back to article Moscow to issue HTTPS certs to Russian websites

Moscow has set up its own certificate authority to issue TLS certs to Russians affected by sanctions or otherwise punished for president Putin's invasion of Ukraine. A notice on the government's unified public service portal states that the certificates will be made available to Russian websites unable to renew or obtain …

  1. Potemkine! Silver badge

    "Z" for zombies

    Can the Kremlin be considered as a trusted source for certificates emission?

    Yes, of course, I trust them to play the man in the middle and spy on all the communications.

    1. Anonymous Coward
      Anonymous Coward

      Re: "Z" for zombies

      Huh, our government in the U.K. don't even bother with certificates.

      1. john.jones.name

        Re: "Z" for zombies

        thats false information see the certificate used in transport of this webpage

        https://www.gov.uk/government/publications/email-security-standards/transport-layer-security-tls

      2. steelpillow Silver badge
        Facepalm

        Re: "Z" for zombies

        If UK gov does not bother with certs, can you please explain how on rare occasions my browser will complain that said "non-existent" cert has just expired and do I still want to trust it?

        Icon for the spot-on reflecting of your name in your post.

    2. bombastic bob Silver badge
      Pirate

      Re: "Z" for zombies

      why don't they use "Let's Encrypt" like all of the budget ISPs and individuals do...

      (If "Let's Encrypt" is getting political then they defeat the purpose of their existence)

      [And this issue is yet another example of harming the wrong people with the sanctions, which I would support 100% if they are actually effective in putting an end to Vlad the Putinator's worldwide conquest]

      1. Charlie Clark Silver badge

        Re: "Z" for zombies

        Sanctions are always a broad brush. At the moment disruption of everyday life is one of the most effective options in a country where the only legally available information is telling people that everything is fine. When this clearly isn't the case then some people might start trusting government media less.

        Regarding encryption: most Russians have for years been using Telegram et al. to avoid interception and blocks by the state. Eventually Vlad gave up the attempts to cut it off. So the police are resorting to stop and "unlock your phone" tactics to find out what people think. Or maybe to find out themselves what's going on: the draconian clampdown of the media is the biggest indication that things are going as planned for Russia.

      2. rcxb1 Bronze badge

        Re: "Z" for zombies

        > why don't they use "Let's Encrypt" like all of the budget ISPs and individuals do...

        Because this has nothing to do with Russian companies getting cut-off from other SSL authorities, and everything to do with Russia's growing ambitions to surveil their own people to easily find and arrest dissidents.

        1. Anonymous Coward
          Anonymous Coward

          Re: "Z" for zombies

          Well yes, and to be self-sufficient should they be cut off (including from rest of internet infrastructure)

      3. captain veg Silver badge

        Re: "Z" for zombies

        Might be wrong, but I believe that's swapping in Google surveillance.

        They're only after monetising my online existence, of course, so that's all right then.

        -A.

        1. doublelayer Silver badge

          Re: "Z" for zombies

          It does not swap in Google. Google does not run LE. Also, LE certificates use a key you generate yourself, so nobody gets to decrypt that traffic. I would not be confident that Russia's CA does the same, giving them a potential to MITM more traffic.

          1. captain veg Silver badge

            Re: "Z" for zombies

            Thanks for correcting my laziness. My default position is that anything Google promotes is good for Google*. This might be overly cynical.

            -A.

            *As in good for Google's profits. Which depend on monetising my online existence**.

            **I'd like to hope that, so far as I'm concerned, they are starving.

            1. catprog

              Re: "Z" for zombies

              Yes it is good for google's profits.

              The more sites that are using HTTPS the less advertising ISPs can insert their own ads into it.

              Less competition for advertising dollars = more money for google.

    3. Clausewitz 4.0 Bronze badge
      Devil

      Re: "Z" for zombies

      You are describing the NSA

    4. PriorKnowledge

      This won’t help them to spy

      They don’t get the private key and certificate transparency is required for Chrome and Safari to trust certs - no exceptions. This also assumes they will get their certs added to trusted root CA lists on the browsers Russians use today.

