Close up on the screen focus on the browser padlock showing digital certificates and certificate authority

How Russia’s New Certificate Authority Could Change the Internet in America

Sanctions against Russia are piling up by the day, with countries banning ships, freezing assets and seizing yachts from oligarchs. One particular sanction, the refusal to renew web certificates, has led to Russia creating its own certificate authority (CA).

Transport Layer Security (TLS) certificates have become a virtual prerequisite for any business with an online presence, especially one that accepts a customer’s personal data or payment information. Certificates verify a secure connection and the website’s trustworthiness. Many Russian businesses can’t operate without them and can’t get them or renew them from the usual CAs because sanctions prohibit many Western businesses from doing business in Russia.

Through that lens, Russia’s creation of a CA is a self-defense mechanism to keep its businesses running. But it’s more complicated than that and could even set the stage for potential conflict. The Russian government spinning up a CA means it has more ability to inspect web traffic, track activity, and create a surveillance state that can also spoof Western entities.

To truly grasp the dangers associated with Russia developing a TLS CA, it’s important to understand what CAs do and the impact they have on the digital world.

How certificate authorities work

Similar to the State Department issuing a passport, a TLS CA is an international trusted third party that issues identities to devices, servers, networks, and data. The CA signs the certificates, and the signature is verified by a web browser before establishing a connection.

There are several well-known public CAs like Entrust, DigiCert, and Let’s Encrypt that work with common browsers like Edge, Chrome, Firefox, and Safari. So far, only Russian browsers are defaulting to Russian TLS certificates.

Due to the sanctions, Russian websites that use specific certificates from a U.S.-based public CA will not be able to renew their certificates if they expire. Many certificate authorities have already decided they are blocking all new orders from Russia and Belarus. Additionally, other organizations that distribute certificates are pausing business operations in Russia.

Expired certificates are a grave security concern and can diminish business. According to a recent report from Ponemon Institute, nearly 65% of organizations across the world are unable to secure and govern the growing volume of digital certificates – which amount to an average 30,000 per organization – and more than half of today’s organizations have experienced one or more security incidents due to a digital certificate compromise. This report also found a CA compromise was a root cause (nearly 50%) of these cybersecurity incidents. With that, CAs have a lot of impact and influence on how today’s internet works.

While businesses can manually add a CA into a browser, it’s an all-or-nothing proposition. You can’t pick and choose which websites you want to use a certificate authority for. CAs are like the bouncer at a club, and your browser is the bartender looking to serve you a drink, or a website. Once browsers accept a CA, they trust the CA’s judgment to verify websites. This is why CAs are an integral part of the public key infrastructure (PKI), a framework for data encryption that establishes digital identities for users and web-based resources. This is what keeps the internet secure and transparent.

What this means for U.S. organizations

Russians are forced to trust the new CA because it’s the only choice Russian websites have when it comes to getting new certificates. Now the rest of the world needs to decide whether it also wants to trust a Russian CA.

For instance, if a university researcher in America wanted to read about the findings from Moscow Finance and Law University, it would have to use the Russian CA once the university’s current Sectigo certificate expires in November.

This has led to a larger discussion about Russian entities, whether government affiliated like the new CA or otherwise.

Even before Russia invaded Ukraine, which led to the sanctions en masse, it had a suspect reputation in the technology world and is one of the largest state-sponsored hacking countries. Having a CA at its disposal would assist the hackers in snooping web traffic, or worse. Hackers could hijack a domain name and use it to extort a ransom. They could also redirect users to an identical website and deploy malware or collect user credentials and credit card information.

Cases like Kaspersky offer plenty of reasons to be wary. The Russian corporation is one of the biggest names in anti-virus software despite the binding directive from the Department of Homeland Security in September 2017, which instructed government agencies to stop using Kaspersky because of ties to Russian intelligence that would jeopardize the security of Kaspersky customers. On March 25, 2022, the Federal Communications Commission made Kaspersky the first Russian entity on a list of companies deemed a threat to national security.

It’s not just Russia, either. Government-backed CAs tend to stay out of the mainstream. Even the U.S. Department of Defense’s CAs are not publicly trusted and need to be manually added to devices.

What comes next

It’s clear Russia is going through this exercise to ensure that its infrastructure isn’t crippled by a sanction. PKI, specifically certificates, is the linchpin to internet-facing technology. It allows for secure communications and is an integral part of encryption, something that Russia excels at. This is why a Russian CA is something every organization should be watching.

Browsers like Chrome, Firefox, Edge, and Safari will have to make the call about whether they trust the Russian CA to both encrypt the traffic and point that traffic to the right place.

By owning a trusted CA, Russia can also now host as many man-in-the-middle attacks, which are generally privacy attacks. Additionally, with a Russian CA entity, the majority of state-sponsored hacking groups can use these CA to produce certificates for devices meant to intercept traffic and view all of the encrypted communications.

Because this isn’t happening all at once—many Western CAs are still honoring current certificates on Russian websites until they expire—it calls out the critical importance of automating certificate lifecycle management (CLM).

Russian government spinning up a CA means it has more ability to inspect web traffic, track activity, and create a #surveillance state that can also spoof Western entities. #cybersecurity #respectdataClick to Tweet

Russian organizations will need to replace millions of certificates on a rolling basis. It’s a tedious process and extremely time consuming. Automating CLM with trusted CAs reduces the likelihood of outages due to certificate expiration or human error, but make no mistake, a trusted CA is the key.


Field CISO at AppViewX