
Russia creates own TLS certificate in a bid to evade sanctions


To deal with website access problems caused by the increasing number of tech sanctions on the country, Russia has now created its own TLS Certificate Authority (CA).

TLS certificates are an essential part of web security, as they help browsers determine whether a website is safe and belongs to a verified entity. Russians cannot renew their existing TLS certificates due to sanctions imposed by western companies and governments. This has caused major browsers to block Russian sites for visitors.

Certificate signing authorities based in countries with sanctions on Russia cannot receive payments for renewing certificates, leaving Russian sites with no means of renewing or reissuing them.


Another Russian authority causing problems

Russia is tackling this problem by making an in-house certificate signing authority that can independently issue and renew TLS certificates. According to the Russian Public Services Portal, these certificates will replace foreign ones if they get revoked or expire. The service will be provided to legal entities and site owners upon request in five working days. 

At the time of writing, the only browsers supporting Russian TLS certificates are Russia-based Yandex and Atom. Russian users are being told to use the aforementioned browsers instead of major ones like Chrome, Edge and Firefox, among others. 

The Russian Public Services Portal’s TLS page.

While the domestic certificate hasn’t been made mandatory yet, Russian media is circulating a list of 198 domains that have received a notice to use these certificates. Sites that have already migrated to the new certificate include Sberbank, VTB and the Russian Central Bank. 

The problem here is that for a new CA to be trusted by web browsers, it needs to be vetted by various companies, a time-consuming process that is in question thanks to the very sanctions Russia’s homegrown CA is made to avoid.

And while Chrome, Edge and Firefox users can manually add the new certificate and continue using Russian sites as usual, this raises a big concern regarding the abuse of this new CA to perform HTTPS traffic interception and man-in-the-middle attacks. Any abuse will eventually cause the certificate to be added to the Certificate Revocation List (CRL), making Russian sites come full circle. This will cause browsers to block access to these sites even with the domestic root certificate.


Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
