructions website and which customer it was. To keep track of how many have done it. And how many haven’t.



Maybe they have silent help from more capable governments who are just using Kazakhstan as a practice run before doing the same in their own country. :slight_smile:



Well, they are close with Russia.



I mean, it’s really not that complex, what they’re doing. They’re just installing a proxy. I don’t know what sort of analytics, if any, they’re doing at the moment, but just because you’re proxying the data doesn’t mean you’re actually looking (yet).

1 Like


This is obviously intelligence gathering as a prelude to alien invasion, and you’re just trying to throw this thread off the scent because you are clearly part of the cover up.



this is why we need to build our own internet w/o governments invited.



Unfortunately, it was the governments from the onset.

1 Like


The tougher the border the more corrupt it will be. This applies to both Smuggling and IT infrastructure.

It is not surprising to see, since governments have been snooping HTTP since the start. The aggressive move to HTTPS by Mozilla and Chrome is just making it impossible for BFUs; then governments and companies have to respond. Corporate environment did it years ago.



1 Like


so what is the workaround? can we use a vpn? and come out where the traffic isn’t tracked? or do we need a whole new protocol that will prevent this?



The workaround is to not accept the CA, then the HTTPS certificates will be as trustworthy as they are in other countries. It is possible to accept the certificate in one browser and not the other.
If you end up without access, then you need to establish connection without HTTPS and authorize the server in a different way.

VPN does not solve the problem, it just pushes the solution on the provider of the VPN. VPN is not a security tool, it is a privacy tool. Meaning it is quite possible that connecting outside of Kazakhstan will still block all Kazakh webpages for you. But you might be able to authenticate global projects.

There could be proxy projects to authenticate content for you.
EDIT: As for tracking - HTTPS does not prevent tracking you. It prevents snooping and spoofing. Something much worse than tracking.

1 Like


Will this keep the government happy?



guess it’s back to the slow af high latency methods then



They MITM all traffic, you can’t accept HTTPS certificates that aren’t the country’s CA as they never reach you.

The option is to accept their CA and view HTTPS web pages, or be denied access.

A VPN in this case would likely be the solution considering their implementation of this attack as you can then connect outside the country via a method not using port 443 or TLS, then connect to www pages as normal.
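A way to check for the certificate substitution discussed in this thread, added here as an example and not written by any poster: compare the leaf certificate a network serves for each host with fingerprints collected out-of-band from an uninspected path. The host names, sample bytes, and the all-hosts-mismatch heuristic are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the leaf certificate this network presents, without validating it.
    Validation is off on purpose so an untrusted issuer can still be observed;
    never send application data over this socket."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def compare(observed: dict, reference: dict) -> dict:
    """observed: host -> DER bytes seen locally.
    reference: host -> set of fingerprints gathered out-of-band."""
    verdicts = {}
    for host, der in observed.items():
        known = reference.get(host)
        if not known:
            verdicts[host] = "no-reference"
        else:
            verdicts[host] = "match" if fingerprint(der) in known else "mismatch"
    return verdicts

def assess(verdicts: dict) -> str:
    """Assumed heuristic: a proxy re-signing all traffic changes every leaf,
    while ordinary CDN certificate rotation changes only some of them."""
    checked = [v for v in verdicts.values() if v != "no-reference"]
    if not checked:
        return "unknown"
    mismatches = checked.count("mismatch")
    if mismatches == 0:
        return "consistent"
    return "likely-intercepted" if mismatches == len(checked) else "inconclusive"

# Constructed placeholder bytes standing in for DER certificates (not real certs).
ORIGIN = {"a.example": b"origin-cert-a", "b.example": b"origin-cert-b"}
PROXY = {"a.example": b"resigned-cert-a", "b.example": b"resigned-cert-b"}
REFERENCE = {host: {fingerprint(der)} for host, der in ORIGIN.items()}

if __name__ == "__main__":
    print(assess(compare(PROXY, REFERENCE)))
```

On a live network, build `observed` with `fetch_leaf_der()` for a handful of hosts; a single mismatch is not conclusive because large sites serve several valid certificates.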



would ISPs* like Starlink and Iridium be a possible method to also reach out? and not have to deal with this? other than requiring a dish which might be banned.



Yes, VPN is the only solution.




If an ISP serves customers in Kazakhstan, Kazakhstan is surely going to require that ISP to abide by its laws and if the ISP doesn’t then Kazakhstan will just apply their applicable penalty. Which would probably be “inconvenient” for any of the ISP’s local personnel or assets. Admittedly given the constellatory nature of Starlink’s infrastructure, that probably isn’t much.

But State law does outline the procedure for enforcement of foreign judgments. The largest two factors are did the foreign court validly assert jurisdiction and would enforcement of the foreign judgment violate some local public policy. The answers to which, in my opinion are, yes Kazakhstan can of course assert jurisdiction over a company doing business within its country, and probably not.



now i can see this as a power move of companies to not care about local standards because of the nature of orbital based internet.

i can see this highly debated in the future of when a country ends vertically because the infinite reach that is labeled now will quickly be brought into question

i dunno how this will play out or if it will be swept under the rug and forgotten