Russia creates its own TLS certificate authority to bypass sanctions

[Gandalf_The_Grey]

Content source

https://www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/

Russia has created its own trusted TLS certificate authority (CA) to solve website access problems that have been piling up after sanctions prevent certificate renewals.

The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates.

TLS certificates help the web browser confirm that a domain belongs to a verified entity and that the exchange of information between the user and the server is encrypted.

Signing authorities based on countries that have imposed sanctions on Russia can no longer accept payments for their services, leaving many sites with no practical means to renew expiring certificates.

After a certificate expires, web browsers such as Google Chrome, Safari, Microsoft Edge, and Mozilla Firefox will display full-page warnings that the pages are insecure, which can drive many users away from the site.

The Russian state has envisioned a solution in a domestic certificate authority for the independent issuing and renewal of TLS certificates.

“It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue. The service is provided to legal entities – site owners upon request within 5 working days,” explains the Russian public services portal, Gosuslugi (translated).

However, for new Certificate Authorities (CA) to be trusted by web browsers, they first needed to be vetted by various companies, which can take a long time.

Currently, the only web browsers that recognize Russia’s new CA as trustworthy are the Russia-based Yandex browser and Atom products, so Russian users are told to use these instead of Chrome, Firefox, Edge, etc.

Sites that have already received and are currently using these state-supplied certificates include Sberbank, VTB, and the Russian Central Bank.

 

[oldschool]

However, for new Certificate Authorities (CA) to be trusted by web browsers, they first needed to be vetted by various companies, which can take a long time.

Currently, the only web browsers that recognize Russia’s new CA as trustworthy are the Russia-based Yandex browser and Atom products, so Russian users are told to use these

The Putin noose tightens.

 

[ExecutiveOrder]

Currently, the only web browsers that recognize Russia’s new CA as trustworthy are the Russia-based Yandex browser and Atom products, so Russian users are told to use these instead of Chrome, Firefox, Edge, etc.

I wonder how many (and how long until) AV products with encrypted connection scan features will recognize Putin's brand new CA as trusted and won't be surprised if Kaspersky will be among the first to recognize it.

 

[Minimalist]

I wonder how many (and how long until) AV products with encrypted connection scan features will recognize Putin's brand new CA as trusted and won't be surprised if Kaspersky will be among the first to recognize it.

Even bigger problem is how to persuade browser developers to add it to trusted certificate list. So far only Yandex does it and I doubt that others are eager to do it.

 

[rami.abbas]

won't be surprised if Kaspersky will be among the first to recognize it.

Foshooo

 

[rami.abbas]

I doubt that others are eager to do it

Agreed! With the current tension and sanctions among these nations, I doubt that other browser would accept their new certificate.
Plus, Signing authorities based on countries that have imposed sanctions on Russia can no longer accept payments for their services, leaving many sites with no practical means to renew expiring certificates.

 

[ExecutiveOrder]

Russian media has also been circulating a list with 198 domains that reportedly received a notice to use the domestic TLS certificate, but for now, its use hasn’t been made mandatory.

I've checked some domains on the domain list that can actually load, most of them are recently renewed premium from various CA or free (Let's Encrypt) certificates (issued from mid-January to 7th March) and I didn't see anything from Russian Trusted Root CA.
The Central Bank of the Russian Federation (cbr.ru) for example, is using GlobalSign cert issued on 1st March (expires on 2nd April 2023).
Looks like some of them were ready for this.

 

[plat]

 

[cajianbabyblue]

From the article: "However, this raises the concerns that Russia could abuse their CA root certificate to perform HTTPS traffic interception and man-in-the-middle attacks.
This abuse would ultimately lead leading to the new root certificate being added to the certificate revocation list (CRL)."

...and will further isolate the country and its sites for the near future.

 

[cajianbabyblue]

"However, for new Certificate Authorities (CA) to be trusted by web browsers, they first needed to be vetted by various companies, which can take a long time."

How long does it typically take?