Monday, May 23, 2022

Experts skeptical new Russian certificate authority will evade sanctions

Russia has found what it hopes is a way to get around Ukraine-related war sanctions that are preventing websites in the country from renewing their TLS certificates. Web browsers block sites with expired security certificates, causing trouble for Russian government and business sites.

TLS (Transport Layer Security) certificates are created by an authorized certificate authority (CA) to serve two vital functions in a browser:  to verify a domain’s owner and create an encrypted session between applications over the Internet.

But according to Bleeping Computer, Russia has created its own trusted TLS certificate authority (CA) to get around the sanctions problem.

Experts from Venafi aren’t sure it will work.

Pratik Selva, a security engineer with Venafi, said the establishment of the new Russian CA also could create the possibility of a catastrophic single point of failure for Russian entities. “It’s safe to assume that this new CA will be a primary target of Anonymous and other groups that are currently waging cyberattacks against Russian entities,” he said. “Unlike the rest of the world, both government and private-sector Russian sites and infrastructure don’t have a CAs, so if this one goes down or is compromised, every website connected to it will be disconnected from the internet until a new CA is created and new certificates can be issued.”

Kevin Bocek, Venafi’s VP of threat intel and security strategy, said the new Russian Certificate Authority “is a clear strike at privacy and freedom online because it gives the Russian government the power to surveil citizens and spoof any Western Internet service from Twitter to BBC. It also could enable the government to essentially turn off the Internet for Russians. The only good news is that this change does not impact users of Edge, Chrome, Safari in the rest of the world – this change only affects areas of the world where Russia can compel users to step back into a controlled digital world.

“All of this should come as no surprise,” Boeck said. “It is further escalation in conflict against an open Internet and an expansion of control over citizens. Russia is also locking itself out of the global economy and dimming the hopes of economic growth for current and future generations of Russian citizens.”

According to Bleeping Computer, as of Thursday morning the only web browsers that recognized Russia’s new CA as trustworthy are the Russia-based Yandex browser and Atom products.

UPDATE: Analysts at the SANS Institute added this commentary: “Certificate authorities have also been revoking some certificates for Russian organizations. As a result, you may get warnings when visiting affected sites. Do not add the new Russian CA as a trusted CA in your browser/operating system. This new CA operates outside the rules governing CAs in current trusted CA lists. Currently, free certificates from Let’s Encrypt should still work for Russian sites.”

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication. Click this link to send me a note →

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Related Tech News

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.