You Should Not Trust Russia’s New “Trusted Root CA”

Last week, Russian citizens began receiving instructions to either download a government-approved web browser, or change their basic browser settings, according to instructions issued by their government’s Ministry of Digital Development and Communications.

On the one hand, these changes may be necessary for Russians to access government services and websites impacted by international sanctions. Nonetheless, it is a worrying development: the Russian state’s stopgap measure to keep its services running also enables spying on Russians, now and in the future.

The Internet governance entities ICANN and RIPE rejected Ukraine’s requests to revoke Russian top-level domains, access to Domain Name System root servers, and its IP addresses. However, international sanctions have heavily impacted Russia’s internet infrastructure. In part, this has happened because Certificate Authorities (CAs), the trusted notaries that underpin data security on the web, have begun refusing orders from domains ending in “.ru”, and have revoked certificates from Russia-based banks. Because international CAs like Digicert and Sectigo have largely stopped working for Russian websites, the Russian government has stepped in and suggested that citizens install its “Russian Trusted Root CA.”

While the capabilities of Russia’s new root certificate authority are not completely clear, the certificate is valid for ten years. It has the capability not just to issue certificates for domains; it can also inspect the traffic of the users who communicate with those domains.

The new “Russian Trusted Root CA” won’t expire for 10 years

Although this new state-sponsored root CA was apparently prompted by the international sanctions against Russia, the Russian government has long shown signs of wanting more control over internet infrastructure. Russia passed a “sovereign internet" censorship law in 2019, and last year the Russian government ran a test to see if it could disconnect from the global internet.

The internet isn’t just transmission lines and data centers. Internet infrastructure also includes technical services like Domain Name System resolvers, CAs, internet gateways, and domain registries. It will be difficult for the Russian state to create entirely domestic, state-controlled versions of all of these services. But the incentives to try are growing. For example, networking hardware manufacturer Cisco recently cut ties with Russian firms in response to the invasion of Ukraine, making it clear that Russia can’t count on Cisco to aid in domestic surveillance and censorship (Ironically, Cisco has had no compunctions about assisting other regimes with censorship, and indeed had a central role in developing the custom technology needed to build China’s “Great Firewall”).

Some version of a self-contained national internet—a so-called “splinternet”—may be described in terms of domestic self-reliance, but it inevitably comes with opportunities for state surveillance. Russia isn’t the first country to try this. In 2019, Kazakhstan attempted dragnet surveillance with its own root certificate. The Iranian state has proposed a bill to control “international gateways,” so the country’s outbound traffic would be directed through an