Russia creates its own TLS certificate authority to bypass sanctions


Russia has formed a domestic trusted TLS certificate authority (CA) to help Russian sites renew their TLS certificates and continue providing services to their visitors.

Before its invasion of Ukraine, websites based in Russia would pay international CAs for the renewal of their TLS certificates. However, because of the heavy sanctions that followed the invasion, signing authorities in Western countries can no longer accept the payments and therefore cannot renew the certificates.

If a website’s certificate has expired, the browser will display a message that the page the user wants to visit is insecure. To work around this problem, Russian authorities have come up with a domestic CA.

Two browsers recognize the new CA

“It will replace the foreign security certificate if it is revoked or expires,” a rough translation of the announcement published on the Russian public services portal, Gosuslugi, reads. “The Ministry of Digital Development will provide a free domestic analog. The service is provided to legal entities – site owners upon request within 5 working days.”

All of this is not as easy as it sounds. A CA needs to be trusted by web browsers, and to get there, it needs to be vetted by “various companies”, as BleepingComputer puts it. That, it seems, can’t happen overnight.

As things stand now, only two browsers recognize the new CA as trustworthy: Yandex and Atom. The former is Russia-based, while the latter is open-source. So far, Sberbank, VTB, and the Russian Central Bank have received these new certificates, the publication states.

Some 200 domains have been notified of the new TLS certificates, but as the certificates have not been made mandatory, there’s no telling how long it will take for the companies to adopt them, or how many will do so to begin with.

The sanctions that came as the result of Russia’s invasion of Ukraine are taking their toll on the invader’s economy. Many services, such as PayPal, Visa, Mastercard, or even SWIFT, are unavailable in the country, while most of the Western retailers, such as Microsoft, Apple, Google, McDonalds, Coca-Cola, and many, many others, have pulled out.

For experts at cybersecurity firm Venafi, the establishment of the new Russian CA could also create the possibility of a catastrophic single point of failure for Russian entities. They see the CA as a “clear strike at privacy and freedom online”, as it gives the Russian government the power to spy on its citizens and spoof any Western internet services.

“All of this should come as no surprise,” says Kevin Bocek, Chief Security Strategist for Venafi. 

“It is further escalation in conflict against an open Internet and an expansion of control over citizens. Russia is also locking itself out of the global economy and dimming the hopes of economic growth for current and future generations of Russian citizens.”

“It’s safe to assume that this new CA will be a primary target of Anonymous and other groups that are currently waging cyberattacks against Russian entities,” adds Pratik Selva, Security Engineer at Venafi. “Unlike the rest of the world, both government and private-sector Russian sites and infrastructure don’t have a CAs, so if this one goes down or is compromised, every website connected to it will be disconnected from the internet until a new CA is created and new certificates can be issued.”

Via: BleepingComputer

Sead Fadilpašić