      Now let’s assume there is collusion between the independent log servers and the CA, there are multiple high-security solutions already in use to combat this. For example, static certificate pinning works on Android and iOS apps, rendering duplicate certs by the same CA worthless (just pin the leaf cert rather than the CA). In the future, we will be able to use DANE and DNSSEC to prevent covert spying; even if the CA is completely compromised, things will still be pinned safely.

      1. Danny 14

        Re: This won’t help them to spy

        They can spy via MitM. So now your browser trusts that KremlinTech has signed your webserver cert and is a trusted RootAuth. If they decided to MitM at KremlinISP the client will be presented with KremlinTech cert, which is trusted by the client.

        Not totally invisible but much easier.

        It also makes it much easier for the rst of us to put the cert in the bin where it belongs.

        1. PriorKnowledge

          Re: This won’t help them to spy

          KremlinTech would only ever be able to misuse their privileges once and then they’d be blacklisted on all major operating systems and browsers overnight as CT would rat them out. Remember, this was designed as a proper, universal replacement for HPKP and it works in a far superior way (despite looking potentially less secure).

          CT is mandated with independent lists which Google and Safari both dictate the choices for to the CAs. Additionally, every Enhanced Protection user of Google Chrome also contributes to detecting MitM attempts by contributing data about the sites they visit in real time while being shadowed by a Google bot when things don’t look quite right. Any attempt to MitM would be detected within hours and any attempt to sign without corresponding logs results in a full screen error message with a code of ERR_CERTIFICATE_TRANSPARENCY_REQUIRED.

          Russia would pretty much have to make everyone use Firefox for this to be a viable approach to MitM.

    5. I_am_Robert

      Re: "Z" for zombies

      Isn't Z Dead baby?

  2. Anonymous Coward
    Anonymous Coward

    actually

    if I want to submit information to the Russian Government I would hope their sites are secured with a Russian CA...

    (for example if I was applying for a visa I would hope that the Americans could not see that)

    to be honest each country needs to control their own IP address space rather than the corruption and legal dubiousness of IANA

    (AFRINIC Africa Region

    APNIC Asia/Pacific Region

    ARIN Canada, USA, and some Caribbean Islands

    LACNIC Latin America and some Caribbean Islands

    RIPE NCC Europe, the Middle East, and Central Asia)

    for example the law in Australia is very different than Pakistan (I'm not saying one is right or wrong just different) yet still comes under APNIC which is subject to laws in Singapore AFAIK

    its time to give this Domain and IP space up to each country to manage ASAP otherwise they are going to do it anyway and its going to get messy real fast

    the only reason I can see they didnt do it before is due to money and perceived altruism...

    1. Richard Jones 1

      Re: actually

      If you want to submit to necrophiliac Putin's terrorist mob, you are welcome.

      Please use a one way ticket for your travel to thugland.

    2. the small snake
      Alien

      Re: actually

      So, do you want your browser to have 208 trusted root certs?

      1. Warm Braw Silver badge

        Re: actually

        There's a difference between want and need.

        The PKI trust model is hierarchical and the higher up the tree you go the more trust you assume and the more power you have. Having a small number of root certificates means there's a lot of political and economic power concentrated in a few hands. Getting to decide which root certificates you include in your browser distribution concentrates that power even further. That's a significant price to be paid for convenience.

        Like Britain's unwritten constitution, it kind of works as long as everyone tries to be a good chap but becomes incredibly messy when they don't.

      2. Ken Hagan Gold badge

        Re: actually

        Have you looked at the number of trusted roots accepted by browsers these days? Anyway, like the other guy said, you could easily have tbe UN create one root for countries and countersign the 208 used by governments. Note that countersigning does not mean that the countries have to share their private keys with the UN, so there's really no problem with the OP's suggestion.

    3. steelpillow Silver badge

      Re: actually

      I agree with your sentiment but the implementation is unworkable.

      TLDs (Top-Level Domains) should be issued and maintained entirely transparently by a UN based org.

    4. Jellied Eel Silver badge

      Re: actually

      Not money and altruism, more like trying to manage a fast growing organism that was rapidly evolving. Mistakes were made.

