Russia Creates Its Own TLS Certificate Authority To Bypass Sanctions

Russia has created its own trusted TLS certificate authority (CA) to solve website access problems that have been piling up after sanctions prevent certificate renewals. From a report: The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates. [...] The Russian state has envisioned a solution in a domestic certificate authority for the independent issuing and renewal of TLS certificates. "It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue.

The service is provided to legal entities -- site owners upon request within 5 working days," explains the Russian public services portal, Gosuslugi (translated). However, for new Certificate Authorities (CA) to be trusted by web browsers, they first needed to be vetted by various companies, which can take a long time. Currently, the only web browsers that recognize Russia's new CA as trustworthy are the Russia-based Yandex browser and Atom products, so Russian users are told to use these instead of Chrome, Firefox, Edge, etc.

Doesn't matter.

[MachineShedFred]

And until they also produce their own operating system which trusts that CA that gets deployed onto every single device in Russia, as well as their own browser that trusts that CA, they'll still get certificate errors out the ass. Oh, and every web site and TLS connection will need a signed certificate from this CA to present, which isn't going to happen any time soon.

Anyone can run their own CA - there's open source implementations everywhere and has been for a couple decades. It's trusting the root and

Re:

[S_Stout]

Basically nothing will be secure and the Russian government will see everything.

Re:

[Catvid-22]

Some sneaker net might fix this. Distribute thumb drives containing the new certificates, along with software like Tor. The main problem then would be trusting the messenger.

Re: Doesn't matter.

[saloomy]

No. That is not how CAs work. Having the root certificate does not grant you access to decrypt anything encrypted with dependent certs. The best a controller of the root cert can do is issue false certificates, but that is the fastest way to get the offending root out of cert stores that ship with browsers and operating systems.

Re:

[omnichad]

Yeah. They will issue false certs to sniff traffic. Browsers and operating systems that aren't under Russia's control won't trust the CA anyway.

Re:

[Catvid-22]

Oops. I totally misread the problem. I was thinking of self-signed certificates, a solution to an altogether different problem.

Sneaker nets aren't cheap

[rsilvergun]

and neither is the downtime due to latency.

Re:

[systemd-anonymousd]

As opposed to the US government and Five Eyes, which definitely don't have copies of root certs with gag orders attached, trust me.

Re:

[omnichad]

Basically nothing will be secure and the Russian government will see everything.

CAs sign the public key, not the private key. This doesn't give them the ability to decrypt anything. Just proves that the public-facing server has the correct keys that match the CA registration. That said, they could issue certificates for themselves to perform MITM and they would look identical except that the public key wouldn't match what your server is using.

Re:

[FuegoFuerte]

...which I think is precisely what the OP meant by saying "the Russian government will see everything." If they want to perform a MITM attach, and control the root CA, they can generate fake certs for themselves any time they want and MITM pretty much anything they want.

Most likely they won't care about things like banking, as they already own the banks or have direct access to their data. They'll be interested in things like social media (if they don't already have a backdoor there), etc.

Re:

[arglebargle_xiv]

In Putinist Russia, state pwn you!

Re:

[TomGreenhaw]

Not a problem if all mainstream browsers don't trust this CA.

Re: Rather, it does.

[saloomy]

They should by default trust no CA, and the user should be the one to initiate a root of trust by trusting the roots they see as trustworthy, and installing those certs into a cert store.

Re:

[jonbryce]

Not actually a good idea, because most people will be conditioned to install any root certificate they are told to install.

Re:

[edis]

User does have control over certificates kept, whether they are prepopulated, or not.

Re:

[tgeek]

Seriously??? How is the average person going to make even a minimally informed decision about which CAs to trust??? From a facebook post or youtube video? LMFAO

Re:

[Cowardly Lurker]

You can trust mine, it has 4096 bit government grade encryption keys!!!

openssl req -x509 -new -nodes -sha256 -newkey rsa:4096 -keyout RootCA.key -days 9999 -out RootCA.pem -subj "/C=CA/ST=Trustmemkay Oblast/O=Ruscomcertzor/L=Legitnesstan/CN=OboyImaCA Root Certski Z69"

Now.. who want's a signed cert? (paste your CSR below)

Re:

[MachineShedFred]

Yeah, because my boomer mother is going to want to figure out how to know what CAs to trust, and which not to. Corporations don't even bother with that shit, and you want a few billion people to, on their computer / phone / every IoT device in their home?

