You Should Not Trust Russia’s New “Trusted Root CA”

Fight Censorship, Share This Post!

Last week, Russian citizens began receiving instructions to either download a government-approved web browser, or change their basic browser settings, according to instructions issued by their government’s Ministry of Digital Development and Communications.

On the one hand, these changes may be necessary for Russians to access government services and websites impacted by international sanctions. Nonetheless, it is a worrying development: the Russian state’s stopgap measure to keep its services running also enables spying on Russians, now and in the future.

The Internet governance entities ICANN and RIPE rejected Ukraine’s requests to revoke Russian top-level domains, access to Domain Name System root servers, and its IP addresses. However, international sanctions have heavily impacted Russia’s internet infrastructure. In part, this has happened because Certificate Authorities (CAs), the trusted notaries that underpin data security on the web, have begun refusing orders from domains ending in “.ru”, and have revoked certificates from Russia-based banks. Because international CAs like Digicert and Sectigo have largely stopped working for Russian websites, the Russian government has stepped in and suggested that citizens install its “Russian Trusted Root CA.”

While the capabilities of Russia’s new root certificate authority are not completely clear, the certificate is valid for ten years. It has the capability not just to issue certificates for domains; it can also inspect the traffic of the users who communicate with those domains.

The new “Russian Trusted Root CA” won’t expire for 10 years

Although this new state-sponsored root CA was apparently prompted by the international sanctions against Russia, the Russian government has long shown signs of wanting more control over internet infrastructure. Russia passed a “sovereign internet” censorship law in 2019, and last year the Russian government ran a test to see if it could disconnect from the global internet.

The internet isn’t just transmission lines and data centers. Internet infrastructure also includes technical services like Domain Name System resolvers, CAs, internet gateways, and domain registries. It will be difficult for the Russian state to create entirely domestic, state-controlled versions of all of these services. But the incentives to try are growing. For example, networking hardware manufacturer Cisco recently cut ties with Russian firms in response to the invasion of Ukraine, making it clear that Russia can’t count on Cisco to aid in domestic surveillance and censorship (Ironically, Cisco has had no compunctions about assisting other regimes with censorship, and indeed had a central role in developing the custom technology needed to build China’s “Great Firewall”).

Some version of a self-contained national internet—a so-called “splinternet”—may be described in terms of domestic self-reliance, but it inevitably comes with opportunities for state surveillance. Russia isn’t the first country to try this. In 2019, Kazakhstan attempted dragnet surveillance with its own root certificate. The Iranian state has proposed a bill to control “international gateways,” so the country’s outbound traffic would be directed through an ad hoc agency controlled by the armed forces and security agencies. In the EU there’s a proposal to mandate government CAs in browsers, with no ability to challenge or guarantee browser security and autonomy – in the name of user safety. These are all attempts to create borders within the internet, and they set dangerous templates for other governments to execute.

We do not know when or if Russia will disconnect itself from the foreign internet—or if that’s even possible. But for the people of Russia, including the many who oppose the invasion of Ukraine, digital security has already been put at risk. The certificate authority Russians have been ordered to install paves the way for a decade of digital surveillance, with the power to bypass the cryptographic privacy measures every internet user relies on.


Fight Censorship, Share This Post!

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.