In response to President Vladimir Putin’s invasion of Ukraine, many western governments have imposed sanctions that have prohibited companies from conducting business with Russia.
Among these companies are public third-party certificate authorities (CA) who issue digital certificates for websites to validate a website domain to enable greater trust in online communications and transactions.
What it means
Before the invasion of Ukraine, websites of many companies based in Russia would procure and renew TLS certificates via third-party authorities such as DigiCert or GoDaddy. However, the growing number of sanctions imposed on Russia means that these websites will be unable to renew certificates; their sites will stop being trusted by web browsers. As a precautionary feature, modern web browsers will block access to those sites or – at the very least – issue browser warnings that may deter consumers from sites.
In response, Russia has established its own domestic CA to issue TLS certificates. While under different circumstances, this is not a unique initiative. Other states have attempted to do so, each with reasons of their own, but seldom with the objective of enhancing online trust. This move sparks concerns that the Russian people will be more vulnerable to cyberattacks and snooping from their own government.
Why it matters
It’s clear that the Russia-Ukraine conflict has an impact on all fronts and in all realms. In Ukraine, the lives and livelihoods of innocent people are at severe risk. In both Ukraine and Russia, freedom is under siege, including those that exist within the digital landscape.
While the conflict has severely disrupted the lives of citizens, it has not put a pause on business needs. Businesses within Russia must continue operating and a key component of this depends on their ability to run their website securely with digital certificates – exposing Russian dependency on the system of trust that has been established on the Internet over the past 20+ years.
Russia establishing its own state-run CA raises a myriad of concerns. The first pertains to digital freedom and data privacy. In Russia, where fears of cybercrime and repressive surveillance are rampant, the implications of control over citizens and the Internet within Russia are far-reaching.
With a “state friendly CA”, it’s possible for a government to intercept a person’s attempt to reach a given site and do anything from eavesdropping communications to replacing a site with their own (fake) webpage. In turn, this provides an opportunity for the government to launch spyware that monitors a user’s activity on a given website.
The second major concern is more operational in nature. CAs confirm that a domain belongs to a verified entity, meaning they must be recognized by web browsers as trusted and legitimate. Currently, only two browsers recognize Russia’s new CA as trustworthy: the open-source Atom and Russia-based Yandex.
Blocking Russian businesses from procuring publicly trusted certificates will have an overall negative impact on Internet security and, therefore, businesses in Russia, as citizens are unable to do things like shop, pay taxes, or conduct online banking.
The bigger picture
Nation-states have already faced serious supply chain disruptions caused by the COVID-19 pandemic. And with many global economies severing ties with Russia and local production out of Ukraine coming to a halt, these disruptions are only expected to worsen.
Many world leaders are looking to reduce their country’s dependence on the global supply chain. For example, countries like the United States are looking into energy independence, to solve the need to import petroleum and other foreign sources of energy.
Decisions like these should not be taken lightly. When it comes to the digital realm, the longer-term impact could fundamentally change the Internet, which has always been an open and accessible platform. An open Internet is dependent on the interplay between technical, business, and political factors. Putting up “borders” on the global Internet has serious repercussions.
The Certification Authority Browser Forum, also known as the CA/Browser Forum, is a collaborative body between CAs and popular web browsers like Firefox (Mozilla), Chrome (Google), Safari (Apple), and Edge (Microsoft).
In essence, the voluntary consortium regulates the trust supply chain that backs the security of the Internet – in this case, the Forum governs the issuance and management of publicly trusted certificates. Restricting who member CAs issue certificates could mean a less open Internet.
As it stands currently, the Russian-created CA is not trusted by any major browsers and the process of gaining accreditation takes months – that is, should the CA/Browser Forum or Russia even be interested in pursuing that action.
However, as the longer-term impacts of these supply chain disruptions take effect, nations must consider whether their organizations will be able to effectively manage roots of trust before – or when – they roll out their own CA service. Doing so will introduce new challenges for organizations to work with the CAs in those regions – especially as they create digital certificates for authenticating information shared online.
As the CA and trust landscape inevitably changes, cryptography plays a significant role in any digital service. Without the ability to encrypt, and thus secure, data transmissions over the internet, so much of what we do online would be impossible. In light of these new issues, cryptographic agility – the ability to quickly and easily change processes to encryption, signatures, and certificates – will be imperative for businesses that wish to operate in the modern age.
Regardless of how the landscape evolves, the creation of Russia’s CA raises important questions about the future of the Internet – and demands that organizations re-think their ability to adapt to these changes and remain crypto-agile as continue to securely conduct business.