To deal with website access problems caused by the increasing number of tech sanctions on the country, Russia has now created its own TLS Certificate Authority (CA).
TLS certificates are an essential security mechanism, as they help browsers determine whether a website is safe and belongs to a verified entity. Russians cannot renew their existing TLS certificates due to sanctions imposed by Western companies and governments. This has caused major browsers to block Russian sites for visitors.
Any certificate signing authorities based in countries with sanctions on Russia cannot receive payments for renewing certificates, leaving Russian sites with no means of renewing or reissuing said certificates.
Another Russian authority causing problems
Russia is tackling this problem by making an in-house certificate signing authority that can independently issue and renew TLS certificates. According to the Russian Public Services Portal, these certificates will replace foreign ones if they get revoked or expire. The service will be provided to legal entities and site owners upon request in five working days.
At the time of writing, the only browsers supporting Russian TLS certificates are Russia-based Yandex and Atom. Russian users are being told to use the aforementioned browsers instead of major ones like Chrome, Edge and Firefox, among others.
While the domestic certificate hasn’t been made mandatory yet, Russian media is circulating a list of 198 domains that have received a notice to use these certificates. Sites that have already migrated to the new certificate include Sberbank, VTB and the Russian Central Bank.
The problem here is that for a new CA to be trusted by web browsers, it needs to be vetted by various companies, a time-consuming process that is in question thanks to the very sanctions Russia’s homegrown CA is made to avoid.
And while Chrome, Edge and Firefox users can manually add the new certificate and continue using Russian sites as usual, this raises a big concern regarding the abuse of this new CA to perform HTTPS traffic interception and man-in-the-middle attacks. Any abuse will eventually cause the certificate to be added to the Certificate Revocation List (CRL), bringing Russian sites full circle. This will cause browsers to block access to these sites even with the domestic root certificate.