Because of sanctions imposed by western governments and companies, Russian websites cannot renew their TLS certificates, leading to sites being blocked by browsers. Russia has responded by creating its own TLS certificate authority (CA).
Transport Layer Security (TLS) secure and encrypts the transfer of data between a website, web server, and browser. Without a TLS certificate, a browser blocks access to a website.
CAs in countries that have imposed sanctions on Russia cannot accept payments from Russia, leaving many Russian websites in danger of being inaccessible. So, the Russian government created a domestic CA.
“It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analog. The service is provided to legal entities – site owners upon request within 5 working days,” explains the Russian public services portal.
However, this is not an immediate solution because a CA can only be trusted by browsers after it has been vetted by several companies. According to Bleeping computer, so far the only browsers that recognize the Russian CA are Yandex and Atom.
Several websites are already using the new CA, including Sberbank, Russian Central Bank, and VTB. Russian media reported that 198 domains had been told to use the new CA, but, for now, it is not compulsory.
Users on browsers like Firefox, Mozilla, and Chrome can manually add the new Russian digital certificate in order to access Russian sites. That carries the risk that Russia could use the CA root certificate to perform attacks like man-in-the-middle and HTTPS traffic interception.
The risk of these attacks would likely result in Russia’s new CA root certificate being included in the certificate revocation list (CRL), making the digital certificates invalid and sites being blocked.
Additionally, considering that Russia compromised its trustworthiness globally, it is unlikely that any of the major browsers will add its CA root certificates.
The fact that many providers are pulling out of Russia is also leaving many Russian citizens more at risk of state surveillance.
“DigiCert is one of the world’s biggest providers of website certificates, which aim to prove that when a person visits a site it’s owned by the entity they expected. If a website loses that certificate, it’s possible for hackers or a government to intercept a person’s attempt to reach a given site and replace it with their own webpage. That could then be used to launch spyware on the individual or trick them into entering their username and password, which could then be stolen and offered for sale, or used by the perpetrator. It could also be used to spy on what users are doing on a given website.
In Russia, where fears of cybercrime and repressive surveillance are rife, the ramifications of DigiCert’s withdrawal could be huge. That Russia is reportedly working on creating its own digital signature entity won’t allay concerns over surveillance, given it’ll be under the control of the Kremlin.”