      In the beginning the Internet was built around a few letters, and IP addresses were allocated by UUCP. Namely emailing Jon Postel and asking him if you could score some Class A or Bs. No idea if those emails every raised eyebrows with narcotics LEOs, but I did score some sweet Class B's that way.

      But there was also a realisation that this approach wouldn't scale, and the original pretty rigid hierarchy for Class A/B/C networks wouldn't scale. Addresses would quickly run out, and so would memory for routing tables. Those were the days when large corporations like Ford, Xerox, Nortel etc could score Class As the same way, and end up 'owning' a large chunk of the total potential 'net space.

      So there were new rules for allocation and assignment, and the RIR's like RIPE, ARIN, APNIC etc created to handle them. Along with the introduction and implementation of new tech like CIDR (Classless Inter Domain Routing). Goodbye Class B & C, hello /16 & /24. Under classful networking, the subnet mask wasn't as relevant as the network was defined by the address(ish). So if the first 3 bit of an IP address were 000-011, it was a Class A, 100-101, Class B, 110, Class C.

      So that was why class was originally linked to the first octet of your ID. And because a lot of addresses had been assigned and in use already, carving out space for the RIR's to manage was FUN! And also why ARIN ended up with lots of addresses, and later RIR's got less. Oh, and the swamp, which were legacy allocations from the class era.

      But that also hampered stuff like geographical routing. Which was frustrating, especially as there was a long established functional model that had 'solved' these issues a century earlier, ie the telephone network. There, the first bits indicated if it was a national or international call, then country to send it to, or the area code if it was national.

      The Internet missed a few chances to do the same. Some was historical, ie the 'net was already operational. So CIDR could have done some of this, but would have required a 'Great Renumbering' to drain the swamp and convert the Internet from classful to classless. Especially as customers who'd scored a Class A or B network might have to settle for a /20. We did some planning though, and although technically feasible, an operational nightmare.

      Needless to say that didn't happen.

      Next opportunity was more political, so the replacement of IPv4. That would have been a logical time to add a country code to the IP address. 44.192.168.0.0 would be a UK address, 1.192.168.0.0 would be US. Or Dublin, because telephony has it's quirks as well. But every country would have it's own Internet's worth of space to assign. Simple, effective, and would have solved problem that IPv6 doesn't.

      But when I need IP addresses, I ask RIPE. When I need phone numbers, I ask Ofcom. If IP were assigned the same way as phone numbers, why would the RIR's be needed? So IPv6 preserved the 'need' for RIRs, and avoided their work being transferred to national telecomms regulators like Ofcom.

      But such is politics.

      Oh, and thought for the day. Why, 30yrs post-CIDR (and 'ip subnet zero') do network engineers still think a p2p network link needs a /30, and not a /31? Just one of those things that bugs me because it wastes a lot of IP addresses.

      1. TimMaher Silver badge
        Pint

        Re: score some Class A or Bs.

        Hang on. I had to re-read that to keep it in context.

        Ah well.

        1. Eclectic Man Silver badge

          Re: score some Class A or Bs.

          Upvoted for reading it all the way through

      2. Ken Hagan Gold badge

        Re: actually

        Yawn. Actually adding a fifth octet would have been incompatible with every IP stack in existence and merely booted the problem a decade or so down the path without solving the routing problem. IPv6 is no more incompatible and solves these problems forever (along with several others).

        It also exists and works for those of us that bother to use it.

        1. Robert Helpmann??
          Childcatcher

          Re: actually

          I was just reading an article on IPv6 myths. Pretty funny, really, in that the author started out trying to debunk a few things concerning the format and ended up mostly proving them.

          https://rednectar.net/2012/05/24/just-how-many-ipv6-addresses-are-there-really/

          1. Jellied Eel Silver badge

            Re: actually

            Cheers for that, I hadn't come across that blog before. The exhaustion issue I think better explained in his previous example. So I have a couple of /32 and /48s. /32 is a standard ISP allocation, and /48 is a standard user assigment.

