10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Russia is offering its own trusted Transport Layer Security (TLS) certificate authority (CA) to replace certificates that need to be renewed by foreign countries. As it is, a pile of sanctions imposed in the wake of Russia’s invasion of Ukraine is gumming up its citizen’s access to websites.
As it is, Russian sites are stuck, unable to renew their certs because sanctions keep signing authorities in many countries unable to accept payments from Russia, according to BleepingComputer.
TLS – more commonly known as SSL, or TLS/SSL – is a cryptographic protocol that secures the internet by encrypting data sent between your browser, the websites you visit and the website’s server. The certificates keep data transmission private and prevent modification, loss or theft, as digicert explains.
How TLS certificates work. Source: Digicert.
According to a notice on Russia’s public service portal, Gosuslugi, as shown in a translated version in this article’s featured art, the certificates will replace foreign security certs if they expire or get yanked by foreign CAs. According to the portal, the service is available to all legal entities operating in Russia, with the certificates delivered to site owners upon request within five working days.
Over the past two weeks, Russia’s internet services have been cut off by multiple major U.S. internet suppliers, including Cogent Communications, reportedly the second-largest internet carrier servicing Russia. Lumen, another major U.S. internet supplier, followed suit on Tuesday, pushing the country’s citizens behind what some analysts are calling “a new digital Iron Curtain.”
Mikhail Klimarev, executive director of the Internet Protection Society, which advocates for digital freedoms in Russia, told The Washington Post that he’s “very afraid of this.”
“I would like to convey to people all over the world that if you turn off the Internet in Russia, then this means cutting off 140 million people from at least some truthful information. As long as the Internet exists, people can find out the truth. There will be no Internet — all people in Russia will only listen to propaganda.”
BleepingComputer reported on Thursday that the only web browsers that were recognizing the new CA as trustworthy at the time were the Russia-based Yandex browser and Atom products: Russian users’ only alternative to browsers such as Chrome, Firefox, Edge and others.
Somebody with a Mozilla domain email on Thursday started a thread to discuss examination of the new root Russia cert, pointing to the possibility of the Russian government using it to start mand-in-the-middle (MitM) attacks – though, they said, none had been detected as of yesterday.
“Although at present there’s no MitM, it’s likely that government websites will start using this and once adoption is high enough Russia will perhaps start MitM,” they said. They cited an ISP who said that it had been told that the new cert was mandatory, making the certificate “worth urgent consideration.”
_Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our _FREE downloadable eBook, “Cloud Security: The Forecast for 2022.”****We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.
2020.internethealthreport.org/
bit.ly/3Jy6Bfs
bugzilla.mozilla.org/show_bug.cgi?id=1758773
groups.google.com/a/mozilla.org/g/dev-security-policy/c/QaKxfr5hOXg
media.threatpost.com/wp-content/uploads/sites/103/2022/03/11125728/how_TLS_certificates_work-e1647021505756.jpg
www.bleepingcomputer.com/news/security/russia-creates-its-own-tls-certificate-authority-to-bypass-sanctions/
www.digicert.com/tls-ssl/tls-ssl-certificates
www.gosuslugi.ru/tls
www.siliconrepublic.com/comms/russia-internet-backbone-cogent-ukraine
www.washingtonpost.com/technology/2022/03/04/russia-ukraine-internet-cogent-cutoff/
www.washingtonpost.com/technology/2022/03/08/lumen-internet-russia-backbone-cut/
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C