Russia Implements Domestic Root TLS Certificate: What It Means

Russia Introduces Its Own Root TLS Certificate

Users of the Russian Federation’s government services portal (gosuslugi.ru) have received notifications announcing a state certificate authority (CA) with its own root TLS certificate. This root is not included in the trust stores of operating systems or major browsers, so sites that present certificates chaining to it will fail validation in those browsers until the root is installed by hand. The announcement was prepared by the Russian Ministry of Digital Development.

“Certificates are issued on a voluntary basis to legal entities and are intended for use in situations where TLS certificates are revoked or no longer renewed due to sanctions. For example, certification authorities under U.S. jurisdiction, such as DigiCert, have stopped providing certificates for websites of organizations on the sanctions list,” notes OpenNET.

Currently, the state root certificate is bundled only in Yandex Browser and Atom. For sites that use certificates from the state CA to be trusted in other browsers, users must add the root manually, either to the operating system’s store (which Chrome, Edge and Safari consult) or to the browser’s own store (Firefox keeps a separate one). Note that a root installed this way is trusted for every site, not just the ones it was installed for: whoever holds its key can then issue a certificate for any domain that the user’s browser will accept.
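Before installing an extra root, the practical question is which root a given site’s certificate actually chains to and whether the local store already trusts it. The following shell script is an added example, not code from the article or from any of the organisations it mentions; it assumes the openssl CLI (1.1.1 or later) with its default configuration, and every certificate in it is generated locally as constructed test data standing in for a state root and a site certificate it issued.

```shell
#!/bin/sh
# Added example: report which issuer a certificate names and whether it is
# trusted by the default store alone, only with an extra root added, or not at all.
# Assumes the openssl CLI; the demo CA and site certificate are constructed locally.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_demo_chain DIR: a private root CA plus one site certificate it signed
# (constructed stand-ins for a state root and a bank subdomain certificate).
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo State Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=online.bank.example" \
        -keyout "$1/site.key" -out "$1/site.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$1/site.csr" \
        -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
        -out "$1/site.pem" 2>/dev/null
}

# issuer_of CERT: the issuer DN, i.e. the CA the site claims signed its certificate.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# trusted_by_store CERT [EXTRA_ROOT]: exit 0 if CERT verifies against the default
# store (plus EXTRA_ROOT when given), non-zero otherwise. Against a live server you
# would also pass the intermediates it sends via -untrusted.
trusted_by_store() {
    if [ $# -ge 2 ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# trust_status CERT EXTRA_ROOT prints one word:
#   system     - the default store already trusts the chain
#   extra-only - trusted only once EXTRA_ROOT is installed by hand
#   untrusted  - neither accepts it
trust_status() {
    if trusted_by_store "$1"; then
        echo system
    elif trusted_by_store "$1" "$2"; then
        echo extra-only
    else
        echo untrusted
    fi
}

make_demo_chain "$WORK"
printf 'issuer: %s\n' "$(issuer_of "$WORK/site.pem")"
printf 'status: %s\n' "$(trust_status "$WORK/site.pem" "$WORK/root.pem")"
```

For a real site, replace the constructed site.pem with the chain captured via `openssl s_client -connect host:443 -showcerts`; a result of `extra-only` is exactly the situation the article describes, where the connection only validates after the user has imported the state root.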

Who Is Using the New Certificates?

Among the sites that have already received state TLS certificates are several banks (Sber, VTB, the Central Bank) and organizations and projects affiliated with government agencies. At the time of writing, however, the main websites of Sber and VTB still use certificates from publicly trusted CAs that all browsers accept; only some subdomains (for example, online-alpha.vtb.ru) have switched to the new certificate.

Potential Risks and International Response

If use of the new CA is forced on users, or if abuses such as MITM (man-in-the-middle) interception are detected, the vendors of Firefox, Chrome, Edge and Safari will likely blocklist the root (Firefox through OneCRL, Chrome through CRLSets), so that chains ending in it are rejected even on machines where a user has installed it. This already happened in 2019 with the root that Kazakhstan introduced for intercepting HTTPS traffic.

Expert Opinions

Ivan Begtin, CEO of the InfoCulture NGO and head of the Association of Data Market Participants, notes that the possibility of sanctions affecting the certificates of Russian government domains (such as those under .gov.ru) has been discussed for some time. He raises the question of why Russia has not established a certificate authority included in the trust stores of operating systems such as macOS, Windows, Android and iOS:

“First and foremost, such a certificate would allow security agencies to intercept traffic by performing man-in-the-middle attacks on HTTPS connections. If mass revocation of certificates for government domains begins, Russia may try to distribute such a root certificate with recommendations for users to install it. But users who know it can be used to intercept traffic may be strongly opposed to installing it. Personally, I would definitely try to avoid it.”

Mikhail Klimaryov, Executive Director of the Internet Protection Society (OZI), explains:

“The entire certificate infrastructure is built on trust. We have to trust the certificate issuer not to forge anything, that there will be no leaks from the CA, and that no one can duplicate the server key and read all messages. Now let’s calmly think: do we trust this very Gosuslugi CA?”

Klimaryov recalls that the Gosuslugi website was previously the source of leaks of personal data belonging to participants in the Free Navalny project, and that there were questionable actions involving QR codes. For these reasons, he personally would not trust such a CA:

“And at the same time — those browsers that support this CA. They simply don’t care about user security. So we shouldn’t care about those browsers. And in the international community, there are already proposals to label the certificate as ‘dangerous’.”

He concludes: “Let me remind you, the community’s reaction to similar nonsense from Kazakhstan led to the shutdown of the ‘Kazakh-in-the-middle’ operation.”