            So an ISP can assign 65,536 /48s before it needs to ask the RIR for more. Last national broadband job I did had around 8m subscribers, who'd get a /56 instead. So customers could still have 256 networks, even though most residential customers neither know, nor care what those are.

            But a Friday thought. I still remember when Cisco's self-defeating network saved Jack Bauer in 24. I don't remember ever seeing an IPv6 address or trace in a movie or TV show. Not sure if that says more about me, or general IPv6 awareness though.

        2. Jellied Eel Silver badge

          Re: actually

          So we could add a 6th to cater for future expansion. Or be very generous and make it 128bits. Or go really wild and make it 128. Which IPv6 did, but only uses 64b for the host. So much bloat.

          But IPv6 was also incompatible with every IP stack, at the time. More importantly, existing hardware was incompatible. So line cards, backplanes, processors, memory etc. Not helped by routers often having PCI backplanes. Even with 16 lanes potentially available, handling 128b is slow and expensive. Also unnecessary given 64b are the host's problem, not the routers.

          But such is politics. Sure, IPv6 could do 2^128 hosts. Ish. It can only do 2^64 networks though, especially given the standard allocations from RIRs. Customers probably need all the addresses to multi-home. Oh, wait... It's so every device on our network can be directly addressed from the outside.

          But IPv6, been there, done that, got much more IPv6 than I'll ever need. Unless I get into cellular networks in the biological sense. Still wish it'd supported geography allocations though, because that would make traffic engineering on global networks a bit more efficient.

          1. Alan Brown Silver badge

            Re: actually

            IPv4 was originally going to use 128bit addressing. Vint Cerf was talked out of it and into 32 bit - because IPv4 was a temporary solution

      3. Irony Deficient Silver badge

        That would have been a logical time to add a country code to the IP address.

        44.192.168.0.0 would be a UK address, 1.192.168.0.0 would be US.

        The country code component would’ve needed ten bits, to accommodate e.g. 998.192.168.0.0 for Uzbekistan.

      4. Graham Cobb Silver badge

        Re: actually

        The world's telcos (and others) did try to replace IPv4 with a new addressing approach: the OSI network address. They were long numbers, assigned in a hierarchical fashion, mostly run by national PTTs.

        Although some parts of the idea fed into IPv6, the key point of control by national telcos most certainly did not. But you can blame the colons on OSI.

        1. Jellied Eel Silver badge

          Re: actually

          Yup. A bit of parallel development, one looking to solve telco problems, the other, not. I think some stuff converged around ASN.1 though.

      5. Alan Brown Silver badge

        Re: actually

        The original concept WAS routed based on the octet. IPv6 DOES route this way

        IPv4 was intended to last 5 years as an interim measure

        1. Jellied Eel Silver badge

          Re: actually

          Kind of.

          Yes, routing is obviously based on IP address, but for the most part, that contains no geographical information. So I'm eel.net, and I have a global ISP. I'm based in the UK, so get a /30 from RIPE, and the route object says 'UK'.

          So I build out my network using that /30. Internally, I could use /32s per region. Externally, I have much less control. This is also true with IPv4. So maybe I peer with APAC networks in Singapore using the /32 I've picked. Maybe I advertise another /32 at the LINX for European traffic. If I don't advertise the /30, parts of my network might be unreachable, if I do, traffic destined for my APAC customers may be handed off to me in London because the Internet favours closest exit, or hot potato routing.

          Country of origin routing would be more efficient though. If destination is 1.X or 44.X, it should probably go via my trans-Atlantic capacity. If I can switch towards my UK-US network without having to read deeper into the header, forwarding traffic is faster, cheaper and more efficient. That also isn't helped by IPv6 inheriting a problem from IPv4, namely the header has the addresses in the wrong order. To fast switch or forward a packet, the important bits are the destination, not the source. I once asked Vint Cerf about that, and it's a holdover from the old DARPA / DoD days where the source was considered the priority.

          But there can be other fun, like geolocation services deciding location based on text in a route object, rather than where an IP address actually is. Country codes would (or should) make that more reliable.

