Last week, as the threat post pointed out, the Russian government was offering certificate authority (CA) services to Russian tech companies. Because of the economic sanctions imposed by the western world, all these companies's payment to the usual CAs such as Digicert cannot go through. And as a results, their TLS certificates are facing the danger of expiration.
For those who are unfamiliar with TLS certificates, think of them as the website's equivalent of a driver's license or an identity card. They serve as proof that a website is genuine and can be trusted. Nowadays, most web browsers raise concerns when you visit an HTTP website, which lacks this identity verification. In fact, popular browsers like the latest version of Chrome have taken the proactive step of restricting access to HTTP content by default.
This caution is not without reason. Each TLS certificate consists of a pair of public and private keys. When data is encrypted using the public key, only the corresponding private key can decrypt it. In other words, you can encrypt sensitive information like credit card details using a website's public key and send it securely. Only the website, possessing the matching private key, can decrypt the information and access its contents. TLS certificates play a vital role in enabling encrypted communication, safeguarding us from potential threats lurking online.
Certificate authorities (CAs), such as Digicert and Verisign, assume the responsibility of maintaining this system of certificates. Think of them as trusted notaries. Every website seeking an identity approaches a CA, which then conducts a series of tests to ensure the website's authenticity. If the CA is satisfied with the results, it generates an identity for the website and affixes its stamp of validation. This signifies that the CA has confirmed the website's identity, establishing trust for users.
Now because of the sanctions, all international transactions going into and from Russia have been severed. Since the majority of certificate authorities are based in the United States, tech companies in Russia are unable to make payments for renewing their expiring certificates. Typically, TLS certificates have a maximum validity period of approximately 13 months. If Russian companies manage to renew their certificates just before the sanctions take effect, they will have a grace period of 13 months to address the situation and find a viable solution. However, for those who either failed to renew their certificates or were unaware of the impending situation, a significant problem arises.
Without valid TLS certificates, these Russian websites will face several challenges. Firstly, web browsers will display warning messages to users, indicating that the website is not secure and discouraging further interaction. This creates a barrier of distrust and diminishes the credibility of these websites in the eyes of potential users.
Furthermore, the absence of TLS certificates leaves these websites vulnerable to various security threats. Without encryption, sensitive information transmitted between users and the website can be intercepted and accessed by malicious actors. This includes personal data, financial information, and other confidential details that users may provide while interacting with the website.
The repercussions of this situation extend beyond individual websites. The overall security of the web ecosystem is compromised when websites lack valid TLS certificates. Users may become hesitant to engage with any online platforms originating from Russia, as the absence of proper security measures raises concerns about data privacy and protection.
While I condemn the actions of the Russian government regarding Ukraine, I believe it is unfair to punish innocent Russian companies and individuals. Placing sanctions that prevent them from renewing TLS certificates hampers their online security and credibility. Instead, targeted measures should be taken against responsible parties while fostering dialogue and understanding between nations. We must find a balance that upholds accountability without unjustly impacting innocent actors and maintaining the integrity of the internet.
On Feb 8th, 1996, John Barlow drafted the Declaration of the Independence of Cyberspace. In his poetry words, he wrote that cyberspace was free from governments and politics, and that
We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.
Let's keep it that way.