Russia to create its own security certificate authority, alarming experts
Crippling sanctions from Western governments and companies have plagued Russia since it invaded Ukraine, leading in part to website access difficulties that have prevented renewal of Transport Layer Security (TLS) security certificates.
Browsers block sites with expired certificates. The Russians have responded to this turn of events by asserting this week that they will create their own domestic certificate authority.
Security experts are alarmed by the development because Russian government control over security certificates — which one technologist described as a “master key” to all online content in Russia — could dramatically enhance the Vladimir Putin regime’s ability to censor and manipulate online content. TLS security certificates are a fundamental internet security protocol used to secure web browsing, email, instant messaging and much more.
The Russian government posted an online message to its public services portal this week warning of its plans. The portal, known as Gosuslug, provides citizens and migrants with digital state and municipal services.
“On the portal Gosuslug there was an opportunity to obtain an electronic security certificate,” the Russian public services portal said of the TLS initiative, according to a Google translation. “It is clarified that they can replace the foreign security certificate for the site if it is revoked or expires. With the help of Gosuslug, the Ministry of Digital Development of the Russian Federation provides a completely free domestic TLS certificate.”
The Internet Society’s Joseph Lorenzo Hall said in an interview Friday that Russia taking over the so-called “root key” controlling all security certificate renewals in the country creates huge risks for the Russian people.
“In the past we’ve seen evidence of governments using something like this to be able to do mass surveillance,” sad Hall, a distinguished technologist at the international organization focused on Internet standards and policy. “What they’re basically saying is everyone needs to rekey their locks to be able to use the Russian master key, which allows them not only to eavesdrop on what you’re doing online, but to inject information … disinformation, or, more importantly, malicious things that might attack their enemies.”
Hall said he worries Russia will use their control over the root key to hack devices as a “beachhead” for further denial of service attacks, for example. Once Russia takes control of the security certificates, he said, all citizens will be vulnerable to surveillance and disinformation.
Russia has already been aggressive about curtailing web access. It has censored Western news sources and even Facebook, which it blocked access to last Friday after the platform placed restrictions on Russian state-owned media.
It is highly unusual for a country to take over the “root key” as Russia is planning to do, Hall said. He said the fact that Russians will be forced to install a device on their phones and computers in order to access the web at all is part of what makes the Russian effort so significant.
“If you can’t do certain things to live without installing the certificate, then you have no choice but to submit yourself to this kind of potential surveillance and interference from the government,” Hall said.
Sherrod DeGrippo, vice president of threat research at Proofpoint, expressed this sentiment in a tweet sent Thursday. “There are a few things you just don’t do,” she wrote. “You don’t roll your own encryption. You don’t try to make your own in house splunk. And you don’t create your own cert authority.”
DeGrippo said Russia’s taking over control for security systems will be a bonanza for the country’s spy agencies.
“The more sites and software apps that allow the Russian government certificate authority to be trusted, the more info and sensitive comms the Russian intel agencies can potentially intercept,” she said via email Friday.
The concern with Russia controlling security certificates is that the government can use that control as a cloak for “nefarious” behavior, said Allan Liska, a threat analyst at Recorded Future, a threat analysis firm.
“If you control the certificate authority, you could use that to launch man-in-the-middle attacks against people going to sites that maybe you don’t like,” Liska said in an interview Friday.
He said the Russian government also will now have much greater power to circulate disinformation inside Russia and to spy on dissidents.
“Ordinarily, you can’t spy on somebody because … I can see the sites they are going to, but I can’t see the traffic, I can’t see the actual content,” Liska said. “Now, with them controlling the certificate authority, there is a better chance that they can actually intercept the traffic and see what’s going on there, in addition to being able to redirect and launch man-in-the-middle attacks.”