Skip to main content
banner image
venafi logo

Russia Does Its Own TLS Certificate Authority to Get Around Sanctions: Machine Identity in Focus

Russia Does Its Own TLS Certificate Authority to Get Around Sanctions: Machine Identity in Focus

March 10, 2022 | Brooke Crothers

Russia has created its own trusted TLS certificate authority (CA) to solve website access problems as a result of sanctions that prevent certificate renewals, according to a report at Bleeping Computer. “The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates,” the report said.

Are you facing a machine identity crisis? Venafi can help you out.

Because of expired certificates, countries that have imposed sanctions on Russia can no longer accept payments for their services, “leaving many [web]sites with no practical means to renew expiring certificates,” the Bleeping Computer report said.

Digital certificates are used to validate the legitimacy of browsers. An expired certificate will trigger conspicuous warnings from Google Chrome, Safari, Microsoft Edge, and Mozilla Firefox browsers stating that pages are insecure, causing users to avoid a website, as Bleeping Computer points out.

If still used by websites, expired certificates are also a grave security concern as they put both encryption and mutual authentication at risk.

The reportquoting a translation from the Russian public services portal, Gosuslugiexplains the plans for a domestic certificate authority for the independent issuing and renewal of TLS certificates:

It will replace the foreign security certificate if it is revoked or expires. The Ministry of Digital Development will provide a free domestic analogue. The service is provided to legal entities – site owners upon request within 5 working days.” 

Instead of Chrome, Firefox et al Russian users are being told to use the Yandex browser and Atom products, the only web browsers that recognize Russia’s new CA as trustworthy.

But it will take time for the new Certificate Authorities to be trusted by web browsers. 

Russia keenly aware of sway that machine identities hold

“Certificate Authorities issue machine identities, like TLS certificates, that enable a browser and cloud to trust each other no matter where they are in the world,” said Kevin Bocek, VP, Ecosystem & Threat Intelligence, at Venafi.

Now the Russian government has taken the next step by introducing a Russian-based Certificate Authority for the internet.

“This new Russian Certificate Authority is a clear strike at privacy and freedom online because it could give the Russian government the power to surveil citizens and spoof any Western Internet service from Twitter to the BBC. It also could enable the government to essentially turn off the Internet for Russia,” Bocek said.

“Russian cybercriminals of all types have known the power of machine identities to escape detection for a long time. In the past, Russian cyber criminals have stolen machine identities to create backdoors to Ukrainian power plants with SSH keys or to get malware to run undetected with stolen code signing certificates,” Bocek added.

Russia could also create massive risk for itself

“The establishment of the new Russian CA also could create the possibility of a catastrophic single point of failure for Russian entities,” said Pratik Savla, Senior Security Engineer at Venafi.

“It’s safe to assume that this new CA will be a primary target of Anonymous and other groups that are currently waging cyberattacks against Russian entities. Unlike the rest of the world, both government and private-sector Russian sites and infrastructure don’t have a CAs, so if this one goes down or is compromised every website connected to it will be disconnected from the internet,” Savla said.

Related Posts

Like this blog? We think you will love this.
Featured Blog

Orchestration and Automation are Critical for Machine Identities

The challenges of identity-based zero trust security

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Brooke Crothers
Brooke Crothers
Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more