As a result of restrictions preventing certificate renewals, Russia has established its own trustworthy TLS certificate authority (CA) to address growing website access issues.

Due to the restrictions put in place by western businesses and governments, Russian websites are unable to renew their TLS certificates, which results in browsers blocking access to sites with expired certificates.

TLS certificates assist the web browser in verifying that a domain is associated with a recognised organisation and that information being transmitted between the user and the server is encrypted.

The inability of signing authority situated in nations that have placed sanctions on Russia to accept fees for their services prevents numerous websites from being able to renew their expired certificates.

Web browsers including Google Chrome, Safari, Microsoft Edge, and Mozilla Firefox may display full-page warnings that the sites are vulnerable once a certificate expires, which may cause many people to leave the website.

A national authority

For the autonomous issuance and renewal of TLS certificates, the Russian government has envisioned a local certificate authority as a potential option.

If the foreign security certificate is revoked or expires, it will be replaced with this one. A free domestic analogue will be offered by the Ministry of Digital Development. According to the Russian public services web Gosuslugi, the service is offered to legal entities – site owners upon request and is delivered within 5 working days (translated).

However, it might take a while for new Certificate Authorities (CA) to pass scrutiny from various businesses before being trusted by web browsers.

The Yandex browser and Atom products from Russia are the only web browsers that now acknowledge Russia’s new CA as reliable, thus Russian consumers are advised to use them rather than Chrome, Firefox, Edge, etc.

Sberbank, VTB, and the Russian Central Bank are among the websites that have previously obtained and are already utilising these state-provided certifications.

A list of 198 domains with a notification to use the local TLS certificate has purportedly been distributed in Russian media, but its usage is not now required.

A questionable proposition

Users of other browsers can manually apply the new Russian root certificate to keep accessing Russian websites that use the state-issued certificate. Examples of these browsers include Chrome and Firefox.

However, this raises fears that Russia may misuse its CA root certificate to carry out man-in-the-middle attacks and intercept HTTPS data.

The new root certificate would eventually be added to the list of certificates that have had their validity revoked as a result of this misuse (CRL).

As a result, Chrome, Edge, and Firefox will prohibit access to any websites utilising these domestic certificates, rendering them invalid.

All parties are obliged to trust certificate authority. However, it is doubtful that the main browser vendors will add Russia to their root certificate stores given that it does not already have any level of confidence.

To mitigate the negative effects of Western sanctions on its economy, Russia has taken some extreme steps. Many have assumed that the moment has come to shut off communication with the world internet and move its users to the “Runet.”