Most government and business websites rely on Transport Layer Security (TLS), a protocol that establishes an encrypted session between two computers on the Internet. It verifies the identity of the server and prevents hackers from intercepting any data. Western governments are blocking TLS certificates for Russian websites, and this comes with security implications.
The dynamics behind the Russian actions were explored in a companion article: “Russia’s latest sanction busting move creates a cybersecurity risk”.
It is apparent that the TLS process can be disrupted, and a number of western governments have used such measures as part of their attempts to limit the Russian economy. The measures form part of the packages designed to tackle Russia over the invasion of Ukraine.
What has happened is that sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates. Browsers block access to sites with expired certificates.
However, the Russian state is not simply accepting this restriction. The Gosuslugi public services portal indicates that Russia’s Ministry of Digital Development will provide a domestic replacement to handle the issuance and renewal of TLS certificates should they be revoked or expire. This service will be offered to all legal entities operating in Russia, with the certificates delivered to site owners upon request within five working days.
This process is creating a cybersecurity risk that has global implications, not least because Russia could abuse its root CA certificate to perform HTTPS traffic interception and man-in-the-middle attacks, according to an assessment by Mozilla.
To gain further insight into the TLS issue, Digital Journal heard from Alon Nachmany, Field CISO of AppViewX.
Nachmany analyses why Russia has taken the measures it has and what the Putin regime hopes to achieve: “It’s clear Russia is going through this exercise to ensure that their infrastructure isn’t crippled by a sanction. The linchpin to technology is public key infrastructure (PKI).”
Ensuring that the ramifications of this are clear, Nachmany emphasises: “So, this is huge news. This is something every organization should be watching.”
As to why this is the case, Nachmany explains: “PKI is so incredibly critical that Russia is forced to do this to avoid outages. PKI allows for secure communications and is an integral part of encryption – this is also something that Russia excels at.”
There are points arising from this news that governments and businesses need to be planning for, and relatively quickly. According to Nachmany, these are: “This news also calls out the critical importance of automating certificate lifecycle management (CLM). Russia-based organizations will need to replace millions of certificates; it’s a tedious process and extremely time-consuming. By automating the CLM, organizations will create stronger security credentials, a reduction in the likelihood of outages due to certificate expiry or human error and more.”