- This certificates has to be accepted by browsers which most developed by western companies (Like emphasized on the article). So you have to manually add TLS certificate to these browsers. (Which does not sound safe since these service will own by Russian Government)
- Even if they find a solution for this problem. There are many sanction on SWIFT, which will not allow users of this sites to have a purchase.
So is this service is only for their own citizens? If so, why not they just ban other browsers? (We all know how authoritarian and crazy the regime over there. They can kinda do that?)
This national TLC certificate authority not sound so smart. It's like having your own Credit Rating Agency which no body gives a shit about.
This is for Russian websites serving Russian customers, using TLS certificates they had previously sourced from outside of Russia. Because of the sanctions, those websites can't pay to renew their certificates, so this Russian CA offers them domestic-sourced certificates that they can pay for. I'm certain they have no expectation whatsoever that anyone outside of Russia would install this CA certificate; it's not the point of this.
A ban is unnecessary; the websites don't work in other browsers. Switching to a Russian browser or installing the CA certificate will fix the websites. That's what Russian users will do if they want to continue using the websites. You don't need to use the stick when the carrot already exists.
A Certificate authority is someone/group that can create certificates for domains/websites. Anyone can create a certificate authority in 10seconds in cli. For instance it is common for corporations to create their own certificate authority and create certificates for their local intranet corp sites. The problem is that browsers need to trust this certificate authority.
- This certificates has to be accepted by browsers which most developed by western companies (Like emphasized on the article). So you have to manually add TLS certificate to these browsers. (Which does not sound safe since these service will own by Russian Government)
A CA or certs aren't unsafe because of russian government. Certs do 2 things: create an encrypted connection and prove that the website has payed/bribed a CA for a cert. Since Russian sites cannot bribe/pay western companies for a cert and because they are cutting themselves off the internet they (probably) will not be able to access free certs from letencrypt.
The article talks about man in the middle attacks. With a cert a browser can create an encrypted connected between itself and the website. If a person tries to listen in the middle they just get "gibberish" because its encrypted. If the Russian government is acting as the CA it means they have access to the private cert Russian websites are using. They could theoretically change the contents the website sends to the browser because they can create a secure/encrypted connection that is deemed "trusted". They could also modify routes that go to Facebook (because they control the local russian internet/intranet) and instead go to a dummy/fake version. That version could also have a valid & trusted cert issued by the Russian government and says "yes this is facebook".
- Even if they find a solution for this problem. There are many sanction on SWIFT, which will not allow users of this sites to have a purchase.
SWIFT doesn't matter here. If Russia Gov'n or a Russian based company create's a CA and a way to bribe/purchase certs then all is good for Russian websites. Russians just need to have the CA added to their browser or OS.
So is this service is only for their own citizens? If so, why not they just ban other browsers? (We all know how authoritarian and crazy the regime over there. They can kinda do that?)
Browsers aren't the problem, the problem is the centralized "web of trust" used by browsers basically only includes CA from western countries. CA either are so large and used by so many websites that browser must included them as trusted, they bribed the browser maker with money (like Google does with Apple to get google search as default), or CAs come with the OS.
This national TLC certificate authority not sound so smart. It's like having your own Credit Rating Agency which no body gives a shit about.
CA are basically companies that websites/people/corps have to bribe to get a cert trusted by browers. Thanks to letsencrypt we can finally get around the cheapest level of bribes.
- This certificates has to be accepted by browsers which most developed by western companies (Like emphasized on the article). So you have to manually add TLS certificate to these browsers. (Which does not sound safe since these service will own by Russian Government)
- Even if they find a solution for this problem. There are many sanction on SWIFT, which will not allow users of this sites to have a purchase.
So is this service is only for their own citizens? If so, why not they just ban other browsers? (We all know how authoritarian and crazy the regime over there. They can kinda do that?)
This national TLC certificate authority not sound so smart. It's like having your own Credit Rating Agency which no body gives a shit about.
Am I missing something?