That's a really dumb plan.

Is Russia cut off from Lets Encrypt?

[kunwon1]

Seems like a solution looking for a problem if not

Re:

[Kernel Kurtz]

Is Russia cut off from Lets Encrypt?

Not yet, but they should be.

Re: Is Russia cut off from Lets Encrypt?

[saloomy]

No, they should not. The government domains? Sure. But we do not need a fragmented web. No thank you. What the government is doing in Ukraine is atrocious and people should be on trial for war crimes. Quite frankly I wouldnt be opposed to giving the Ukrainians a few B83 nuclear bombs and a few B2 spirit bombers and telling Putin your move. But we do not need to cut the entire country of Russias businesses and populace off. This will just end up with a segregated network ; which the internet was supposed to

Re:

[dynamo]

At the very least every country bordering Russia and Ukraine should be given (not loaned) a few of those, under their direct and exclusive control, and a continuous feed of the most up-to-date intelligence on where Russia's leadership is physically. What you are suggesting should have been done the moment Russia started putting troops on the border near Ukraine.

Re: Is Russia cut off from Lets Encrypt?

[alexgieg]

Technically, that's what being a NATO country gives you. Not directly, but being one means you'll have the option for the US installing bases on your country, plus coverage from US submarines.

This is what Putin alleges as the main reason for his invasion of Ukraine, to prevent it from becoming a NATO country and thus get precisely those things. Not that this is true, mind, its evident he want a Russian Empire and is using this as a mere useful justification. Still, it's something he can point his finger at,

Comment removed

[account_deleted]

Comment removed based on user account deletion

Yeah I have my own CA too

[pak9rabid]

With blackjack & hookers! Too bad nobody else recognizes it as a trusted CA though :(

Good for Them!

[oldgraybeard]

So if no one trusts it, does it matter?

Re:

[NateFromMich]

So if no one trusts it, does it matter?

Have you ever trusted anything on the internet from Russia?

Nice for the Governement!

[olddoc]

It moves people to the Yandex browser and their CA. I'm sure the Russian people will have a safe, secure and open internet experience with no interference or spying!

In Russia

[mugnyte]

the CA authorizes you, not the site

This is playing in to the CCP's hands.

[waspleg]

They would like another hermit kingdom to be the gatekeeper of. Maybe Putin won't live long enough to see that happen though.

Kremlin-in-the-Middle Attack

[crow]

If the Russian government controls a trusted root certificate, then they can snoop on all the https traffic in the country. They can issue their own certificates for Twitter, Facebook, Google, and such, and then intercept all connections, decrypting them in the middle. So private messages will all be visible to the government.

Re:

[tlhIngan]

If the Russian government controls a trusted root certificate, then they can snoop on all the https traffic in the country. They can issue their own certificates for Twitter, Facebook, Google, and such, and then intercept all connections, decrypting them in the middle. So private messages will all be visible to the government.

Only if you're using something that trusts that CA. If you use a mainstream browser like Firefox, Edge, Chrome, or many others, they won't trust the Russian CA and visiting those sites

Re:

[Z00L00K]

You can install additional trusted CAs to existing browsers, that's normal within corporations today.

Even some anti-virus solutions do this.

So no need to hack the browser.

A More Interesting Question

[tgeek]

A Russian state created CA merits the implied facepalm https://i.kym-cdn.com/photos/i... [kym-cdn.com]

What be more interesting is the non .RU domain names that expire while the owner cannot renew them due to sanctions How soon do those become available to purchase by 3rd parties after expiration?

Re:

[Gravis Zero]

How soon do those become available to purchase by 3rd parties after expiration?

That's entirely up to the domain registrar. It's likely they will snatch up the valuable ones themselves and auction them off while letting anyone grab the others.

Let me guess

[backslashdot]

You get your private key from them too, and they will of course store a copy of it for "safekeeping." What a convenient service.

Transport Layer "Security"

[devslash0]

Ah, what a perfect opportunity to backdoor all Russian web traffic. Russian security agencies must be celebrating right now.

