Amidst the ongoing conflict between Ukraine and Russia, nations and industries worldwide are uniting to sever economic ties with Russia. The cybersecurity sector is no exception. During times of war, international certification authorities are collectively pressuring Russia by refusing to renew TLS/SSL certificates for popular Russian websites nearing expiration.
TLS (Transport Layer Security) and SSL (Secure Sockets Layer) certificates are primarily used for domains to enhance security by enabling the exchange of encrypted information between users and servers. When users try to access sites with expired TLS/SSL certificates using popular web browsers like Google Chrome, Microsoft Edge, Mozilla Firefox, or Safari, a warning message indicates that the site is suspicious. Consequently, the absence of valid TLS and SSL certificates can cause significant disruptions to web-based business operations in the finance, IT, and e-commerce sectors, ultimately affecting revenue streams.
Russia Establishes Self-Operated Certificate Authority to Circumvent Sanctions
In response to the refusal of international certification authorities to renew certificates, Russia has taken the initiative to establish its own TLS Certificate Authority for validating TLS certificates. When accessing the CA website, if a foreign security certificate is revoked or nearing expiration, a notification message informs users that new certificates issued by the state will be made available to site owners within five days upon request.
Russian Certification Authority’s website (https://www.gosuslugi.ru/tls)
Russia has recommended over 200 websites to utilize domestically created TLS certificates, although it is not stated as mandatory. The Russian Certification Authority’s website has also published a comprehensive list of domains that have received new certificates from the Russian CA. The list includes popular websites, including Russian banks and prominent universities.
Partial list of domains that have been issued certificates in Russia (Source: gosuslugi.ru/tls)
Certificate Expiration Status of Russian Sites
We conducted an in-depth analysis of the data collected from Criminal IP, specifically focusing on the statistics of sites using the Russian domain code (ru) between March 10 and 16. When sanctions against certificate renewal were announced, it can be seen that the domains with expired certificates amount to 115,554, 94,072, 120,751, 121,820, 70,287, 6,980, and 4,012 in a row, with a total being 533,476. Notably, accessing many of these sites, such as the Russian travel company (https://russian-tour.com/) and the shopping mall (www.santehnikavdom.ru), became challenging when using popular Chrome browsers.
The total number of domains utilizing the .ru extension has reached 25,311,304. Despite the passing of 20 days since the initial invasion, if the conflict with Ukraine persists for another week, it is projected that a significant 1,318,388 sites will be deemed unsafe, resulting in severe disruptions to regular operations. Furthermore, as the war prolongs, this number is expected to increase significantly and continue to escalate.
Number of Russian sites with certificates expired in March
Russian CA’s Effort Falls Short in Addressing Global Sanctions
Russia’s attempt to address global sanctions through its newly launched Certificate Authority (CA) has proven inadequate, as it fails to gain the trust of international browsers. The CA requires verification from each browser, but only Russian companies’ browsers, such as Yandex and Atom, currently recognize Russian certificates. This limited recognition poses a significant challenge as access to certain websites becomes impossible due to expired certificates.
Users wishing to access the website using Chrome or Edge can manually add a Russian root certificate. However, this approach has risks, as it opens the possibility of Russia’s HTTPS traffic interception attack. In essence, even with the issuance of a new Russian certificate, verifying the site’s safety and providing additional guidance to prevent customer churn when accessing it through a Russian browser is crucial.
A warning message appears when users attempt to access the Russian travel site domain https://russian-tour.com/ using Chrome and Yandex browsers.
Warning page displayed when accessing russian-tour.com with Chrome
Warning page displayed when accessing russian-tour.com with Yandex
Russia Faces Severe Consequences from Global Companies
On the other hand, concerning the SSL/TLS issue, there have been apparent efforts from Ukraine as well. For example, Ukraine recently submitted a request to ICANN, an international internet organization, to remove Russian websites from the public internet. The request included revoking TLS/SSL certificates, shutting down DNS root servers, and revoking specific country codes and domains. However, ICANN refused to comply, stating that it exceeded its authority. Nevertheless, several private companies, such as Microsoft, are actively taking action to isolate Russia. This includes blocking Russian customers and suspending business activities associated with Russia.
In response to the situation, the Ministry of Digital Technology in Russia expressed concern over the increasing cyberattacks targeting Russian sites from overseas, considering it an alarming and ongoing trend. Furthermore, following Russia’s recent shutdown of major social networking services like Instagram and Facebook, there has been an unprecedented surge in the number of VPN (Virtual Private Network) downloads within the country.
The expulsion of Russia from international organizations and the measures taken by companies illustrate how sanctions imposed on the country due to its ongoing war and public disapproval result in internet disconnection in cyberspace. As long as Russia persists in its unprovoked aggression on Ukraine, disregarding global opposition and discontent among its population, it will likely face increased isolation and consequences that impede its connectivity.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Create a free Criminal IP account today to access the search results cited in the report and search for more extensive threat Intelligence. [Criminal IP’s Official Service Release]
Leave a Reply