How to stop the Kazakhstan government from intercepting your internet traffic


Hi, I'm Lexie! I write about information security, Bitcoin, and privacy.

The Kazakhstan flag, except with a padlock where the sun should be.

Update: The Kazakh government has halted its CA plans for now. If you previously installed the certificate, make sure it has been thoroughly removed from your system, and let us know if you encounter difficulties in the future.

As of this month, internet users in Kazakhstan have been seeing notices to download a government “certificate” to their computers when trying to access HTTPS-encrypted websites.

This certificate, also called a CA because it’s issued by a certificate authority, allows the government to carry out a man-in-the-middle attack on your connection and read all information that passes through it, including passwords, personal messages, and credit card information. It would also allow the government to alter the contents of any site, including any cryptographic keys, Bitcoin addresses, or private secrets.

However, such an attack is easily discovered by your browser, and you will see a “site not secure” warning. To get rid of this warning, Kazakhstan has been forcing its ISPs to prompt users to download and manually install the government’s CA.

This CA, once installed, will trick the browser into thinking the “fake” certificate presented by the “fake” site is legitimate. The green lock will even appear in your browser window.

A screenshot of the Kazakhstan government CA.

How to stay private if you’re in Kazakhstan

  1. Do not install the government’s CA
  2. Use a VPN to connect to the internet

A VPN will disguise your physical location, so you will not be prompted to install the CA certificate. ExpressVPN’s Kazakhstan location is safe (and recommended if you want to obtain a Kazakh IP), as the server is not physically located in Kazakhstan.

If you have already installed the certificate, follow the steps below to remove it.

How to remove the Kazakhstan government CA certificate

macOS

  1. Use Spotlight to open Keychain Access
  2. In the sidebar click on System Roots
  3. In the search bar at the top-right, enter < name of CA >
  4. Right-click on the entry and select Delete < ca-name-here >
  5. Enter your password to confirm
  6. Confirm the deletion in the subsequent dialog

Windows

  1. Press the Windows or Start button, then type MMC
  2. Allow the app to make changes
  3. Click File, then Add/Remove Snap-In
  4. Click Certificates, then Add
  5. Select Computer Account, then Local Computer
  6. Click the arrow next to Certificates (Local Computer) to show all certificates (if nothing is listed, your device does not have the certificate)
  7. Select the arrow beside the government root certificate
  8. Now click the Certificates folder
  9. Find the government certificate, right-click it and select Properties
  10. Select Disable all purposes for this certificate, then click Apply
  11. Restart your machine

Android

  1. Go to Settings, then Security
  2. Tap Trusted Credentials
  3. Find the government root certificate
  4. Tap Disable

iOS

  1. Go to Settings, then General
  2. Select Profile (if there are no profiles, your device does not have the certificate)
  3. Select the government Profile
  4. Tap Delete
  5. Enter your password to confirm
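
To confirm the certificate is gone after following the removal steps, you can search the trust store by name from a script. The code below is an added example, not part of the original article; `CA_NAME`, `find_trusted_cas` and the sample entries are placeholders constructed for illustration, since the article does not name the certificate.

```python
import ssl

# Placeholder: the article does not name the certificate. Use the name shown
# in the install prompt or in your OS certificate manager.
CA_NAME = "<name of CA>"


def find_trusted_cas(ca_certs, needle):
    """Return trust-store entries whose subject or issuer contains needle."""
    needle = needle.casefold()
    hits = []
    for cert in ca_certs:
        subject, issuer = cert.get("subject", ()), cert.get("issuer", ())
        # ssl encodes a name as a tuple of RDNs, each a tuple of (field, value).
        values = [v for name in (subject, issuer) for rdn in name for _, v in rdn]
        if needle in " ".join(values).casefold():
            fields = dict(pair for rdn in subject for pair in rdn)
            hits.append({
                "subject": fields.get("commonName") or fields.get("organizationName", "?"),
                "self_signed": subject == issuer,  # a root CA is its own issuer
                "not_after": cert.get("notAfter"),
                "serial": cert.get("serialNumber"),
            })
    return hits


# Constructed sample entries in the shape ssl.SSLContext.get_ca_certs() returns.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Global Root"),)),
     "issuer": ((("organizationName", "Example Trust Services"),),
                (("commonName", "Example Global Root"),)),
     "notAfter": "Jan  1 00:00:00 2040 GMT", "serialNumber": "01"},
    {"subject": ((("countryName", "XX"),),
                 (("commonName", "Constructed Interception Root"),)),
     "issuer": ((("countryName", "XX"),),
                (("commonName", "Constructed Interception Root"),)),
     "notAfter": "Jan  1 00:00:00 2046 GMT", "serialNumber": "0A"},
]

if __name__ == "__main__":
    # On Windows this is the system ROOT/CA store; elsewhere it is the OpenSSL
    # CA file Python uses, which can differ from the OS keychain or browser.
    store = ssl.create_default_context().get_ca_certs()
    hits = find_trusted_cas(store, CA_NAME)
    for hit in hits:
        print("STILL TRUSTED:", hit)
    print(f"{len(store)} CAs checked, {len(hits)} match(es) for {CA_NAME!r}")
```

A clean result only covers the store Python reads; the macOS keychain and browsers that keep their own certificate list should still be checked in their own certificate managers.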