    5. Eclectic Man Silver badge

      Re: actually

      AC: "if I was applying for a visa I would hope that the Americans could not see that"

      The Russian embassy in London is located on a corner and if you want to visit and get a visa you can queue up.* This was so that the UK's (and presumably USA's) intelligence agencies could see exactly who was applying for a visa:

      "The Embassy of Russia in London is the diplomatic mission of Russia in the United Kingdom. The main building and Consular section is located at 5 and 6-7 Kensington Palace Gardens at the junction with Bayswater Road;" (https://en.wikipedia.org/wiki/Embassy_of_Russia,_London)

      *Probably best to wait a bit at the moment

      1. johnfbw

        Re: actually

        Most larger countries visa applications happen in offices outside the embassy. Russia's over is in farrngdon

  3. Anonymous Coward
    Anonymous Coward

    So you propose to have about 200 internets. We should call them nationets. We need an international organisation to work on the interconnection of the nationets.

    1. Yet Another Anonymous coward Silver badge

      And when any packet went between them DHL would charge you a $50 handling fee

  4. brotherelf
    Boffin

    :squint:

    One of those moments where I'm not sure if the article is glossing over what is commonly understood or doesn't get it. The level of danger a MosCA poses is the same whether you are its customer or not. The danger is that CAs are decentralized in a "anybody can issue anything" way. If you root-trust MosCA, they can issue certificates for anything. "I get my regular certificate from them" does not make that easier or harder, because that process doesn't expose the private key in sane setups. (Yes, I know most CAs have insane setups because customers can't keep two files around for two days and find them again.)

    There used to be HPKP, where a site could say "I guarantee my certificates are issued by CA XYZ for the next n days", but that was dead before it got off the ground, because it's only "trust on first use" and requires things like backup keypairs.

    And no, don't answer "what about CAA", this is not what CAA does. CAA is verified at issue-time by the CA, it's protecting against social engineering.

  5. Eugene Crosser

    Snooping? No.

    > As a bonus for Putin, it's rather easy for Kremlin spies to intercept, decrypt, and snoop on connections encrypted using certificates issued by the government. The more websites using Moscow-issued certs, the more connections Putin's agents can quietly monitor.

    This is not how it works.

    Having a CA under your control allows you to create a shadow site that browsers won't be able to tell from the original. It does not allow you to eavesdrop. Private keys are confined to the communicating parties, CAs never see them.

    1. Androgynous Cupboard Silver badge

      Re: Snooping? No.

      Thank you, was going to make the same point.

      It does open the door for this via DNS poisoning - routing everything to the site via some government controlled proxy. I would presume that would be fairly noticeable at the server end with all your traffic coming from one IP, but it wouldn't help the end user so much.

    2. Tomato42

      Re: Snooping? No.

      the "quietly monitor" is about regular users not being able to tell when they are being MITM and when they're not

      yes, just controlling the CA doesn't give you access to server's private keys, but that's a technical detail

      1. Korev Silver badge
        Black Helicopters

        Re: Snooping? No.

        If they have control of the browser and the certificates it uses then they can have as much "fun" as they like...

        1. Eugene Crosser

          Re: Snooping? No.

          Well, if they have control over the browser (a.k.a. the client is compromised), all bets are off. They don't need to bother about issuing any special certificates then.

  6. John D'oh!

    Next it will be "Ruscoins" and "Special Military Operation" NFTs.

    Actually, after typing that it made me think, when Putin says "Special Military Operation", does he mean the operation is special, or the military? Judging by their performance over the last 2weeks I am inclined to say the latter :-)

    1. Yet Another Anonymous coward Silver badge

      The deployment of "special" forces has been delayed because the tanks don't have windows to lick ?

    2. Alan Brown Silver badge

      short yellow tanks?

  7. Anonymous Coward
    Anonymous Coward

    Certifiable

    Yes

    I’m sure Putin is

  8. Anonymous Coward
    Anonymous Coward

    I can't help noticing how some of those fast-tracked, self-decided sanctions are actively helping Putin.

    1. karlkarl Silver badge

      In what way? By making Russia's internet denizens self-sufficient and less tied down to janky cloud services?

