Russia has found what it hopes is a way to get around Ukraine-related war sanctions that are preventing websites in the country from renewing their TLS certificates. Web browsers block sites with expired security certificates, causing trouble for Russian government and business sites.
TLS (Transport Layer Security) certificates are issued by an authorized certificate authority (CA) to serve two vital functions in a browser: to verify a domain’s owner and to create an encrypted session between applications over the Internet.
But according to Bleeping Computer, Russia has created its own trusted TLS CA to get around the sanctions problem.
Experts from Venafi aren’t sure it will work.
Pratik Selva, a security engineer with Venafi, said the establishment of the new Russian CA also could create the possibility of a catastrophic single point of failure for Russian entities. “It’s safe to assume that this new CA will be a primary target of Anonymous and other groups that are currently waging cyberattacks against Russian entities,” he said. “Unlike the rest of the world, both government and private-sector Russian sites and infrastructure don’t have a CAs, so if this one goes down or is compromised, every website connected to it will be disconnected from the internet until a new CA is created and new certificates can be issued.”
Kevin Bocek, Venafi’s VP of threat intel and security strategy, said the new Russian Certificate Authority “is a clear strike at privacy and freedom online because it gives the Russian government the power to surveil citizens and spoof any Western Internet service from Twitter to BBC. It also could enable the government to essentially turn off the Internet for Russians. The only good news is that this change does not impact users of Edge, Chrome, Safari in the rest of the world – this change only affects areas of the world where Russia can compel users to step back into a controlled digital world.
“All of this should come as no surprise,” Bocek said. “It is further escalation in conflict against an open Internet and an expansion of control over citizens. Russia is also locking itself out of the global economy and dimming the hopes of economic growth for current and future generations of Russian citizens.”
According to Bleeping Computer, as of Thursday morning the only web browsers that recognized Russia’s new CA as trustworthy were the Russia-based Yandex browser and Atom products.
UPDATE: Analysts at the SANS Institute added this commentary: “Certificate authorities have also been revoking some certificates for Russian organizations. As a result, you may get warnings when visiting affected sites. Do not add the new Russian CA as a trusted CA in your browser/operating system. This new CA operates outside the rules governing CAs in current trusted CA lists. Currently, free certificates from Let’s Encrypt should still work for Russian sites.”