country wide, this is a loud call for a cloud, distributed proxy provider with a better track record than the telco, to offer Tor-like tunnels to at least exit the MITM zone.
The DDoS was achieved by altering the contents of one of the scripts on a large Chinese site (was it Baidu? Google it). Once every user on that site loaded the tampered script, it made sure to send many requests to GitHub.
Sadly, they (Baidu) are not, which is why the script content was easily modified.
To clear it up, I said that GFW "can" do (but has not yet done) these. But it tried to MITM some HTTPS traffic earlier with a non-trusted certificate as an experiment.
How would the telco get their Private Trust Anchor into the certificate store? More social engineering, I suppose. At the app level though, a chain resolution like what you describe is not required.
They will be telling citizens to install a "national security certificate". After they implement this, you won't be able to access the internet without it.
They COULD do that but they almost certainly aren't doing that. That's a tedious task that requires a lot of time and technically competent employees.
Also, we are talking about apps implementing certificate pinning, not reading from the OS store etc., and therefore I don't see Kazakhstan reverse engineering and patching executables.