Hello,
Today, in collaboration with Eurasian Digital Foundation and Internet Freedom Kazakhstan (IFKZ), OONI co-published a *new research report documenting TLS MITM attacks and the blocking of news media, human rights, and circumvention tool sites in Kazakhstan*.
Read our report in:
* *English*: https://ooni.org/post/2024-kazakhstan-report/
* *Russian*: https://ooni.org/ru/post/2024-kazakhstan-report/
Our report shares censorship findings based on the analysis of OONI data collected from Kazakhstan over the past year, as well as legal analysis and interviews with a few media representatives.
Our analysis of OONI data from Kazakhstan reveals:
* *TLS Man-In-The-Middle (MITM) attacks*
* *Blocking of at least 17 news media websites*
* *Blocking of petition sites and of the Russian language edition of Amnesty International's website*
* *Blocking of at least 73 circumvention tool websites*
The blocked news media websites include:
* Many Russian news media websites (such as the Russian TV Channel Tsargrad, Sputnik and Pogrom, the 360 Russian satellite TV channel, and the Ferghana Information Agency);
* A few Kyrgyz news media websites (Kloop and Centralasia.media);
* One international news website (Vice News).
OONI data shows the targeted blocking of amnesty.org.ru, www.change.org, www.ipetitions.com, and egov.press. Meanwhile, Amnesty International’s English language website was accessible in Kazakhstan, as were many other international human rights websites (such as Human Rights Watch).
OONI data also shows the blocking of numerous censorship circumvention tool websites, including those of NordVPN, ExpressVPN, ProtonVPN, OpenVPN, TunnelBear, and Surfshark VPN. However, OONI data suggests that both Tor and Psiphon VPN were reachable in Kazakhstan during the analysis period.
In almost all cases, the blocks appear to be implemented by means of *TLS interference*, as OONI data shows that the TLS handshakes result in timeout errors after the Client Hello message. This is observed uniformly on all tested networks in Kazakhstan during the analysis period.
Notably, we documented the *use of the latest government-mandated root certificate authority (CA) – and its use to emit 6 distinct intermediate certificates – that were used to carry out TLS MITM attacks, targeting at least 14 domains on at least 19 networks in Kazakhstan*. We found that these intermediate certificates were even being used to perform MITM attacks during periods of certificate invalidity.
Overall, as the timing and types of blocked URLs are consistent across networks, ISPs in Kazakhstan likely implement blocks in a coordinated manner. Coordination among ISPs is further suggested by the fact that we found the same certificate used by 19 distinct ISPs to implement TLS MITM attacks. These TLS MITM attacks raise concerns because such practices weaken the online privacy and security of internet users in Kazakhstan.
Learn more through our report: https://ooni.org/post/2024-kazakhstan-report/
We also summarize some of the findings in these social media threads: https://x.com/OpenObservatory/status/1836831876524527853, https://mastodon.social/@ooni/113166013137593960
We thank OONI Probe users in Kazakhstan for contributing measurements, supporting this study.
~ OONI team.
ooni-talk@lists.torproject.org