As the war between Ukraine and Russia rages on, many countries and industries around the world are coming together to cut Russia off from economic ties, and the cybersecurity sphere is no exception. International certificate authorities are joining forces to pressure Russia by refusing to renew the TLS/SSL certificates of popular Russian sites that are about to expire.

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) certificates are mostly applied to domains and are used to enhance security by encrypting the information exchanged between the user and the server. When users access a site with an expired TLS/SSL certificate through one of the most widely used web browsers, such as Google Chrome, Microsoft Edge, Mozilla Firefox, or Safari, a warning message pops up marking it as a suspicious site. If verified TLS/SSL certificates are not used, web-based business operations in all sectors, including finance, IT, and e-commerce, are highly likely to be disrupted, which can eventually deal a heavy blow to revenues.

Russia creates its own Certificate Authority to bypass sanctions

Because the international certificate authorities are not permitting certificate renewal, Russia has responded by creating its own TLS Certificate Authority to issue and recognize TLS certificates. The CA website displays a notice that, if a foreign security certificate is revoked or about to expire, new state-issued certificates will be provided to site owners within 5 days upon request.

Russian Certification Authority CA website (https://www.gosuslugi.ru/tls)

Russia has now recommended that more than 200 sites use domestically created TLS certificates, but the notice does not state that this is mandatory. The website also posted a full list of domains with new certificates issued by the Russian CA. The list includes popular sites such as Russian banks and major universities.

 

Partial list of domains that have been issued certificates in Russia (Source: gosuslugi.ru/tls)

Criminal IP ANALYSIS: Certificate expiration status of Russian sites

We took a closer look at data collected by Criminal IP, specifically the statistics for sites using the Russian domain code (.ru) from March 10th to 16th. After the sanctions against certificate renewal were announced, the number of domains with expired certificates was 115,554, 94,072, 120,751, 121,820, 70,287, 6,980, and 4,012 on successive days, for a total of 533,476. Among them, many sites, such as the Russian travel company (https://russian-tour.com/) and the shopping mall (www.santehnikavdom.ru), became hard to access from the widely used Chrome browser.

As it stands, the total number of domains using .ru has reached 25,311,304. Twenty days have already passed since the initial invasion; if the war with Ukraine goes on for another week, a total of 1,318,388 sites are expected to be classified as unsafe, which implies that normal operations will be severely hindered. As long as the war continues, the number is only expected to increase even more dramatically.

Number of Russian sites with certificates expired in March

Russian CA’s effort falls short of addressing global sanctions

To make matters worse, Russia’s response is insufficient because it has failed to win the trust of international browsers. The newly launched Certificate Authority (CA) requires verification from each browser, and so far only browsers from Russian companies, such as Yandex and Atom, publicly recognize the Russian certificates. There are also cases where access to a website is completely impossible, which means users cannot reach the site simply because its certificate has expired.

Users who want to reach such a website through Chrome or Edge can manually add the Russian root certificate, but even this approach is not very viable because it carries the risk of HTTPS traffic interception by Russia. In a nutshell, even if a new Russian certificate is issued, it is necessary to verify the safety of the site and to provide further guidance to prevent customer churn when it is accessed through a Russian browser.
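The two failure modes described above (an expired certificate from an international CA, and a valid certificate from a CA the browser does not trust) can be told apart with a short survey script. This is an added example, not code from the article or from Criminal IP; the hostnames and CA names are constructed placeholders, and trust is simplified to an issuer-organisation lookup rather than full chain validation.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample records in the dict shape returned by
# ssl.SSLSocket.getpeercert(). Hostnames and CA names are placeholders.
SAMPLE_CERTS = {
    "shop.example.ru": {
        "notAfter": "Mar 12 23:59:59 2022 GMT",
        "issuer": ((("organizationName", "Example Global CA"),),),
    },
    "bank.example.ru": {
        "notAfter": "Mar 10 00:00:00 2023 GMT",
        "issuer": ((("organizationName", "Example State CA"),),),
    },
    "news.example.ru": {
        "notAfter": "Sep 01 00:00:00 2022 GMT",
        "issuer": ((("organizationName", "Example Global CA"),),),
    },
}

# Assumption: organisations whose roots ship in a mainstream browser.
BROWSER_TRUSTED_ORGS = frozenset({"Example Global CA"})


def issuer_org(cert):
    """Pull organizationName out of the issuer's nested RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def classify(cert, now, trusted_orgs=BROWSER_TRUSTED_ORGS):
    """Return the outcome a browser with this trust store would report."""
    if issuer_org(cert) not in trusted_orgs:
        return "untrusted-issuer"  # chain does not end at a shipped root
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now.timestamp():
        return "expired"
    return "ok"


def survey(certs, now, trusted_orgs=BROWSER_TRUSTED_ORGS):
    """Classify every host, as a per-domain certificate survey would."""
    return {h: classify(c, now, trusted_orgs) for h, c in certs.items()}


if __name__ == "__main__":
    as_of = datetime(2022, 3, 16, tzinfo=timezone.utc)
    for host, status in survey(SAMPLE_CERTS, as_of).items():
        print(f"{host}: {status}")
```

Passing a `trusted_orgs` set that also contains the state CA models a browser that recognizes it: the same certificate then classifies as `ok`, which is why the result depends on the client's trust store and not only on the site.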

Below is a warning message that appears when potential users try to access the Russian travel site domain https://russian-tour.com/ through both Chrome and Yandex.

Warning page displayed when accessing russian-tour.com with Chrome

Warning page displayed when accessing russian-tour.com through Yandex

Russia takes a hard beating from global companies

On the other side of the SSL/TLS issue, there have also been attempts from Ukraine. Allegedly, Ukraine recently sent a request to ICANN, an international internet organization, asking it to remove Russian websites from the public internet. The request included revoking TLS/SSL certificates, shutting down the DNS root servers, and revoking certain country codes and domains. While ICANN refused, stating that doing so would overstep its authority, many private companies such as Microsoft are actively stepping in to exclude Russia, for example by blocking Russian customers and suspending business activities associated with Russia altogether.

On this matter, Russia’s Ministry of Digital Technology voiced concern that “Russian sites are being bombarded with cyberattacks launched overseas and this is an alarming trend with no end in sight”. In the wake of Russia’s recent shutdown of major social network services (SNS) such as Instagram and Facebook, the number of VPN (Virtual Private Network) downloads within the country is also soaring to unprecedented levels.

Russia’s expulsion from international organizations and companies illustrates how sanctions against a country at war, and expressions of indignation, translate directly into disconnection from the Internet. These organizations and companies are likely to continue isolating Russia for the time being, as long as Russia carries on with its unprovoked aggression against Ukraine despite worldwide opposition and the dissatisfaction of its own people.


This article was written by drawing on data provided by Criminal IP.