Russian TLS certs face traffic interception and MitM attacks
In the light of the invasion of Ukraine, Russia has launched a domestic TLS certificate authority that sidesteps Western sanctions by replacing, renewing, and revoking expired foreign certificates. Security researchers warn that it also introduces a significant security threat.
Many Russian websites are unable to renew their certificates because of the restrictions imposed on foreign payments, and once those certificates expire, browsers warn users that the sites are insecure, even though the certificates were originally issued by an international signing authority.
In response, the Russian state has launched a domestic TLS certificate authority (CA) through which websites can issue and renew TLS certificates without going through a foreign CA.
But here is the catch: certificates issued by a Russian state-controlled CA carry their own risks, chiefly traffic interception and man-in-the-middle (MitM) attacks.
Russian domestic CA to replace, revoke or renew expired foreign certs
TLS certificates, also known as SSL certificates or digital certificates, bind a website's domain name to a public key so that a browser can verify it is talking to the genuine server before setting up an encrypted connection. The certificate itself does not encrypt the traffic; it lets the client authenticate the server that does.
When a certificate expires, browsers such as Chrome, Safari, and Firefox warn users that the page may not be secure, which drives users away.
Because of the restrictions, websites are having a hard time renewing their TLS certificates. According to a Russian public-service announcement, the state promises to replace foreign certificates that have been revoked or have expired, free of charge and on request.
Major browsers such as Chrome and Firefox have not yet recognized these state-supplied certificates as trustworthy, so visitors using an unmodified browser still see warnings on sites that use them. Russian media have circulated a list of around 200 domains that have been asked to switch to the domestic TLS certificates, although doing so is not mandatory yet.
Russian-issued TLS certs face security threats
"With the major certificate authorities revoking or simply not renewing the certificates for Russian businesses, they are left in a difficult position," Mike Parkin, researcher and senior technical engineer at Vulcan Cyber, tells CSO.
He also considers it unlikely that the major browsers will ever accept the new Russian CA, which is a problem for many Russian users as well.
Many of them will have to keep relying on CAs approved by their own government, and those CAs are not known for respecting user privacy or for taking a strong stand against cybercriminals.
The fundamental point is that if you cannot trust a CA, you cannot trust the certificates it issues either. A CA that is willing to issue a certificate for a domain it does not control enables a MitM attack: the attacker's server presents that certificate, and every client that trusts the CA accepts the connection as genuine.
Yuval Wollman, president of CyberProof and former director-general of the Israeli Intelligence Ministry, said that organizations wanting to minimize the risk should keep their employees away from any Russian-issued TLS certificates, given the open questions about their legitimacy and about who controls them.
He advised blocking access to sites using such Russian-issued TLS certificates with a blocklist until the situation can be reassessed.
Russia's “sovereign internet”
According to a Flashpoint blog post, Russia's total disconnection from the global internet may be imminent.
Flashpoint says this would happen under the 2019 Law on Sovereign Internet, which frames disconnecting Russian internet infrastructure from the global internet as a defensive move, wording that leaves wide room for interpretation.
Flashpoint also suggests that such a disconnection could make many non-Russian websites unreachable for Russian users, degrade services, and defeat evasion methods such as VPNs.
At the same time, many hackers are looking for ways to bypass Russia's increasing state control over online traffic, including the possibility of Russia being disconnected altogether, Flashpoint says.
Flashpoint's analysts also observed threat actors suggesting several workarounds for existing and potential future blocks, including:
A content bot on one forum offered software using anti-DPI technology, which lets users bypass existing blocks by avoiding the traffic fingerprints typical of VPN, Tor, and proxy services. Deep packet inspection (DPI) relies on those fingerprints to detect and block such evasion tools.
A VPN service advertised on the YouHack forum claims to bypass DPI and to prevent ISPs from logging DNS queries.
Users of the top-tier Exploit forum suggested a Telegram bot that hands out Tor bridges; earlier, users had suggested chaining VPN, Tor, and VPN to bypass blocks.
Conclusion:
The situation is tense for Russia's businesses and startup owners. Switching to the domestic CA could keep their sites running, but it may also drain their resources and cost them the trust of users whose browsers still reject the new certificates. Thank you for reading this blog! We'll be back with more information soon.