Certificates ban for Russian government websites following the WAR in Ukraine

Hi there,

As you know, signing authorities based in countries that have imposed sanctions on Russia can no longer accept payments for their services, leaving many sites with no practical means to renew expiring certificates. Among them are many government websites. In response, Russia has created its own TLS CA, which is trusted by at least Yandex Browser, with a market share of around 16%. Not only does this step make it possible to overcome those sanctions, it also makes it possible to abuse the root CA and perform HTTPS traffic interception (MITM attack).

As an alternative, Russian websites can install Let's Encrypt certificates, renew them frequently and stay online.

Are there any plans to ban Russian websites (at least government owned) on Let's Encrypt?

9 Likes

This has been discussed at length on this community.

The recap is, if you are not on the SDN list you won't get blocked. (So, most government and government-adjacent websites will be refused issuance)

As for private websites, it's good that they can have an actual certificate and can avoid asking their users to install that joke of a root certificate which can then be used to MITM them on any website.

6 Likes

Hi 9peppe,

Thanks for the reply. It would have been better if I had read more carefully across recent threads instead of posting a duplicate question here. Sorry for the inconvenience.

At the same time, any website asking its users to install "trusted certificates" has a low success rate. It's not only about what Russian authorities can do to trick their citizens, it's also about what the civilized world is ready to do for victims of the ongoing aggression. I agree that all the actions should follow existing rules; however, it really makes sense to review these rules and adjust them according to real threats as soon as possible.

1 Like

It's about who we are thinking about.

Let's Encrypt's aim is ubiquitous TLS encryption, and that's not for the server administrators, it's for their users.

So if government propaganda websites find themselves without a certificate while personal blogs still have valid ones, that's good.

And also, think about how an action like this will influence the current conflict (hint: not much, maybe not at all).

5 Likes

The rationales against actions such as revoking certificates and banning service have been discussed in this forum extensively in the past, especially over the past two weeks, and within the context of the current war. I suggest you educate yourself on the matter by searching this forum and reading the relevant topics.

4 Likes

All such arguments--in the threads @9peppe linked to making identical requests, and in the dozens (if not hundreds) of past threads about scam or otherwise illegal websites using Let's Encrypt certs--depend on the same incorrect assumption: that a TLS certificate in some way validates the bona fides of a website operator. It doesn't, it can't, and it never has. The cert validates only that the server you're communicating with has demonstrated control over the domain name you're using to communicate with it. As someone put it, the cert verifies that you're communicating privately, but you could be communicating privately with Satan.

And given that, the asserted fact that bad people are using certs from Let's Encrypt is really, well, meaningless. That isn't a new threat. It isn't a surprising threat. It isn't really a threat at all. It's something LE knew when they built their service, and chose, with the concurrence of the CA/Browser forum, to accept.

4 Likes

So if government propaganda websites find themselves without a certificate while personal blogs still have valid ones, that's good.

Agree on this. Thank you.

2 Likes

I suggest you educate yourself on the matter by searching this forum and reading the relevant topics.

I already did. @9peppe kindly provided useful links as well as short recap.

Thank you.

3 Likes

I definitely understand what TLS certificates are used for. At the same time, your explanation makes it clear for someone who doesn't.

Thank you, really appreciate it.

3 Likes

Hi,

De facto, Letsencrypt can and will be used to avoid sanctions.
As long as Letsencrypt supports Russian and Belarusian regions/domains, you support killing innocent people.
Please restrict these regions/domains in order to stop the war and deaths.

Regards,
Kharyton

I'm glad you joined to post the same misunderstanding that hundreds of others before you have posted. The CA validates only domain control, and should not exercise any editorial control over the domains they certify beyond what's legally required.

5 Likes

I'm glad that you post the same misunderstanding that hundreds of others before you have posted.
But Russian bombs, with Belarusian support, are killing hundreds of people EACH DAY.
If the company doesn't want to be Russia's biggest ally on the certificate-issuing front of this war, it should take action.
Thanks for your attention.

Please search the forum. Certificates benefit internet users a lot more than internet website operators.

And the main threat right now is the Russian governmental CA, from this point of view. Each user that doesn't install its root certificate is a win in my book.

And please know that government and government-adjacent websites are banned already.

3 Likes

It is not the government who are killing my people. It is ordinary Russians, who come here to burn, rape and kill. They are internet users. You want benefits for the occupation army. That is exactly what I'm against.

Thanks for your attention.

What do you mean "ordinary Russians"? I thought it was their army.

We are mesmerized every time a Ukrainian farmer steals a tank using their tractor and posts a video online, but that has nothing to do with TLS certificates.

The question is another: do you want the Russian government to be able to intercept and attack any TLS connection inside the country? (And potentially, the world?)

If you don't want that, Russian private websites need a way to obtain a certificate that does not rely on the Russian govt. And their users need to steer clear of the govt CA.

4 Likes

That's what I mean by ordinary Russians.
They already have legislation to install the root certificate into browsers. So that is ALREADY happening.

So right now you are basically fighting for the ability of the Russian government*/people to avoid sanctions using Letsencrypt services.

*I've read that gov sites are banned, but they will create clones and aliases.

And clones and aliases will be banned as well.

23% opposed is a lot, when opposing can be the difference between life and prison/death.

You do realise that Russia is a totalitarian state and their media are under govt control, right? I explain the 58% that way.

4 Likes

Thanks for advocating war, but I want to hear actual position of the company.

No. We're arguing for the ability for everybody to communicate privately on the internet, which is all a certificate means or has ever meant. The cert does not, and cannot, in any way validate the bona fides of the certificate holder. It is not the role of the CA to do so, and they should not make it their role.

Even if the unanimous story we're hearing in the west (to wit, that Putin is Satan incarnate, and Ukraine is as pure as the driven snow) is true, certs should be issued to anyone who can demonstrate control over the domain(s) in question. Period.

3 Likes

If you'd read the topics linked above, you'd already know that.

4 Likes