      Damn, you might be right haha.

      Gosh, if the UK was sanctioned; where I work might finally have to ween themselves of Microsoft's terrible Office 365 and we can run old copies of 2010 (cracked of course).

      Heck we might need to formally move everyone to Linux/BSD because the DRM servers will no longer work for Windows.

      1. I ain't Spartacus Gold badge

        It only requires 3 countries to put sanctions on the UK to bring us to our knees! If Kenya, India and Sri Lanka should ever form any kind of alliance - then they would have control of our tea supplies. And the tea must flow! The idea is too horrible to contemplate!

        Personally I think we need to create an inhospitable isolated hellhole, devoid of any kind of softness or pleasure, where life can only barely be scratched with utmost willpower and cooperation. Then populate it with criminals and very fit aggressive people and leave them there for a few generations to breed an army of super-human abilities - which we can send in to fight for out tea supplies. Should that dire need ever arise. I suggest we call this place, Skegness...

        1. Anonymous Coward
          Anonymous Coward

          I believe they tried that a few centuries ago. Place was called Australia, IIRC. They toughened up, came back to England, and took their Ashes, I believe, among other things.

        2. Yet Another Anonymous coward Silver badge

          >If Kenya, India and Sri Lanka should ever form any kind of alliance - then they would have control of our tea supplies

          Can't we all just drink Yorkshire tea?

          1. Danny 14

            isnt Yorkshire tea just regular tea bags that have been dried out and reused? That sounds like a Yorkshire thing.

            allegedly. red rose forever!

            1. Yet Another Anonymous coward Silver badge

              Oh Mr La Di Da Di southerner with your use once and throw it away teabags.

              We used work 25hours a day in t'tea mines for t'tpence a month .... etc ... etc

      2. Anonymous Coward
        Anonymous Coward

        I think there's a misunderstanding here.

        TLS and the certificate authorities it depends on are not related to the cloud.

  9. Anonymous Coward
    Anonymous Coward

    release the data once they figure out how to extract it, and hope that it informs Russians

    trouble is, a majority of Russians do not wish to be informed (aka lalala, I'm not listening!) It's so much easier to draw a line between state propaganda: 'Evil West is trying to punish RUSSIANS again, because they hate us and our values!' - when you can't tap to pay for a metro ride in Moscow, buy a ticket online to fly to Turkey, etc. Much easier than look past this bullshit and consider that, PERHAPS 'I live in a shitty country based on a shitty system run by scumbags' - and if so, what am I gonna do about it? Well, you can run abroad, never mind how they perceive Russians in the West now (but this option is really viable if you're young / rich enough / brave enough to break off completely), OR, a more realistic prospect for about 99% of Russians - you keep your head down thinking that, you know, our dear leader might not be all that great and everybody makes mistakes every now and then (the tsar tries hard, but these awful boiars!, but surely, there's no smoke smoke without fire, the West's always been out to get us, remember Napoleon, remember Hitler, remember how 'they' tried to destroy us in the good old Soviet times... and now, they're at it again!

    p.s. I do not feel contempt, I just feel sorry for them. And then, I listen to this or that Ukrainian radio station, and all their radio channels broadcast the same, joint programme now, and then all those channels, like a domino, switch to auto-message that their presenters need to hide in air-raid shelfter because the air raid, sorry, we'll be back soon, and they broadcast the same, awful auto-message how to give 1st aid, how only to trust information from reliable circles, how to report suspicious behaviour, some uplifting song here and there. And then, the images and videos, not only those shown by mainstream media... then I find it so hard to 'feel sorry for the Russians' for keeping their heads down.

    1. Anonymous Coward
      Anonymous Coward

      Re: release the data once they figure out how to extract it, and hope that it informs Russians

      There’s been revolution in Russia before - Just saying!

      1. Anonymous Coward
        Anonymous Coward

        Re: release the data once they figure out how to extract it, and hope that it informs Russians

        That said...

        1) October 1917 followed

        - failed revolution of 1905 (after the short [but not] victorious war against Japan

        - 1914-1917 WW1 carnage

        - another, failed revolution (Feb 1917, if I remember correctly)

        2) don't forget the consequences, for Russia and the world, of that October 1917 revolution.

