Russia issues its own TLS certificate to bypass sanctions

In response to Russia’s invasion of Ukraine, many Western countries have imposed sanctions prohibiting companies from conducting business in Russia. This includes public third-party certificate authorities (CAs), which issue digital certificates and manage the public keys and credentials used to encrypt data for end users. One such digital certificate is the Transport Layer Security (TLS) certificate, which plays an integral role in validating website domains to ensure security.

With the sanctions preventing certificate renewal for Russian websites, sites whose TLS certificates have expired are blocked by browsers. In an attempt to solve these website access problems, Russia has created its own TLS certificate authority.

How do TLS certificates work?

How TLS works (Source: DigiCert)

TLS, often still referred to as SSL, is the foundation of secure networks and the successor to the commonly known Secure Sockets Layer (SSL); its certificates are also called SSL certificates or digital certificates. TLS is a cryptographic protocol that provides end-to-end security of data sent over the Internet. It is best known for its use in securing HTTPS web browsing, where it is visible as the padlock symbol in the address bar. Aside from web browsing, it is also used in applications such as email, messaging, and voice over IP.

TLS Handshake (Source: CloudFlare)

A TLS handshake is the process that initiates a communication session with TLS encryption. During a TLS handshake, the client and the server exchange messages to acknowledge each other, verify each other, establish the encryption algorithms they will use, and agree on session keys. This can be summarized as the following steps:

  1. Specify which version of TLS is in use
  2. Decide which cipher suite to use, that is, the set of encryption algorithms for the session, such as the RSA key exchange algorithm
  3. Authenticate the identity of the server via the server’s public key and the TLS certificate authority’s digital signature
  4. Generate session keys to use symmetric encryption

TLS typically relies on trusted third-party CAs to issue the certificates, the top three of which are IdenTrust, DigiCert and Sectigo. With some of these companies withdrawing their business from Russia, and sanctions leaving them unable to receive payments from Russia, the country is now facing website access issues: affected websites cannot renew their certificates and are therefore blocked by web browsers.

Russia’s Domestic TLS

Announcing the availability of domestic certificates (Gosuslugi)

The Russian government’s solution is to issue its own TLS certificates to websites in the country: “It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue. The service is provided to legal entities – site owners upon request within 5 working days,” explains the Russian public services portal, Gosuslugi (translated).

Risks and Limitations

However, this plan comes with many limitations. TLS certificates must be validated by web browsers, meaning that browsers are free to reject websites they deem untrustworthy. Additionally, the process of adding a certificate issuer to a browser’s “whitelist” takes several months at the minimum, so Russian domestic TLS certificates are currently rejected by the major Western browsers. The only web browsers that accept Russia’s domestic TLS certificates are Yandex and Atom, both of which are based in Russia.

This also creates a significant privacy threat to Russian residents. Mike Parkin, researcher and senior technical engineer at Vulcan Cyber, tells CSO News: “While it’s unlikely that the major browsers will ever accept the new Russian CA, it may be a problem for those users in Russia. They will have to rely on their CA, which is sanctioned by a government that is not well known for respecting user privacy or taking a strong stand against cybercriminals.”
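The check a browser applies at step 3 of the handshake explains both failures described above: an expired certificate, and a chain that ends at a root the browser does not ship. The code below is an added example, not taken from the cited sources; the CA names, hostname, dates and tiny textbook-RSA keys are constructed, and real browsers perform further checks (such as revocation) that it omits.

```python
# Toy model of the browser's certificate check. All names, dates and keys are
# constructed; textbook RSA with tiny primes stands in for real signatures.
import hashlib
from collections import namedtuple
from datetime import date

Cert = namedtuple("Cert", "subject issuer not_after pub sig")
def tbs_digest(c, n):
    # Hash of the signed fields, reduced so the toy key can sign it.
    data = f"{c.subject}|{c.issuer}|{c.not_after.isoformat()}|{c.pub}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, pub, not_after, issuer, issuer_priv):
    n, d = issuer_priv
    unsigned = Cert(subject, issuer, not_after, pub, 0)
    return unsigned._replace(sig=pow(tbs_digest(unsigned, n), d, n))

def validate(chain, trust_store, hostname, today):
    """chain: leaf first, root omitted. trust_store: root name -> (n, e)."""
    if chain[0].subject != hostname:
        return "hostname mismatch"
    for i, cert in enumerate(chain):
        if today > cert.not_after:
            return f"expired: {cert.subject}"
        if i + 1 < len(chain):                 # signed by an intermediate
            if chain[i + 1].subject != cert.issuer:
                return f"broken chain at: {cert.subject}"
            issuer_pub = chain[i + 1].pub
        else:                                  # must end at a root the browser ships
            issuer_pub = trust_store.get(cert.issuer)
            if issuer_pub is None:
                return f"untrusted root: {cert.issuer}"
        n, e = issuer_pub
        if pow(cert.sig, e, n) != tbs_digest(cert, n):
            return f"bad signature: {cert.subject}"
    return "ok"

GLOBAL_PUB, GLOBAL_PRIV = (3233, 17), (3233, 2753)      # n = 61 * 53
DOMESTIC_PUB, DOMESTIC_PRIV = (8633, 5), (8633, 5069)   # n = 89 * 97
SITE_PUB = (2773, 17)
TODAY = date(2022, 4, 1)
GLOBAL_STORE = {"Global Root CA": GLOBAL_PUB}
DOMESTIC_STORE = {**GLOBAL_STORE, "Domestic Root CA": DOMESTIC_PUB}
expired_leaf = issue("shop.example", SITE_PUB, date(2022, 3, 15), "Global Root CA", GLOBAL_PRIV)
domestic_leaf = issue("shop.example", SITE_PUB, date(2023, 3, 15), "Domestic Root CA", DOMESTIC_PRIV)

if __name__ == "__main__":
    for leaf, store in [(expired_leaf, GLOBAL_STORE), (domestic_leaf, GLOBAL_STORE), (domestic_leaf, DOMESTIC_STORE)]:
        print(leaf.issuer, "->", validate([leaf], store, "shop.example", TODAY))
```

The site and its certificate are identical in the last two calls; only the browser's trust store differs, which is why acceptance depends on the browser vendor rather than on the site.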

Bottom Line

This action by the Russian government has prompted many to wonder whether it is a step towards the Russian “sovereign internet”, in which the nation completely disconnects from the global Internet. “This would happen under a 2019 Law on Sovereign Internet. According to Russia’s legislation, disconnecting Russian internet infrastructure from the global internet would be a defensive move, although this leaves a wide room for interpretation,” according to a Flashpoint post.

Sources:

https://www.globalsign.com/en/ssl-information-center/what-are-certification-authorities-trust-hierarchies

https://www.digicert.com/tls-ssl/tls-ssl-certificates

https://www.internetsociety.org/deploy360/tls/basics/

https://www.cloudflare.com/en-ca/learning/ssl/what-happens-in-a-tls-handshake/

https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/

https://www.csoonline.com/article/3653315/traffic-interception-and-mitm-attacks-among-security-risks-of-russian-tls-certs.html

https://www.flashpoint-intel.com/blog/ukraine-russia-war/russian-runet-sovereign-internet/

Join the Conversation

34 Comments

  1. It’s interesting to see the digitalization of sanctions in the modern information era. I think the fact that Russia had to produce their own TLS certificate shows how internationally interconnected, and therefore dependent, the internet is. This nature of course allows us to wield the power to punish countries such as we have been doing with Russia, something that we’re seeing as a positive for now but only because we aren’t at the short end of the stick. Here’s to hoping that this power keeps being used for good.

    1. Seeing the digitalization of sanctions is definitely interesting, and I think we can expect to see more of those playing an important role in the future. And definitely hoping that this power will be used for good.

  2. Thank you for your detailed and well-written post. In the west, we often take our ability to connect with those outside of our country for granted. Economic impact aside, Russia withdrawing from the global internet may trigger a cultural rift that hasn’t been seen since the iron curtain.

    1. Nowadays, the Internet plays such an important role in freedom of speech. I agree that is often taken for granted and hard to imagine what life would be like without access to the global Internet.

  3. This whole deal with all these companies pulling out of Russia really feels like it’s getting to be too far. I doubt that preventing Russia from getting TLS certificates is gonna do anything to help fight the war, and I wonder how people will react when the war is over (however it may end), will we reconnect to Russia, or will they be forever known as some sort of global enemy?

    1. While many try to bring justice to the matter, there’s no stopping Russia from reacting to the matter or even taking it to the next level. The validation process of such TLS seems to be challenging, so I’m still doubtful if this will actually help them bypass the sanction.

  4. Good Post! I have heard the term “TLS” before but I did not know that it was a form of certificate and that they can grant websites access to web browsers. Russia’s response to being denied access to these certificates is very interesting. You make a good point regarding how the certificates issued by Russia’s new “TLS” may not be trustworthy, as the Russian government has a history of not respecting user privacy. If these new certificates are issued by a section of the Russian government itself, then what is stopping that section from potentially breaching these newly issued security measures. We all know that the Russian government has a history of going back upon their word (the war in Ukraine being a rather relevant example). This does seem like an obvious avenue for the Russian government to digitally spy on the activity of its citizens.

    1. Thanks! I enjoyed researching the topic after hearing them in class. You made a good point about the trustworthiness of the TLS. With Internet integrated in people’s daily lives, safe access to the Internet is very important.

  5. Great post! I did not know much about TLS certificates before reading this post, and you explained what they are and how they work very clearly. I find it really interesting how sanctions can be imposed digitally, as it is something I had not really considered until now. While I hope that the sanctions that are being imposed by Western countries have an effect in discouraging the Russian government from continuing their invasion, I can not help but feel that if Russia does become completely disconnected from the global internet, it could have drastic impacts on Russian civilians. The Russian government produces vast amounts of propaganda, and by controlling not only traditional media, but the internet as well, it could result in increased isolation, misinformation, and harm.

    1. I agree that seeing the many sanctions taken place digitally is fascinating. Hopefully, the Internet isolation is just temporary and the sanctions help bring justice.

  6. I’ve seen a lot of different posts regarding Russia and Ukraine and they all are as concerning as it could be. It is possible for Russia to spy on its citizens and if the country disconnects from the internet worldwide, it would be very concerning. Overall, great post!

    1. Isolating the country is concerning as this allows them to deceive their citizens. Hopefully, the people will find an alternative to the Russia-issued TLS.

  7. Great Post! We know, if an attacker infects a computer with malicious software, they could gain access to the digital certificates stored on that device and insert a root certificate. This, along with the ability to fraudulently respond to that user’s website requests, would allow them to impersonate a website, thereby allowing them to read all data sent to it.

    1. That’s a great point! Validation of the Russian TLS may be harmful to the safety of the Internet.

  8. Good post! I like how this ties in with what we learned today in class about SSL/TLS. I wonder if Russia might move to a more isolated internet, much like China currently has, where nothing gets in except for what the government allows. Domestic SSL certificates certainly seem like a great way of doing that, by only allowing government-approved entities to have secure connections. And even then, there’s no guarantee that the government doesn’t exploit the certificates to spy on their citizens.

    1. I can definitely see how the isolation of the Internet can be concerning. The government can take control over what’s allowed and who’s allowed there, and hence, creating misinformation and misuse of information.

  9. Interesting comment! It is cool to see that TLS certificates are being used now as a political tool- TLS certificates are meant to identify and identify websites, and this is certainly another creative way to strike at the Russian government, as well as regular citizens- would this push towards the creation of a “Sovereign Internet” for Russia really help the current situation? I honestly don’t know the answer to this question, it will be interesting to see how this plays out.

    1. It is interesting to see how all aspects of our lives are integrated with the Internet, and digital sanctions can have serious consequences on a nation.

  10. It is interesting how dependent countries are on each other when it comes to accessing websites and information online. Russia creating their own TLS certificate will make them somewhat more powerful while other countries boycott Russia in every way possible. It is also scary to see that Russia is attempting to isolate its citizens so that they don’t need to rely on other countries.

    1. The Internet could have been an open platform for people to communicate and express their opinions, the isolation can take that away. I agree with the risk of isolation that comes with the Russia-issued TLS.

    2. I agree with your statement and it also shows the power Russia has in the realm of cyberwarfare. Not only do they isolate their citizens, but they also crush any dissent that may be apparent within their own civilian population. By handing out TLS access to a select few individuals, it could have a devastating effect on the control of the narrative as Russia can shape it in any way it desires. I think companies need to be more vigilant of these practices and stop these intrusions with whatever means necessary.

  11. I think this is a great post! I have learned a lot about the web from your post. The fact that Russia is now issuing its own TLS certificate shows its innovativeness in terms of cyber warfare. Alternatively, this also showcases their achievement when it comes to cyber security. Nonetheless, I would ask you how should companies prevent the access of Russian TLS from accessing their sites? Cause clearly they are able to bypass sanctions. Additionally, it gives them unanimous leverage against their own citizens as it makes them more domestically powerful in suppressing any dissent that may exist. They could hand these TLS to patriots to spread Russian propaganda on these web browsers while hiding the reality of war crimes committed in Ukraine.

  12. Nice post! Honestly I’m kind of surprised that Russia did not already have their own certificates, but now that they are sanctioned, I guess they have no choice but to make them. This is probably bad news for Russian citizens because now their government can see even more of what is happening on people’s computers, and will probably make it easier for Russia to censor more information from its citizens. Hopefully Russian citizens will be able to stay connected with the rest of the world. This was a really interesting post!

  13. This is interesting! We always think of sanctions limiting economic activity, but I’m surprised TLS certificates are sanctioned as well. It’s interesting how Russia has found a way around these sanctions to allow their websites to continue their commerce activity. I wonder how far they will go and if they ever disconnect from the global internet and only communicate within their own smaller version of the Internet.
