The Russian government has formed a group that is issuing Transport Layer Security (TLS) certificates to websites in the country after sanctions ended the ability to renew existing certificates. However, the scheme may have serious limitations, because web browsers can refuse to accept certificates at their end.
Also often referred to as SSL, TLS certificates are the instrument that enables a website to offer an encrypted https:// connection to visitors. Many Russian businesses have found themselves placed on sanctions lists due to the sweeping actions taken by Western nations, meaning that the largely Western organizations that issue certificates and renewals can no longer legally offer services to them.
Russian government attempts to generate TLS certificates, but browsers can act as chokepoints
TLS certificates are what let a browser authenticate a server and set up an encrypted connection to it, making it very difficult for other prying eyes on the network to intercept the data being transferred. Offering an https:// connection has become a virtual requirement for any website that takes payments or requests personal information from users.
Regardless of how any businesses that issue TLS certificates might feel about Russian websites, widespread Western sanctions on the country have now left them in the position of being unable to take payments from Russian entities without breaking the law and potentially courting large fines. This leaves quite a few Russian websites high and dry for secure connections as certificates begin to come up for renewal.
Apparently keenly aware of this issue, the Russian government’s Ministry of Digital Development has set up a domestic certificate authority (Gosuslugi) that can replace these expiring TLS certificates (and issue new ones). The government-funded effort is offering free certificate replacements to Russian businesses that demonstrate legal ownership of a site, issued within five days of request.
The shortcoming in this plan is that TLS certificates do not function solely from the issuer’s end. They also require the participation of web browsers, which are free to reject certificates that do not chain to an issuer they trust. Adding a certificate issuer to a major browser’s “whitelist” (its root trust store) is a process that usually takes months at a minimum. This means that, at the moment, most major Western browsers are rejecting the Russian domestic TLS certificates out of hand.
Thus far the only web browsers that accept Russia’s TLS certificates are those based in Russia – Yandex, and Mail.ru’s Atom browser. The certificates are not trusted by Edge, Chrome, Firefox and other popular browsers used in the West. Nevertheless, some major Russian financial services providers (such as the Russian Central Bank and Sberbank) have already migrated to the domestic certificates. Use of these special certificates is apparently not being made mandatory, but the Russian government has circulated a list of 198 domains that it has suggested switch over to them.
Russian certificates present a potential security threat
Users of most of the major Western browsers are able to manually configure them to accept the Russian TLS certificates if they so desire. However, security concerns have been raised over the possibility of the Russian government taking a direct hand in these connections and using them to intercept data or execute a “man in the middle” attack. As long as the Russian government is involved in the project in this way, it is very unlikely that Western browsers will ever add the authority to their lists of trusted issuers.
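The browser-side chokepoint described above (a certificate is rejected unless its issuer is in the client’s own trust store, and a user can widen that store by hand) can be reproduced offline. The following Go program is an added example; it is not code from the article or from any certificate authority mentioned in it, and the root names, the host bank.example and the four client configurations are constructed for the demonstration. It builds a root in memory, has it issue one server certificate, and asks each hypothetical client whether it accepts the certificate: only the client whose pool contains that issuer says yes, and even that client still rejects the certificate for a host it was not issued for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustSign creates a certificate from tmpl signed by signer (self-signed when parent == tmpl).
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// newRoot builds an in-memory self-signed root standing in for any certificate
// authority (constructed test material, not real CA data).
func newRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustSign(tmpl, tmpl, &key.PublicKey, key), key
}

// issueServerCert has the root sign a TLS server certificate for one DNS name.
func issueServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustSign(tmpl, root, &key.PublicKey, rootKey)
}

// clientAccepts does what a browser does on connect: chain the server certificate
// to a root in its OWN store for the requested host. The pool is never nil, so Go
// does not fall back to system roots; the verdict depends only on what this client trusts.
func clientAccepts(trusted []*x509.Certificate, leaf *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknown):
		return "unknown-authority" // the browser-side chokepoint from the article
	default:
		return "rejected: " + err.Error() // e.g. hostname mismatch or expiry
	}
}

// demo issues one server certificate from a freshly created root and reports how
// four hypothetical client trust stores treat it.
func demo() map[string]string {
	domestic, domesticKey := newRoot("Example Domestic Root") // constructed name
	other, _ := newRoot("Example Other Root")                 // constructed name
	leaf := issueServerCert(domestic, domesticKey, "bank.example") // constructed host
	return map[string]string{
		"root added by hand":     clientAccepts([]*x509.Certificate{domestic}, leaf, "bank.example"),
		"default store (none)":   clientAccepts(nil, leaf, "bank.example"),
		"trusts another root":    clientAccepts([]*x509.Certificate{other}, leaf, "bank.example"),
		"root added, wrong host": clientAccepts([]*x509.Certificate{domestic}, leaf, "shop.example"),
	}
}

func main() { fmt.Println(demo()) }
```

Run it with go run. The same leaf gets “unknown-authority” from any client whose store lacks the issuer, whoever operates the CA, which is the situation the article describes for Western browsers. The “root added by hand” case shows why that manual step has wide effect: once a root is in the pool, every certificate it signs, for any name, verifies the same way, which is the basis of the interception concern raised above.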
Kevin Bocek, VP of Threat Intel and Security Strategy for Venafi, expands on the offensive capability that these certificates create: “Russian cybercriminals of all types have known the power of machine identities to escape detection for a long time. In the past, Russian cyber criminals have stolen machine identities to create backdoors to Ukrainian power plants with SSH keys, or to get malware to run undetected with stolen code signing certificates. Now the Russian government has taken the next step by introducing a Russian-based Certificate Authority for the internet. Certificate Authorities issue machine identities like TLS certificates that enable a browser and cloud to trust each other no matter where they are in the world. This new Russian Certificate Authority is a clear strike at privacy and freedom online because it gives the Russian government the power to surveil citizens and spoof any Western Internet service from Twitter to BBC. It also could enable the government to essentially turn off the Internet for Russians. The only good news is that this change does not impact users of Edge, Chrome, Safari in the rest of the world – this change only affects areas of the world where Russia can compel users to step back into a controlled digital world.”
The Russian TLS certificates also present a potential security hazard for the websites that use them. The issuing authority will likely be a target for “hacktivists” such as Anonymous, and should it be taken offline it would also instantly disable the secure connection functionality for all the sites relying on it.
All of this comes amidst plans announced by Russia to implement a China-style “great firewall” and withdraw from the global internet, something that the country said would begin on March 11. The government has told all businesses in the country to migrate to “.ru” addresses or risk being frozen out. The country has tested a full withdrawal from the internet several times, the first of which was in 2019, but information about exactly how feasible and successful it was is not available outside of the government. Russia has already effectively been frozen out of much of the technological world from the outside at this point, however, with chip manufacturers halting shipments to the country and digital financial services pulling out.
While Russia wants to keep its domestic internet fenced in, the world is anticipating retaliatory cyber attacks in the coming weeks and months due to the sanctions. Russia has levied some attacks in Ukraine at this point, but has been slow to use its cyber capability against anyone else.