Russian Security Certificates Raise New Surveillance Concerns, Experts Warn


The Russian Ministry of Digital Development has announced that instructions for installing Russian security certificates on user devices are now available on the government services website. According to the ministry, “These certificates will ensure website accessibility in any browser for users of all operating systems.” The certificates are also available to legal entities—website owners—and using a Russian TLS certificate guarantees access to resources in “Yandex Browser” and the “Atom” browser.

The authorities explain the need for these certificates as follows: “In March, foreign companies began revoking security certificates from Russian websites. When users tried to access these sites, they saw warnings about the resource being unsafe. Switching to Russian TLS certificates will ensure independence from foreign certification authorities and guarantee users secure access to all resources.”

However, the experts interviewed for this article warn of serious risks for users who choose to install these certificates in their browsers.

Expert Opinions: Security Risks and MITM Attacks

Blogger and IT specialist Ilya Vaitsman explains that government resources will simply be switched to domestic certificates “by government order—that’s all.”

“The problem is that the Ministry’s certification authority (CA) is not recognized by any modern browser,” he says. “So, to work with government services, Sberbank, or mos.ru, you’ll either have to use Yandex Browser or Atom, which recognize the Ministry’s CA, or import the root certificate into your system. After that, it’s a matter of trust in the Ministry and all subordinate levels.”

But users who decide to install such certificates expose themselves to significant risks:

“In theory, having access to the certificates allows for a MITM (Man-in-the-Middle) attack on traffic, which would be hard for the user to detect. Something similar—a forced installation of a government certificate—was attempted in Kazakhstan a few years ago to read all traffic. As I recall, Google and Mozilla simply blocked the Kazakh certificate in their browsers.”

Vaitsman also warns, “An additional ‘bonus’—the Russian internet with these certificates will become inaccessible to foreign users, except for those who go out of their way to address this.”

Why Are Users Being Asked to Install Government Certificates?

When asked why users are being encouraged to install government certificates, Mikhail Klimaryov, executive director of the Internet Protection Society (OZI), said that the first question to ask is simply “why?”

“Because all certification authorities refused to work with Russian government organizations under sanctions, including Sberbank,” he explains. “Everything is tied to a large international infrastructure, and there are only a handful of CAs that issue certificates. All of them refused to work with our government agencies. Sending unencrypted banking or other important information is very dangerous, as it can be intercepted, so the decision was made to create our own signed certificates.”

“Information transmitted during banking operations, government services, etc., is encrypted with keys using very complex algorithms,” Klimaryov continues. “Simply put: there’s a CA that issues a certificate, and when your browser tries to connect to a resource protected by this certificate, the browser gets a public key, then checks with the CA to verify that the key belongs to the domain you’re connecting to. Without this, information wouldn’t be encrypted and could be intercepted by any hacker, who could, for example, steal your Sberbank password or forge it.”

Since the CAs refused to work with Russia and the authorities never managed to establish a CA that browsers recognize, the Ministry of Digital Development came up with its own mechanism. But, as Klimaryov notes, none of the widely used browsers recognize this CA, so the authorities have to make users install the certificate themselves. The only browsers developed in Russia, Yandex Browser and Atom, already support it.

Recommendations: Avoid Installing Government Certificates

Klimaryov states that OZI strongly advises against installing the government certificate in any other browsers:

“This is similar to what was attempted in Kazakhstan. If you have such a root certificate, you could potentially conduct a MITM attack. So we recommend not installing this certificate in your work browsers.”

“If you really need to use Sberbank or government services, it’s better to use a clean Yandex Browser. But, of course, it shouldn’t be used for anything else. In principle, it shouldn’t be used at all. It’s not secure,” the OZI executive director adds.
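The practical question behind both Klimaryov's explanation of how certificate checking works and OZI's advice above is which root certificates a given browser or operating system actually trusts. The script below is an added example, not code from the article, from OZI or from any browser vendor: using only the Python standard library, it reads a PEM trust bundle, pulls the issuer and subject out of each certificate with a minimal DER reader, and flags self-signed roots whose Common Name matches a watch list. The certificates it audits are constructed inside the script with placeholder keys, signatures and names; `PLACEHOLDER Government Root CA` and `gosuslugi.example` are invented for the demonstration and are not the real subject of the Ministry's certificate. The function names (`audit_bundle`, `issuer_and_subject`) and the watch patterns are this example's own choices.

```python
"""Audit a PEM trust bundle for self-signed roots whose subject matches a watch list (constructed example, stdlib only)."""
import base64
import re

OID_CN = b"\x55\x04\x03"                                   # 2.5.4.3 commonName
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # fills the algorithm fields only
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# ---- tiny DER encoder, used only to construct the sample certificates ----
def der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:                                     # long-form length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { OID, UTF8String }
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))

def fake_cert(subject_cn, issuer_cn):
    """Structurally valid X.509 v3 Certificate; key and signature bytes are zero placeholders."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA))
    dummy_bits = der(0x03, b"\x00" * 33)                  # BIT STRING, 0 unused bits
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))         # [0] EXPLICIT version v3
              + der(0x02, b"\x01") + alg                  # serialNumber, signature alg
              + name(issuer_cn)
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
              + name(subject_cn)
              + der(0x30, alg + dummy_bits))              # subjectPublicKeyInfo placeholder
    return der(0x30, tbs + alg + dummy_bits)              # signatureValue placeholder

def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# ---- tiny DER reader, just enough to reach issuer and subject ----
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length

def children(buf, start, end):
    # Yield (tag, value_start, value_end) for each element of a constructed value.
    pos = start
    while pos < end:
        tlv = read_tlv(buf, pos)
        yield tlv
        pos = tlv[2]

def common_name(buf, start, end):
    """First commonName attribute inside a DER Name, or '' if there is none."""
    for _, rdn_s, rdn_e in children(buf, start, end):
        for _, atv_s, atv_e in children(buf, rdn_s, rdn_e):
            oid, value = list(children(buf, atv_s, atv_e))[:2]
            if buf[oid[1]:oid[2]] == OID_CN:
                return buf[value[1]:value[2]].decode("utf-8", "replace")
    return ""

def issuer_and_subject(cert_der):
    _, cert_s, _ = read_tlv(cert_der, 0)                  # Certificate SEQUENCE
    _, tbs_s, tbs_e = read_tlv(cert_der, cert_s)          # tbsCertificate SEQUENCE
    fields = list(children(cert_der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                              # skip optional [0] version
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, spki, ...
    return common_name(cert_der, *fields[2][1:]), common_name(cert_der, *fields[4][1:])

def audit_bundle(pem_text, watch_patterns):
    """[(subject_cn, issuer_cn, flagged)] per certificate; flagged marks a self-signed
    root (issuer == subject) whose subject matches any watch pattern (case-insensitive)."""
    report = []
    for m in PEM_RE.finditer(pem_text):
        issuer, subject = issuer_and_subject(base64.b64decode("".join(m.group(1).split())))
        flagged = issuer == subject and any(re.search(p, subject, re.I) for p in watch_patterns)
        report.append((subject, issuer, flagged))
    return report

# Constructed sample input: two roots and one leaf; names are placeholders, not real subjects.
SAMPLE_BUNDLE = (
    to_pem(fake_cert("Constructed Example Root", "Constructed Example Root"))
    + to_pem(fake_cert("PLACEHOLDER Government Root CA", "PLACEHOLDER Government Root CA"))
    + to_pem(fake_cert("gosuslugi.example", "PLACEHOLDER Government Root CA"))
)
WATCH_PATTERNS = [r"government root", r"placeholder"]

if __name__ == "__main__":
    for subject, issuer, flagged in audit_bundle(SAMPLE_BUNDLE, WATCH_PATTERNS):
        print("FLAG" if flagged else "ok  ", repr(subject), "issued by", repr(issuer))
```

To use it on a real machine, replace `SAMPLE_BUNDLE` with the contents of the bundle the browser in question consults and put the Common Name of the root you are looking for into `WATCH_PATTERNS`. Browsers differ in which store they read: Firefox ships its own root store, while most other browsers defer to the operating system's, so a root added to one store is not necessarily trusted by the other. A flagged root only shows that the trust relationship exists; it does not mean traffic has been intercepted, which is exactly the "in theory" risk the experts describe.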

Ilya Vaitsman also notes, “If they add ‘GOST cryptography’ to this, it will make things even more complicated for browsers. For now, it seems they haven’t. On various tender platforms, it’s already being used, so you have to use either Yandex or a Chromium-GOST mutant (which is a bit safer, in my opinion).”

Potential Risks for Government and Banking Apps

When asked about the risks for government and Sberbank apps, and whether this could lead to new data leaks, Vaitsman responds:

“What data is there to leak? They only work with their own bank, and banks already leak data constantly. However, if they manage to intercept sessions, it could be unpleasant—the only hope is for transaction confirmation via SMS codes. But that’s not always used.”

He adds, “Reports say the Sberbank app (at least) uses classic SSL/TLS. If so, it’s not clear the app will work without installing the Ministry’s root certificate on your phone. This could make your phone completely insecure. Ideally, you’d need a separate phone for mobile banking, and not use it for anything sensitive—not even messaging.”

“Maybe everything is already set up inside the app and just needs an update, but that’s not certain. We’ll know by September 29,” he suggests.

As an alternative, he proposes using a VPN with customizable filtering: “Like Psiphon (which works after updating to v.359). Let banking apps connect directly, and route everything else through the VPN. Let them try to catch a galloping horse,” Vaitsman concludes.
