Russia Force-Feeds new, ‘Trusted’ CA—Yeah, RIGHT

Websites in Russia can’t renew their TLS/HTTPS certs. That’s because Western sanctions prevent them from paying the trusted certificate issuers.

Moscow’s solution is to create a new certificate authority and issue its own certificates. Then they need to “persuade” web users to install the CA’s root cert in their browsers. Or simply switch to a Russian browser, such as Yandex’s Chrome clone, Яндекс.Браузер.

But the man-in-the-middle threat should be obvious. In today’s SB Blogwatch, we walk away.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: How all YouTube ads sound.

.RU CA MITMs You

What’s the craic? Bill Toulas reports—“Russia creates its own TLS certificate authority to bypass sanctions”:

Man-in-the-middle attacks
The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates. … After a certificate expires, web browsers … will display full-page warnings that the pages are insecure, which can drive many users away from the site.

However, for new Certificate Authorities (CA) to be trusted by web browsers, they first needed to be vetted. … Currently, the only web browsers that recognize Russia’s new CA as trustworthy are the Russia-based Yandex browser and Atom products. … As Russia is not currently enjoying any level of trust, it is unlikely for the major browser vendors to add them.

Users of other browsers like Chrome or Firefox can manually add the new Russian root certificate. … However, this raises the concern that Russia could abuse their CA root certificate to perform … interception and man-in-the-middle attacks.

So Simon Sharwood says, “Moscow to issue HTTPS certs to Russian websites”:

It’s rather easy for Kremlin spies
A notice on the government’s unified public service portal states that the certificates will be made available to Russian websites unable to renew or obtain security certificates [because] of Western sanctions. … Delivery of the certificates is promised within five days of requests.

[But I] cannot imagine any of the mainstream browser devs will rush to make these Russian certs work in their applications. … It’s rather easy for Kremlin spies to intercept, decrypt, and snoop on connections encrypted using certificates issued by the government. The more websites using Moscow-issued certs, the more connections Putin’s agents can quietly monitor.

What’s the problem? Seems completely innocent to Nextgrid:

They could simply be preparing for Let’s Encrypt or the other for-profit CAs deplatforming them.

But squiggleslash doesn’t trust it:

That’s not what’s happening here
It’s not a solution looking for a problem, it’s just the problem isn’t what the Russian government says it is. This is really about Russia breaking HTTPS.

That said, with the best will in the world, I can’t see a country that’s about to see itself being completely isolated from the rest of humanity ignoring a possible future in which it cannot get certificates. It’s just—that’s not what’s happening here.

And VILEATORVA agrees:

Seems like they could have just switched to Let’s Encrypt certs, instead of trying to pay for foreign certs. Definitely seems like a move to bolster TLS interception capability.

ELI5? jessechahal explains like I’m five:

They can create a secure/encrypted connection
A certificate authority is someone/group that can create certificates for … websites. Anyone can create a certificate authority in 10 seconds. … For instance, it is common for corporations to create their own certificate authority and create certificates for their local intranet corp sites. The problem is that browsers need to trust this certificate authority.

Certs do two things: Create an encrypted connection, and prove that the website has paid/bribed a CA for a cert. Since Russian sites cannot bribe/pay western companies for a cert and because they are cutting themselves off from the internet they (probably) will not be able to access free certs from Let’s Encrypt.

With a cert, a browser can create an encrypted connection between itself and the website. If a person tries to listen in the middle they just get “gibberish” because it’s encrypted. [But] if the Russian government is acting as the CA … they have access. … They could theoretically change the contents the website sends to the browser because they can create a secure/encrypted connection.
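To make the point concrete, here is an added Go example that is not part of the article or of any of the posts it quotes: it builds two constructed roots (a "Public Root CA" standing in for a browser-shipped root and a "State Root CA" standing in for the manually installed one), shows that a certificate the second root signs for bank.example is rejected until that root is added to the trust store and accepted afterwards, and shows that a client pinning the site's real root still rejects it. All names, keys and certificates are generated in the program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a constructed certificate for cn signed by parent; with parent nil it is a self-signed root.
func newCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, DNSNames: []string{cn}} // DNSNames is what a browser matches against the URL host
	if parent == nil {
		parent, pkey = t, key // self-signed: the root vouches for itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// trustedRoot mimics browser path validation: the root in store that leaf chains to for host, or nil if rejected.
func trustedRoot(leaf *x509.Certificate, host string, store *x509.CertPool) *x509.Certificate {
	if chains, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host}); err == nil {
		return chains[0][len(chains[0])-1]
	}
	return nil
}
// spkiPin is the SHA-256 of a cert's SubjectPublicKeyInfo, the value a pinning client compares.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// Demo: is the forged cert accepted (a) before and (b) after the state root is installed, (c) after install when the site is pinned to the public root, and (d) does the genuine cert still pass that pin?
func Demo() (a, b, c, d bool) {
	pubRoot, pubKey := newCert("Public Root CA", true, nil, nil) // constructed stand-in for a browser-shipped root
	govRoot, govKey := newCert("State Root CA", true, nil, nil)  // constructed stand-in for a manually installed root
	genuine, _ := newCert("bank.example", false, pubRoot, pubKey)
	forged, _ := newCert("bank.example", false, govRoot, govKey) // a trusted CA needs no permission to sign any name
	store := x509.NewCertPool()
	store.AddCert(pubRoot)
	a = trustedRoot(forged, "bank.example", store) != nil
	store.AddCert(govRoot) // the user follows the instructions and installs the new root
	r := trustedRoot(forged, "bank.example", store)
	b, c = r != nil, r != nil && spkiPin(r) == spkiPin(pubRoot)
	g := trustedRoot(genuine, "bank.example", store)
	d = g != nil && spkiPin(g) == spkiPin(pubRoot)
	return
}
```

Demo() returns (false, true, false, true): the forged chain is refused until the root is installed, accepted afterwards, and refused again by a client that pins the real root, which still accepts the genuine certificate.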

But whatabout the U.S.? Trust systemd-anonymousd to allege an allegation:

As opposed to the US government and Five Eyes, which dEfInItElY dOn’T have copies of root certs with gag orders attached, trust me.

Meanwhile, Daniel Cuthbert sets the Wayback machine to Stun:

Red Star OS springs to mind. … This is turning into a truly miserable time for ordinary people in Russia. [They] are effectively back to North Korean intranet.

And Finally:

Don’t you want a spatchcock letterbox custard bucket?

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Eduardo Casajús Gorostiaga (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
