Posted 3 October 2022, 06:53

Modified 24 December 2022, 22:38

Switching to a domestic TLS certificate. Surveillance tool or guarantee of autonomy?

Russian services - public services, bank websites, etc. - are switching to domestic TLS security certificates from the Ministry of Digital Development.

Fellow citizens are worried: is this not just another helping hand for "comrade major" to organize surveillance and persecution of political activists? We look into it with cybersecurity experts.

Julia Suntsova

The Ministry of Digital Development, Communications and Mass Media of the Russian Federation advises Russians to install domestic TLS certificates on their devices to access public services and banks. Once foreign companies revoke their certificates, systems warn users that continuing to use the Russian resources is insecure. Some companies in Russia have already published instructions for users to install domestic digital threat protection products.

“The transition to Russian TLS certificates will provide secure access to all resources in any browser for users of all operating systems, as well as independence from foreign certification centers”, - the Ministry of Digital Development explained the idea of new certificates.

"What is an SSL certificate? The SSL certificate is displayed in the left corner of the browser address bar as a closed padlock. This way the user can determine if the site is trustworthy or phishing. In the second case, personal and payment data left on such a site can fall into the hands of attackers, as well as the payment itself. SSL certificates are issued by certification authorities - special organizations that also support their work. There are three main purposes for using such certificates: encrypting data between the user and the site; the certificate acts as a kind of "identity card" for the organization and protects the user from phishing sites; improves ranking in the search - sites that do not have a certificate fall lower in the search results", - RBC.

Recall that since March 2022, because of sanctions, foreign certification centers have been revoking the SSL certificates of Russian banks that fell under the sanctions; these certificates ensure the security of the site and the safety of personal data. At the Central Bank, VTB, Sovcombank and Promsvyazbank, the level of protection could have decreased for some time, although the banks claimed the opposite.

In September, the issue of extending existing certificates for organizations that were not subject to sanctions also arose, but the Russian side had doubts that foreign partners would be ready to prolong service contracts in the future.

Sber announced last week that it began installing certificates issued by the National Certification Center of the Ministry of Digital Development on all its sites, work resources and systems.

A little earlier, instructions for citizens on installing Russian security certificates on personal devices were published on the Gosuslug portal.

Organizations reporting to government departments also began to encourage Russians to install a Russian product.

The problem is that the Russian certificate will only be compatible with Yandex and (or) Atom (from VK); for other browsers it will have to be imported into the root certificate store. This makes it possible to implement a man-in-the-middle (MITM) attack on traffic that the user will not easily notice. The way to protect yourself is to get a separate phone with a Yandex browser and go to Russian sites only from this separate device, experts say.
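A defender-side check for the risk described above, as an added example that is not from the article or the Ministry: it diffs the trusted roots against a recorded baseline and flags a connection whose chain ends at a manually installed root for a host outside the domains that root is expected to serve. The root name, domains and sample entries are constructed; the entry shape follows Python's `ssl.SSLContext.get_ca_certs()`.

```python
import ssl

def subject_name(cert):
    """Flatten the nested RDN tuples used by the ssl module into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def root_id(cert):
    """Identify a root by (commonName, serialNumber)."""
    return (subject_name(cert).get("commonName", ""), cert.get("serialNumber", ""))

def live_trust_store():
    """Roots the default context has loaded (roots in a hashed capath load lazily and are not listed)."""
    return ssl.create_default_context().get_ca_certs()

def added_roots(current, baseline_ids):
    """Roots trusted now that were absent when the baseline was recorded."""
    return sorted(root_id(c) for c in current if root_id(c) not in baseline_ids)

def host_in_scope(hostname, allowed_domains):
    """Exact or dot-boundary suffix match, so 'notbank.example' does not match 'bank.example'."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def check_connection(hostname, chain_root_cn, scoped_roots):
    """Return 'alert' when a manually installed root vouches for a host outside its expected scope."""
    if chain_root_cn not in scoped_roots:
        return "ok"  # chain ends at a root from the vendor baseline
    return "ok" if host_in_scope(hostname, scoped_roots[chain_root_cn]) else "alert"

# Constructed sample data (hypothetical names, not real CAs or sites).
def _ca(cn, serial):
    return {"subject": ((("organizationName", "Constructed Org"),), (("commonName", cn),)),
            "serialNumber": serial}

BASELINE = [_ca("Vendor Root A", "01"), _ca("Vendor Root B", "02")]
CURRENT = BASELINE + [_ca("Constructed Domestic Root CA", "0A")]
SCOPED_ROOTS = {"Constructed Domestic Root CA": ["bank.example", "gov.example"]}

if __name__ == "__main__":
    baseline_ids = {root_id(c) for c in BASELINE}
    print("added roots:", added_roots(CURRENT, baseline_ids))
    for host in ("online.bank.example", "notbank.example", "mail.example.org"):
        print(host, check_connection(host, "Constructed Domestic Root CA", SCOPED_ROOTS))
```

In real use the baseline is recorded from `live_trust_store()` before any manual import, and the root name passed to `check_connection` comes from the verified chain reported by the TLS client.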

“Firstly, the certification center from Maksut Shadayev [Ministry of Digital Development of the Russian Federation] is not recognized by any modern browser, with the exception of domestic Yandex and Atom. Secondly, the installation of these certificates opens a “window” for data leakage and surveillance of the activities of Russians on the network. Kazakhstan tried to do something similar in its time to read traffic, but then the certificates were blocked by Google and Mozilla. And this poses a threat to users,” Roskomsvoboda experts say.

Another “side effect” is that the Russian Internet with domestic security certificates becomes inaccessible to users abroad. Russians who left with the start of the special operation and mobilization, just like fellow citizens who are temporarily abroad for study or work, will have to sweat a lot in order to enter their personal account on Sberbank from Georgia, Turkey, Asia or Europe or pay for a Moscow apartment, for example.

Anton Merkurov, Vice President of the Association of Internet Publishers "Internet Expert":

- Firstly, the transition to a domestic safety certificate is not safe. When you visit any site, use any service, the connection is encrypted. This encrypted connection is secured by a certificate issued by a third party, the mediator confirms and guarantees you the quality of this encryption. New certificates will no longer be issued by independent intermediaries, but by Russian authorities. Everything that the Russian state touches, especially in the field of high IT technologies, is compromised for a very long time. Users who set this up for themselves open the door to their bedroom for FSB officers.

Secondly, in my opinion, everything that is being done in Russia to “strengthen sovereignty” is an attempt to establish even greater control over citizens in order to punish them in the future. Use your own, because "someone else threatens us" - the next horror stories for stupid people. One can only hope that, as was the case with all previous such projects, the money will be laundered, but nothing will work. We have already broken our Internet for a long time. And we will continue to break. The corpse of the Internet lies and it is raped from all sides ...

Other experts do not see anything super-terrible in the use of domestically developed TLS certificates and believe that for the sake of the autonomy of the work of the Russian public sector, they should have been introduced 10-15 years ago.

Nikita Shevlyakov, developer, founder of the Internet agency Future:

- The presence of a certificate on the site serves as a guarantee for users of the web resource to protect data from getting to third parties during the exchange with the server. Visual evidence of such protection is a green padlock and the signature "protected" in the corner of the site. But the content of a site with a self-signed certificate can be phishing, so it's worth checking the correctness of the domain name.

However, in order for this to work in Russia and ensure the proper level of security for domestic services (especially for banking and other financial-related sites), it is necessary to create Russian certificate authorities that will be trusted in popular browsers.

The idea of the Ministry of Digital Development to issue its own TLS certificates is reasonable and correct, because now there is a threat of being immediately disconnected from European certification centers, which will lead to disruptions in the work of public administration and the financial sector.

Alexander Vurasko, Head of the Digital Services Development Group at the Rostelecom-Solar Center for Monitoring and Response to Cyber Attacks:

- Such certificates are necessary and are used to ensure the security of data transfer between the user and the server he accesses; they help protect data from interception along the way.

Domestic certificates are not something that will be invented today, they already exist and they are no worse than foreign ones in this main function.

The fears of the Russians that I have been observing in recent days are that we are making life easier for Comrade Major, now he will take possession of all the information that is transmitted when using these new certificates. I hasten to reassure you: Comrade Major has long had this information in full. We are talking about the use of these certificates when supporting the activities of government bodies, government agencies, the banking sector, etc. It is foolish to think that all your data that you previously entered at the State Services yourself or left at banks is still unknown to the state. There is no question of new information that could be intercepted using these certificates. Yes, and they were invented not so that the special services intercept traffic, but in order to ensure data protection at the user level. In other words, I see no threats and reasons for panic for our users, all this is already known to our special services, but the threat of interception of this data by the special services of other countries is actually significantly reduced. And no, this is not another cut of funds in the domestic IT sector, for one simple reason: you won’t earn much on this.

Facebook, Instagram (the activities of these social networks are recognized as extremist and banned in Russia), Telegram and other social networks that you use continue to work on foreign certificates and, in general, on certificates of a different kind.

But our own security certificates for state authorities, domestic financial institutions, connections with which should be protected by default, I think this is a correct and important initiative, this is a guarantee of security for the functioning of state systems, and just digital hygiene. For example, it is difficult for me to imagine how some American company sits on the certificates of a Russian certification authority. I adhere to the ideas of digital liberalism, but in this case, sovereignty is justified. In a good way, it was time to introduce our security certificates 10-15 years ago, and now, under the conditions of sanctions, God himself ordered.

Let's check right now. On the Sberbank website, for example, a domestic certificate is already offered, there are detailed instructions on how to install it, even the most distant person from computer technology can do it.

There is still a foreign certificate on the website of the State Services, well...

What kind of threats do we consider if we lose security certificates as such? This is primarily about data leakage when working with popular browsers. If protection is not installed on these browsers, your data can be intercepted and used by attackers: logins, passwords, access to your account. And we are talking now not only about employee users and internal systems of state institutions, but also about ordinary customers. With banking applications, for example, it’s a different story, but if you access Sberbank’s personal account from a browser, it’s better to additionally install a certificate. First of all, this must be done with all organizations that are under sanctions.
