Russia creates its own TLS certificate authority to bypass sanctions

Gandalf_The_Grey

Level 61
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,009
Russia has created its own trusted TLS certificate authority (CA) to solve website access problems that have been piling up after sanctions prevent certificate renewals.

The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates.

TLS certificates help the web browser confirm that a domain belongs to a verified entity and that the exchange of information between the user and the server is encrypted.

Signing authorities based on countries that have imposed sanctions on Russia can no longer accept payments for their services, leaving many sites with no practical means to renew expiring certificates.

After a certificate expires, web browsers such as Google Chrome, Safari, Microsoft Edge, and Mozilla Firefox will display full-page warnings that the pages are insecure, which can drive many users away from the site.
The Russian state has envisioned a solution in a domestic certificate authority for the independent issuing and renewal of TLS certificates.

“It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue. The service is provided to legal entities – site owners upon request within 5 working days,” explains the Russian public services portal, Gosuslugi (translated).

However, for new Certificate Authorities (CA) to be trusted by web browsers, they first needed to be vetted by various companies, which can take a long time.

Currently, the only web browsers that recognize Russia’s new CA as trustworthy are the Russia-based Yandex browser and Atom products, so Russian users are told to use these instead of Chrome, Firefox, Edge, etc.

Sites that have already received and are currently using these state-supplied certificates include Sberbank, VTB, and the Russian Central Bank.
 

oldschool

Level 67
Verified
Top poster
Well-known
Mar 29, 2018
5,641
However, for new Certificate Authorities (CA) to be trusted by web browsers, they first needed to be vetted by various companies, which can take a long time.
Currently, the only web browsers that recognize Russia’s new CA as trustworthy are the Russia-based Yandex browser and Atom products, so Russian users are told to use these
The Putin noose tightens.
 

ExecutiveOrder

Level 2
Sep 21, 2021
55
Currently, the only web browsers that recognize Russia’s new CA as trustworthy are the Russia-based Yandex browser and Atom products, so Russian users are told to use these instead of Chrome, Firefox, Edge, etc.
I wonder how many (and how long until) AV products with encrypted connection scan features will recognize Putin's brand new CA as trusted and won't be surprised if Kaspersky will be among the first to recognize it.
 

Minimalist

Level 8
Verified
Well-known
Oct 2, 2020
383
I wonder how many (and how long until) AV products with encrypted connection scan features will recognize Putin's brand new CA as trusted and won't be surprised if Kaspersky will be among the first to recognize it.
Even bigger problem is how to persuade browser developers to add it to trusted certificate list. So far only Yandex does it and I doubt that others are eager to do it.
 

rami.abbas

New Member
Mar 11, 2022
0
I doubt that others are eager to do it
Agreed! With the current tension and sanctions among these nations, I doubt that other browser would accept their new certificate.
Plus, Signing authorities based on countries that have imposed sanctions on Russia can no longer accept payments for their services, leaving many sites with no practical means to renew expiring certificates.
 
Last edited:

ExecutiveOrder

Level 2
Sep 21, 2021
55
Russian media has also been circulating a list with 198 domains that reportedly received a notice to use the domestic TLS certificate, but for now, its use hasn’t been made mandatory.
I've checked some domains on the domain list that can actually load, most of them are recently renewed premium from various CA or free (Let's Encrypt) certificates (issued from mid-January to 7th March) and I didn't see anything from Russian Trusted Root CA.
The Central Bank of the Russian Federation (cbr.ru) for example, is using GlobalSign cert issued on 1st March (expires on 2nd April 2023).
Looks like some of them were ready for this.
 
  • Like
Reactions: Venustus