        1. EvilDrSmith Silver badge
          Headmaster

          Re: release the data once they figure out how to extract it, and hope that it informs Russians

          Does the February / March (depends on which calendar you are using) count as a failed revolution?

          'Failed' implies that the revolution failed to over-throw the old order. The March revolution saw the Tsar stand down, and introduced something resembling (by the standards of the time) a democratic government, and thus achieved it's aims.

          That the October/November revolution then over-threw the democratic (~ish) government is perhaps a failure of the post-revolution government, rather than the revolution itself?

          But your core point is accepted.

          1. Eclectic Man Silver badge

            Re: release the data once they figure out how to extract it, and hope that it informs Russians

            Revolutions can be tricky little blighters

            The Who: 'Won't get fooled again'

            "[Chorus]

            I'll tip my hat to the new Constitution

            Take a bow for the new revolution

            Smile and grin at the change all around

            Pick up my guitar and play

            Just like yesterday

            Then I'll get on my knees and pray

            We don't get fooled again"

            https://genius.com/The-who-wont-get-fooled-again-lyrics

            1. EvilDrSmith Silver badge

              Re: release the data once they figure out how to extract it, and hope that it informs Russians

              Indeed - Meet the new boss, Same as the old boss...

        2. Anonymous Coward
          Anonymous Coward

          Re: release the data once they figure out how to extract it, and hope that it informs Russians

          The enemy of my enemy is my friend. In this case the Communists represent the main opposition party to the fascists that have overrun the Kremlin and finally tipped their hand.

          But yes, Russia has had a long and bloody history of internal strife. The collapse of the Soviet Union was comparatively peaceful.

          If there's anything the West can do here, it is to provide information and organisation to those that oppose.

          Just as Putin has manipulated the West's own enemies into positions of power here too.

          Fucking hate this species sometimes. All hail our glorious cockroach overlords

    2. AVee

      Re: release the data once they figure out how to extract it, and hope that it informs Russians

      when you can't tap to pay for a metro ride in Moscow, buy a ticket online to fly to Turkey, etc. Much easier than look past this bullshit and consider that, PERHAPS 'I live in a shitty country based on a shitty system run by scumbags'

      You're not wrong there. However, if you can do all those things, doesn't that pretty much have the same effect? You know, bread and circuses.

  10. TimMaher Silver badge
    Linux

    Raspberry

    My pi-hole servers will need updating.

    1. Hubert Cumberdale Silver badge

      Re: Raspberry

      Out of solidarity for the Ukrainians (not that it'll make a lot of difference...), I've already added a filter for .ru TLDs and all Yandex-related domains. Anyone know of any good general lists of non-.ru Russian domains? Maybe we can de-throne Putin with a thousand tiny (and admittedly fairly pointless) cuts.

  11. Anonymous Coward
    Anonymous Coward

    Huh?

    > The portal is silent on which browsers will accept the certs. This is a critical matter, because if browsers don't recognize or trust the certificate authority that issued a cert, a secure connection isn't generally possible.

    Last I checked, it was possible to install arbitrary CA certificates on Firefox and, I imagine, other browsers. That's how a lot of corporate IT works.

    It is also possible to, very painfully, disable (but not uninstall, short of rebuilding the browser) the default certs. When you do that, you realise that only 4-6 of them are needed for pretty much every website you'll ever visit.

    Anyway, TLS is pretty broken as this demonstrates. There is no easy fix, but a recent proposal for PGP based certificates based on a sort of web of trust model shows some promise.

    Lastly, we need people talking more to each other, not less.

    1. doublelayer Silver badge

      Re: Huh?

      You can manually add a CA if you want to, but automatically adding one to every browser in Russia is going to be a lot harder. The average citizen is going to not do that, visit a site that redirects to HTTPS, and get a browser warning.

      "Anyway, TLS is pretty broken as this demonstrates."