Re:

[narcc]

If you have their root certificate setup on your computer, they can easily produce fake certificates for any website, and thus successfully perform a MITM attack. This is likely what devslash0 is talking about. Well, I hope so, anyway.

Name constrained CA

[octagon]

I use name constrained CAs all the time when trusting third party corporate CAs.

All we need to do is recognize that Russia owns .ru and .su. Then cross-sign the Russian CA.

Why is everyone keep on thinking going down the path of a unconstrained CA? Here is a sample policy .inf file one could use. The downfall is not every implementation supports constrained CAs, but it is pretty widely support nevertheless and this would definitely spur on a more wide acceptance of this practice.

Here is a sample policy.in

Re:

[Z00L00K]

And what if the .com domain owner is hacked?

The PKI structure is definitely flawed because it assumes that the CA can't be penetrated.

Re:

[octagon]

You don't like the idea of a constrained CA because I posted a policy that didn't do in depth documentation? Agreed the documentation for the policy.inf file that you can apply to a cert doesn't exist. But the policy does work. Sorry but I'm not going to post a massive tutorial on the nuances of cross signing CAs which is a fairly common practice on slashdot.

Instead you have suggested an alternative idea (which isn't a bad idea either). However what you have suggested does not exist in any technical man

Well, leadership really makes the difference

[burni2]

Russia ..

- vast country
- deep rooted rich cultural history (watch the side-by-side picture of King George and Zar Nikolaus II)
- rich in resources ranging from energy(gas, oil, coal, uranium) to Titan(see boeing), Gold, mineral fertilizer
- rich in natural resources - along with Ukraine (see the wheat price rally)
- well educated people / really good at math
- well educated engineers / yes their weapons systems (the demonstrators and export-version) are very good
- USA use(d) russian rocket motors!
- USA relied on russian rockets to man the ISS

Russia could be self-susstaining and at the same time rivalling China instead of being demoted from junior partner to junior-junior partner and on the brink of bankrupcy.

But in the end a moron in charge can turn gold into shit to ruin everything.

Re:

[MeNeXT]

Don't congratulate ourselves too quickly. A moron was in charge in the US and almost trashed the constitution and the democracy. The fight is still going on and there is a chance he will be back in the next election. The tactics that you see in Russian are evident all over the world especially in the US. I don't see any reason to be smug on the situation.

Re:

[DVLNSD]

Russia ..

- vast country - deep rooted rich cultural history (watch the side-by-side picture of King George and Zar Nikolaus II) - rich in resources ranging from energy(gas, oil, coal, uranium) to Titan(see boeing), Gold, mineral fertilizer - rich in natural resources - along with Ukraine (see the wheat price rally) - well educated people / really good at math - well educated engineers / yes their weapons systems (the demonstrators and export-version) are very good - USA use(d) russian rocket motors! - USA relied on russian rockets to man the ISS

Russia could be self-susstaining and at the same time rivalling China instead of being demoted from junior partner to junior-junior partner and on the brink of bankrupcy.

But in the end a moron in charge can turn gold into shit to ruin everything.

- deep rooted rich cultural history - not anymore. Times of Nikolaj were pretty much the peak. It's all very fast downhill from there. Yet they cling to those times every time you talk about culture or heritage ignoring everything that happened afterwards.

- well educated people / really good at math - just a few and they already live outside russia.

- USA relied on russian rockets to man the ISS - yes, because russia started it and kept their monopoly. Now it's gone and life goes on. Should be pretty awkward

sounds like men-in-the-middle attach

[kiviQr]

Who would trust that cert? IMHO it should be blocked by all browsers.

Re:

[whoever57]

Who would trust that cert? IMHO it should be blocked by all browsers.

The same people who believe the Russian state media about what is going on in Ukraine.

The same people who use the Yandex browser.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

DNSSEC DANE TLSA

[bustinbrains]

Multiple implementations should have been done in all major browsers and OSes 9 years ago - mere months after the IETF published RFC7671. We shouldn't even have root certificate stores today. Public CAs, including Let's Encrypt, should be ancient history.

Makes Piracy easier.

[Goatbot]

This just makes life easier for them to impersonate anything and anyone. If you also control the network and the dns servers then this is simple Simon stuff.