Edit for replies to this message: I accept the distinction being made, but that doesn't mean I'm more happy about one thing than the other. Both suck.
The websites themselves tracking you… well, whatever, visit better websites, block third-party trackers (Firefox actually does that out of the box), use Tor Browser.
(Also, the tracking is not exclusive to the "developed world" lol)
A thing affects an enormous percentage of the world population. A shrug is performed.
When Google tracks me when I'm in India, it is not for finding out if I am against my PM and a threat to the party and if they want to silence me.
I'd much rather be tracked online and have my bank details safe than the other way around.
Who are you quoting?
Browsers and OS vendors must provide clear explanations when adding a third-party certificate. For example, Android shows a notification that traffic can be intercepted and allows users to disable third-party root certificates.
All this news about Kazakhstan just feels like a farce. Go ahead and do the same against China.
(Speaking of China, Google did remove a Chinese CA after it was used for MiTM https://security.googleblog.com/2015/03/maintaining-digital-...)
It turns out that humans are strongly disinclined to accept failure. Once they have set upon a course of action they'll see it through despite almost any cost; they are focused on achieving their goal. This is related to the sunk cost fallacy. For interception MITM attacks this means the attack will very likely work _unless_ we just treat it as a failed connection.
If you interrupt a human trying to do something with "The government of Kazakhstan wants to intercept your connection and arbitrarily change everything. OK?" the human doesn't even read as far as "Kazakhstan" before they push OK. "OK already computer, stop bothering me". So there's no point offering failure as an option; users will pick "OK" anyway.
Instead the correct solution is for the browser to just treat interception as failure as a matter of policy. Users aren't surprised if you do this; now the browser just can't connect when there's a problem, which is already how they understood things. And because they can't just press "OK" they are freed from their plan: it has failed, and now they can re-evaluate.
It also has a GDP per capita on par with Turkey and China, just below Russia. So it's simultaneously not about conveniently picking on a super impoverished nation either.
Bypassing blocking is dependent on how the blocking is being done.
Anyway, browsers are trying. DoH, for example, will work around DNS-based blocking (as long as CAs can be trusted).