Russia has created its own trusted TLS certificate authority (CA) to solve website access problems as a result of sanctions that prevent certificate renewals, according to a report at Bleeping Computer. “The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates,” the report said.
Because of expired certificates, countries that have imposed sanctions on Russia can no longer accept payments for their services, “leaving many [web]sites with no practical means to renew expiring certificates,” the Bleeping Computer report said.
Digital certificates are used by browsers to validate the legitimacy of websites. An expired certificate will trigger conspicuous warnings from Google Chrome, Safari, Microsoft Edge, and Mozilla Firefox browsers stating that pages are insecure, causing users to avoid a website, as Bleeping Computer points out.
If still used by websites, expired certificates are also a grave security concern as they put both encryption and mutual authentication at risk.
The report—quoting a translation from the Russian public services portal, Gosuslugi—explains the plans for a domestic certificate authority for the independent issuing and renewal of TLS certificates:
“It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue. The service is provided to legal entities – site owners upon request within 5 working days.”
Instead of Chrome, Firefox, et al., Russian users are being told to use the Yandex browser and Atom products, the only web browsers that recognize Russia’s new CA as trustworthy.
But it will take time for the new Certificate Authorities to be trusted by web browsers.
Russia keenly aware of sway that machine identities hold
“Certificate Authorities issue machine identities, like TLS certificates, that enable a browser and cloud to trust each other no matter where they are in the world,” said Kevin Bocek, VP, Ecosystem & Threat Intelligence, at Venafi.
Now the Russian government has taken the next step by introducing a Russian-based Certificate Authority for the internet.
“This new Russian Certificate Authority is a clear strike at privacy and freedom online because it could give the Russian government the power to surveil citizens and spoof any Western Internet service from Twitter to the BBC. It also could enable the government to essentially turn off the Internet for Russia,” Bocek said.
“Russian cybercriminals of all types have known the power of machine identities to escape detection for a long time. In the past, Russian cyber criminals have stolen machine identities to create backdoors to Ukrainian power plants with SSH keys or to get malware to run undetected with stolen code signing certificates,” Bocek added.
Russia could also create massive risk for itself
“The establishment of the new Russian CA also could create the possibility of a catastrophic single point of failure for Russian entities,” said Pratik Savla, Senior Security Engineer at Venafi.
“It’s safe to assume that this new CA will be a primary target of Anonymous and other groups that are currently waging cyberattacks against Russian entities. Unlike the rest of the world, both government and private-sector Russian sites and infrastructure don’t have a CAs, so if this one goes down or is compromised every website connected to it will be disconnected from the internet,” Savla said.