Due to the sanctions imposed by Western countries, mainstream CA institutions no longer provide services to Russia, and a large number of Russian websites have fallen into the dilemma that certificates cannot be updated;
The Ministry of Digital Development of Russia created a national CA agency to provide free alternatives to websites, using domestic certificates + domestic browsers to solve the problem of inaccessibility;
Russian media released a list of 198 domain names that have allegedly been notified of the use of domestic TLS certificates, but have not yet been enforced.
Russia has established its own trusted TLS Certificate Issuing (CA) authority to address the difficulty of accessing domestic websites caused by the inability to renew certificates under Western sanctions.
This round of sanctions imposed by Western countries and enterprises has led to the inability of Russian websites to update existing TLS certificates, and mainstream browsers currently prevent users from accessing websites with expired certificates.
TLS certificates help browsers determine that the target domain is a validated entity and ensure that the exchange of information between users and servers is encrypted.
How TLS certificates work
According to the content of the sanctions, certificate authorities in Western countries no longer provide paid services for Russia, and a large number of Russian websites are trapped in the dilemma that certificates cannot be updated.
Once the certificate expires, major browsers such as Google Chrome, Apple Safari, Microsoft Edge, and Mozilla Firefox will display a warning of "the current page is not safe" in full screen, so that some users will no longer continue to visit.
Domestic substitution
To this end, the Russian government decided to set up a certificate authority in the country, which is responsible for the independent issuance and renewal of TLS certificates.
Russian public service portal Gosuslugi showed that "foreign security certificates that have been revoked or have expired will be replaced." The Ministry of Digital Development will provide a free domestic alternative to the website. After submitting the application, each legal entity (i.e. the website owner) will receive the service within 5 working days. ”
The Russian government announced the provision of domestic certificates
The new certification authority (CA) also has to face a challenge of how to gain the trust of the browser. This needs to pass the review of various browser manufacturers, and the whole cycle may drag on for a long time.
At present, the only browsers that accept new Russian CAs are the Russian Yandex browser and Atom products. The Russian government calls on the public to use these products as much as possible to replace mainstream browsers such as Chrome, Firefox and Edge.
Websites that have begun to use Russian domestic certificates include Sberbank, the Russian Foreign Trade Bank (VTB) and the Central Bank of Russia.
Eligible site owners will receive the above notification
Security risks of manual trust
Users of browsers such as Chrome and Firefox can manually add new domestic root certificates and continue to browse Russian websites with domestically issued certificates.
There are concerns that Russia could abuse its root certificates to carry out HTTPS traffic blocking and man-in-the-middle attacks. In this case, once such abuse is discovered, the new root certificate will be included in the Certificate Repeal List (CRL).
Russian accredited root CA certificate
Once on the certificate cancellation list, these certificates will materially expire, resulting in websites that continue to be blocked from accessing major browsers such as Chrome, Edge, and Firefox.
Recently, Russia has taken a series of measures aimed at mitigating the impact of Western sanctions on its economy. Many believe that Russia's previous experiment of disconnecting from the global Internet has finally come into play, and that now is a good time to cut ties with the Internet and move to the "domestic big-picture area network."
In response to these rumors, Russia's Ministry of Digital Technology issued a statement to the domestic media, explicitly denying the idea of "detaching from the global Internet system".