      Neither the part I answered nor the rest of your comments demonstrates this. TLS as a protocol doesn't care where the CAs are. It's fine. Even including the issue of CA governance and use, you need to demonstrate why the existing system is flawed; less centralized power might be nice, but it would also eventually weaken the ability to monitor for unsavory behavior and revoke those untrustworthy authorities, something browser-makers frequently do. Requiring every site to issue a key and find lots of others to cosign it will not be done by many sites, putting users at greater risk.

  12. Peter X

    If the Yandex browser is the only one that will recognise the new Putin-certs and the majority of Russians end up using that browser, what if the Yandex browser stops recognising certs issued outside Russia? I can imagine Putin might see that as a good thing since there's even less possibility of "the people" being able to view outside news sources (although that might be blocked anyway?).

    So I'm just wondering if non-Russian sites might do well to support serving traffic over HTTP as well as HTTPS; they might well do anyway... I've not been keeping up!

  13. Anonymous Coward
    Anonymous Coward

    Fake facts

    Having the signing cert in this case an issuer which effectively only signs in the public key of the s server certificate does not and can not compromise the client/server connection security. That just a dump fear mongering. You can argue that man in the middle is possible but only if the browser collaborates with the issuing entity to trust the fake issuer which in turn also could present a fake server certificate. Otherwise how in the hell you will come up with the private key just by being certificate issuer? If you say that the issuer could just generate also the server cert then does not also need to spoof DNS as well. At the end why is not trustible a cert signed by private company and not by govs or public institutions?

    1. Yet Another Anonymous coward Silver badge

      Re: Fake facts

      Honest question from someone whose network admin is limited to wiggling a dodgy bit of cat-5

      My browser has lots of certs included from places that I don't necessarily trust (ie. Belgium),

      That can't change the trust certificates for microsoft.com but they could sign a certificate for "totally-not-a-scam.microsoft-updates.com" and my browser would show a reassuring green padlock and hover-over could even say it was registered to "Microsoft Ltd" if that's what the naughty people had put in their registration.

      Am I understanding this correctly ?

      1. catprog

        Re: Fake facts

        change the DNS to one you control and change the IP address of microsoft.com to a server you control.

        Now you sign the certificate of "Microsofty.com" and the browser thinks it is connecting to the right one.

    2. catprog

      Re: Fake facts

      Who says you need to change the DNS. If you control the routing in the area you can change it so every IP goes through your server.

      As for the root certificate organization being trusted. Do you trust the root certificate organization mentioned in this article(I.e the Russian government)

  14. mbee

    Proproganda Newage style

    This piece is informative until the bottom where is dives into proproganda , anti Russian drivel. Russia has a beef with the present Ukraine government, a beef you can recognize as driving the war or ignore and refight WWI all over again which started from similar small causes. . The 1994 nuclear agreement called for the Ukraine to always be neutral, joining NATO, an organization hostile to Russia is not neutral. Russians have an interest in seeing the Ukraine does not murder any more Russian speakers in the Ukraine who objected to the Obama/Merkel sponsored armed coup of 2014 which ran the elected anti NATO president out at gun point. They want the three break away areas recognized by the Ukraine as separate countries. That is it.

    1. Andre Carneiro

      Re: Proproganda Newage style

      Happy to be proved wrong but I am not aware that there were any provisions in the 1994 Budapest agreement for any of the signatories to "remain neutral"?

      Regardless, though, the annexation of Crimea had already kinda blown that out of the water wouldn't you say?

      1. Anonymous Coward
        Anonymous Coward

        Re: Proproganda Newage style

        > I am not aware that there were any provisions in the 1994 Budapest agreement for any of the signatories to "remain neutral"?

        There weren't any. It was supposed to be a gentleman's agreement and nothing was written, but if you are old enough you will remember that was everyone's understanding at the time (if not, you can look it up). In the early 90s Russia wasn't in a position to press the issue too hard either, plus they just trusted us.

        The problem is that you only get to break your word once as it's worthless after that.

        The US chose a strategy of using NATO to maintain tension with Russia while at the same time preventing Western Europe from pursuing their own independent foreign policy. Whether that would have led to a better outcome we'll never know but it should have been tried anyway.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022