DEV Community

Cover image for State SSL certificates — what are the risks
Grzegorz Piechnik
Grzegorz Piechnik

Posted on • Updated on

State SSL certificates — what are the risks

In the wake of Western-imposed sanctions on Russia in the form of access to websites, Russia has set up a state authority to issue TLS certificates. According to Gosuslugi's page, certificates would be issued in up to five days. But before we get into the dangers of state certificates, let's start at the beginning.

Man in the Middle attack

We have already described the MitM attack in article using the ability to create a custom Access Point to steal user data. In this connection, we will just remind you - MitM is an attack in which we intercept network traffic. These include HTTP requests that may contain sensitive data in the form of, for example, user passwords. Here, however, the problem begins - in order to succeed in such an attack, the HTTP request would have to be unencrypted (that is, they could not be HTTPS requests). So we get to the crux of the matter - HTTPS traffic must first be intercepted and then decrypted.

Certificate issuance vs. private/public key

Issuing a certificate usually works in such a way that we generate a public / private key pair locally, and then after sending the public key to the Certificate authority, it issues a signed certificate. In some cases, the generation of the key pair stands on the side of the Certificate Authority. This means that they may (or may not) keep a copy of the private key in their database. This is a security risk. Imagine a situation in which you have access to encrypted data and a private key. This could result in access to sensitive data.

Trusted sources

It is interesting that anyone can create their own certificate. But how does the user know that the issued certificate is from a trusted source? The web browser has the public keys of all the major CAs installed. It uses this public key to verify that the web server's certificate was indeed signed by a trusted certification authority (CA). The certificate contains the domain name and/or IP address of the [WWW] server(http://WWW).

This raises the question - will browsers like Chrome, Firefox and Safari recognize Russia's state certificates as trusted. In addition, it remains Worth remembering that we can manually add our own public keys. Why is this so important? Let's move on.

MitM in Kazakhstan, or history likes to repeat itself

At this point, it is worth recalling an example from Kazakhstan, when the Kazakh government created its root certificate in 2015. The government considered it a "national security certificate." In July 2019, Kazakh ISPs began informing their users that the certificate would have to be manually installed on users' devices.

To protect Kazakh citizens from having their online communications intercepted by the government, Google and Mozilla have blocked Kazakhstan's root CA in the Chrome and Firefox browsers. It is worth remembering that in the case of Russia, they have two government browsers - Yandex and Atom. So much in a nutshell. For more info, we refer you to wikipedia.

Sources

https://linuxhint.com/decrypt-ssl-tls-wireshark/
https://thehackernews.com/2022/03/russian-pushing-its-new-state-run-tls.html
https://bugspace.pl/straszny-atak-rogue-access-point/
https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_attack
https://linuxhint.com/decrypt-ssl-tls-wireshark/

Top comments (0)