Russia has established a local trusted TLS certificate authority (CA) to help Russian sites renew their TLS certificates and continue serving their visitors.
Russian-based websites were paying international CAs to renew their TLS certificates prior to the invasion of Ukraine. However, since the occupation also resulted in severe sanctions, signatories in these Western countries can no longer accept payments and therefore certificates cannot be renewed.
If a website certificate has expired, the browser displays a message stating that the page the user wants to visit is not secure. To work around this issue, the Russian authorities created a local CA.
An approximate translation of the announcement published on the Russian public services portal Gosuslugi, “If canceled or expired, it will replace the foreign security certificate. The Ministry of Digital Development will provide a free domestic system. Legal entities – site owners 5 jobs on demand Service is provided during the day.
All this is not as easy as it seems. A CA needs to be trusted by web crawlers and, as BleepingComputer puts it, audited by “various companies” to get there. This trust, predictably, cannot be earned overnight.
Currently, only two browsers accept the new CA as trusted: Yandex and Atom. The first of these is based in Russia, and the second is open source. It is stated that so far Sberbank, VTB and the Central Bank of Russia have received these new certificates.
Going forward, new TLS certificates have been reported for around 200 domains, but as these are not mandated, it’s impossible to say how long it will take companies to adopt them or how many will start.
The sanctions that came as a result of Russia’s invasion of Ukraine are damaging the country’s economy. Many services such as PayPal, Visa, Mastercard and even SWIFT are not available in the country, while most Western retailers such as Microsoft, Apple, Google, McDonalds, Coca-Cola and others have withdrawn from the country.
For experts at cybersecurity firm Venafi, the establishment of the new Russian CA could give the Russian government the power to spy on its citizens and deceive any Western internet service. Venafi openly cites that he sees CA as “a clear blow to online privacy and freedom” and is likely to be a disastrous point of failure for Russian organizations.
Venafi Chief Security Strategist Kevin Bocek says: “All this should come as no surprise. Against an open Internet, the conflict is escalating further and control over citizens is expanded. Russia is also keeping itself outside of the global economy and present and future Russian lowers its citizens’ hopes for economic growth.” “This new CA will certainly be the primary target of Anonymous and other groups that are currently carrying out cyberattacks against Russian organizations,” says Fikir Selva, Venafi Security Engineer
. “Unlike the rest of the world, it has both government and Private sector Russian sites and infrastructure also do not have CAs, so if this site is down or compromised, every website connected to it will be disconnected from the internet until a new CA is created and new certificates are issued.”
29466
