Russia Creates Its Own TLS Certificate Authority to Avoid Sanctions

Russia has created its own trusted TLS Certificate Authority (CA) to restore access to its websites, after sanctions prevented them from renewing their certificates.

Public Services Portal of the Russian Federation

Sanctions by Western companies and governments have prevented Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates.

Signing authorities based in countries that have imposed sanctions on Russia will no longer receive payment for their services, leaving many sites without the means to renew expired certificates.

When a certificate expires, web browsers such as Google Chrome, Safari, Microsoft Edge, and Mozilla Firefox display a full-page warning that the site is insecure, driving many users away from the site.

Therefore, the Russian state envisions a solution in the form of a national certification authority that independently issues and renews TLS certificates.

It replaces foreign security certificates when they are revoked or expire. The Ministry of Digital Development will provide a free domestic analogue. The service will be provided to corporate site owners upon request within 5 working days.

But for a new Certificate Authority (CA) to be trusted by web browsers, it must first be vetted by each browser vendor, which can take a long time.

At present, the only web browsers that recognize the new Russian CA as trustworthy are the Russian-based Yandex browser and Atom products, so Russian users are being told to use these instead of Chrome, Firefox, Edge, etc.

Sites that have already received and are currently using these state-issued certificates include Sberbank, VTB, and the Central Bank of Russia.

Users of other browsers, such as Chrome and Firefox, can continue to use Russian sites that employ state-issued certificates by manually adding the new Russian root certificate.

In this case, however, we are concerned that Russia may misuse the CA root certificate to intercept HTTPS traffic and conduct man-in-the-middle attacks.
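A manually added root is trusted for every site, so defenders need to know which roots a machine trusts beyond its vendor baseline. The script below is an added example, not part of the original article: it compares an exported local root bundle against a baseline bundle by SHA-256 fingerprint. The script name `audit_roots.py`, the two file arguments and the `fake_pem` demo data are assumptions made for illustration.

```python
"""Diff a local root-certificate bundle against a baseline bundle."""
import base64
import hashlib
import pathlib
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def index_bundle(pem_text):
    """Map SHA-256 fingerprint (hex) -> DER bytes for each cert in a bundle."""
    ders = (ssl.PEM_cert_to_DER_cert(b) for b in PEM_BLOCK.findall(pem_text))
    return {hashlib.sha256(der).hexdigest(): der for der in ders}


def extra_roots(local, baseline):
    """Entries trusted locally that the baseline bundle does not contain."""
    return {fp: local[fp] for fp in sorted(local.keys() - baseline.keys())}


def subject_of(der):
    """Subject as parsed by the ssl module, or None if it cannot be read."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cadata=der)
        certs = ctx.get_ca_certs()
    except (ssl.SSLError, ValueError):
        return None  # not a parseable certificate (true of the demo data)
    return certs[0]["subject"] if certs else None


def fake_pem(payload):
    """Constructed stand-in for a PEM certificate; NOT a real X.509 cert."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit_roots.py local.pem baseline.pem
        local, baseline = (pathlib.Path(p).read_text("utf-8") for p in sys.argv[1:])
    else:  # constructed demo: one root exists only in the local bundle
        baseline = fake_pem(b"vendor-root-A") + fake_pem(b"vendor-root-B")
        local = baseline + fake_pem(b"manually-added-root")
    for fp, der in extra_roots(index_bundle(local), index_bundle(baseline)).items():
        print("not in baseline:", fp, subject_of(der))
```

Firefox keeps its own certificate store separate from the operating system's, so its roots have to be exported and compared separately.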