Russia Issues Its Own TLS Certs

The country’s citizens are being blocked from the internet because foreign certificate authorities can’t accept payments due to Ukraine-related sanctions, so it created its own CA.

Russia is offering its own trusted Transport Layer Security (TLS) certificate authority (CA) to replace certificates that need to be renewed by foreign countries. As it is, a pile of sanctions imposed in the wake of Russia’s invasion of Ukraine is gumming up its citizens’ access to websites.

Russian sites are stuck, unable to renew their certs because sanctions leave signing authorities in many countries unable to accept payments from Russia, according to BleepingComputer.

TLS – more commonly known as SSL, or TLS/SSL – is a cryptographic protocol that secures the internet by encrypting data sent between your browser, the websites you visit and the website’s server. The certificates keep data transmission private and prevent modification, loss or theft, as DigiCert explains.

How TLS certificates work. Source: DigiCert.

According to a notice on Russia’s public service portal, Gosuslugi, as shown in a translated version in this article’s featured art, the certificates will replace foreign security certs if they expire or get yanked by foreign CAs. According to the portal, the service is available to all legal entities operating in Russia, with the certificates delivered to site owners upon request within five working days.


The ‘Digital Iron Curtain’

Over the past two weeks, Russia’s internet services have been cut off by multiple major U.S. internet suppliers, including Cogent Communications, reportedly the second-largest internet carrier servicing Russia. Lumen, another major U.S. internet supplier, followed suit on Tuesday, pushing the country’s citizens behind what some analysts are calling “a new digital Iron Curtain.”

Mikhail Klimarev, executive director of the Internet Protection Society, which advocates for digital freedoms in Russia, told The Washington Post that he’s “very afraid of this.”

“I would like to convey to people all over the world that if you turn off the Internet in Russia, then this means cutting off 140 million people from at least some truthful information. As long as the Internet exists, people can find out the truth. There will be no Internet — all people in Russia will only listen to propaganda.”

Chrome, Firefox, Edge Won’t Swallow the New Certs

BleepingComputer reported on Thursday that the only web browsers that were recognizing the new CA as trustworthy at the time were the Russia-based Yandex browser and Atom products: Russian users’ only alternative to browsers such as Chrome, Firefox, Edge and others.

Somebody with a Mozilla domain email on Thursday started a thread to discuss examination of the new root Russia cert, pointing to the possibility of the Russian government using it to start man-in-the-middle (MitM) attacks – though, they said, none had been detected as of yesterday.

“Although at present there’s no MitM, it’s likely that government websites will start using this and once adoption is high enough Russia will perhaps start MitM,” they said. They cited an ISP who said that it had been told that the new cert was mandatory, making the certificate “worth urgent consideration.”
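An added example (not from the article or from any project it mentions): a Python check that lists self-issued roots in a trust store by subject country or organization, the kind of audit an administrator would run to confirm whether a particular national root has been installed on a machine. The `XX` country code, the `Example ...` names and the sample store are constructed placeholders.

```python
import ssl

def flatten(name):
    """Collapse ssl's nested RDN tuples into a flat {attribute: value} dict."""
    return {key: value for rdn in name for key, value in rdn}

def find_roots(ca_certs, country=None, org_substring=None):
    """Return self-issued CA entries whose subject matches the filters.

    ca_certs: list of dicts shaped like ssl.SSLContext.get_ca_certs() output.
    """
    hits = []
    for cert in ca_certs:
        subject = flatten(cert.get("subject", ()))
        if subject != flatten(cert.get("issuer", ())):
            continue  # issued by another CA: an intermediate, not a trust anchor
        if country and subject.get("countryName", "").upper() != country.upper():
            continue
        org = subject.get("organizationName", "")
        if org_substring and org_substring.lower() not in org.lower():
            continue
        hits.append({"subject": subject, "serial": cert.get("serialNumber"),
                     "not_after": cert.get("notAfter")})
    return hits

def x509_name(**attrs):
    """Build a name in ssl's tuple-of-RDNs layout (used for the sample only)."""
    return tuple(((key, value),) for key, value in attrs.items())

# Constructed sample store: two roots and one intermediate. All names are placeholders.
_NATIONAL = x509_name(countryName="XX", organizationName="Example National CA",
                      commonName="Example National Root")
_PUBLIC = x509_name(countryName="US", organizationName="Example Public CA",
                    commonName="Example Public Root")
SAMPLE_STORE = [
    {"subject": _NATIONAL, "issuer": _NATIONAL, "serialNumber": "01",
     "notAfter": "Jan  1 00:00:00 2032 GMT"},
    {"subject": _PUBLIC, "issuer": _PUBLIC, "serialNumber": "02",
     "notAfter": "Jan  1 00:00:00 2035 GMT"},
    {"subject": x509_name(countryName="XX", organizationName="Example National CA",
                          commonName="Example Issuing CA"),
     "issuer": _NATIONAL, "serialNumber": "03", "notAfter": "Jan  1 00:00:00 2027 GMT"},
]

def audit_local_store(**filters):
    """Run the same check against the roots Python's default context has loaded."""
    return find_roots(ssl.create_default_context().get_ca_certs(), **filters)

if __name__ == "__main__":
    print(find_roots(SAMPLE_STORE, country="XX"))   # constructed data
    print(audit_local_store(country="XX"))          # this machine's store
```

`get_ca_certs()` only reports certificates loaded from a CA bundle file, not ones sitting in a `capath` directory, and a browser that ships its own root store has to be checked in the browser itself.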


Discussion

  • Petr Sedlacek on

    If payment is the main problem, why not use one of the free services, e.g. Let's Encrypt?
  • nopesayer on

    the screenshots are too small, struggling to read the text. can you re-upload?
    • Lisa Vaas on

      I'll see what I can do. We're limited to 800 pixels.
  • useYourBrain on

    We won't accept your CA. You can't participate. That'll show them. *eye roll* This is a glimpse at the massive amount of control governments and tech companies have over people. It's tragic. Like countless others in this field -- I'm dumping products that are targeting Russian citizens as a means to punish them for actions they have no decision-making power over. We've had a few Russian tech companies reach out, begging us to take on their international customers so they don't get caught in the flak designed to punish + isolate them for the crime of being Russian. The US literally bombs and kills at will -- have you seen the number of children (not just civilians) they've killed in recent years -- it's mental! Treat all disgusting acts with the same punishment, or be shown a hypocrite .... or you could just realize it is insane to begin with. I'm sure Google, Microsoft and the other "tech"-trash out there won't be taking up that banner anytime soon. This entire thing has been sad to watch.
