The use of Russian CA Certificates in mobile devices raises digital security concerns

February 16, 2024

Gadgets released for the CIS market over the past 18 months might ship with Russian CA Certificates. These certificates could potentially grant Russian authorities access to your private communications, posing a significant threat to your privacy and security.

What happened?

Since early 2022, Russian authorities have been promoting the use of “national certificates” (CA Certificates) for website security within the country. This transition is expected to accelerate in 2024, potentially impacting online payments and website accessibility.

The adoption of Russian “national certificates” raises security concerns for some users. Experts highlight potential vulnerabilities such as access to sensitive data (“national certificates” could grant unauthorized access to emails, government services, and even bank accounts), and device control (attackers could potentially leverage access to exploit functionalities for malicious purposes).

What is a CA Certificate?

Think of them as security checks for websites. They verify that the connection between you and a website is encrypted, protecting your data from being intercepted and tampered with. Encryption essentially scrambles the information, making it unreadable to anyone without the decryption key.

Various independent and trusted organizations issue CA Certificates globally as digital security underwriters with established guidelines and rigorous vetting processes.

Russia has implemented its own system using national CA Certificates. However, some within the international IT community express concerns about this approach. The main point of contention revolves around the perceived lack of independence of these national CA Certificates from the Russian government. This raises questions about their potential vulnerability to influence or control, which could compromise the security and privacy of users relying on them.

The presence of a CA Certificate confirms the website’s identity, and the data exchanged between the user and the server is reliably encrypted (such encryption prevents third parties from getting hold of the user’s personal and banking data).

While visiting websites, browsers like Chrome, Edge, Opera, and Safari check for a CA Certificate. This certificate plays a crucial role in online security for verifying website identity (ensuring you’re connecting to the legitimate website and not a fake one trying to steal your information – phishing), and encrypting data (making the information you send and receive from the website unreadable to anyone intercepting it, protecting your privacy and securing sensitive data like passwords or credit card numbers).

What is happening in Russia?

The use of foreign security certificates for Russian websites has seen changes since the spring of 2022. Following the large-scale Russian invasion of Ukraine, some foreign companies involved in issuing security certificates began implementing restrictions or adjustments for Russian websites. The full scope and impact of these changes are still evolving.

The Russian authorities decided to take advantage of the situation, and the country’s Ministry of Digital Development, Communications and Mass Media began to impose its own Internet security certificates in Russia.

Now, in order to use the online services of various Russian companies (banks, delivery organizations, government agencies and other types of private enterprises), the user must either install the “national certificate” of Internet security on their device or use the Russian Yandex or Atom browsers, where the Ministry’s certificates are already embedded by default. Technically, the process is being carried out by the Russian state-controlled Rostelecom company (almost half of the shares belong to the Russian government) in accordance with the contract signed with the Ministry.

What is the problem?

Concerns exist within the international IT community regarding the trustworthiness of the Russian center issuing internet security certificates. This contrasts with the claims made by the Russian Ministry of Digital Development, Communications and Mass Media, which assures users that local certificates guarantee safe website use.

Since 2022, some major Russian companies, primarily state-owned, including banks like Sberbank and VTB, have implemented a requirement for users to access their online services using certificates issued by Rostelecom or through specific browsers like Yandex and Atom pre-installed with these certificates. Otherwise, you will not be able to use the online services.

Digital security experts raise concerns about potential risks associated with using Russian national certificates or browsers like Yandex and Atom. Using these options could theoretically grant Russian authorities greater access to data exchanged between users and websites. This raises concerns about privacy and potential misuse of such information. The technical specifications and procedures behind these certificates and browsers might lack the transparency and independent oversight present in international standards, adding uncertainty about their security effectiveness.

Back to Armenia

It is true that many Android devices sold in Armenia, particularly those intended for the CIS market, come pre-installed with browsers like Yandex. This is not unique to Armenia and reflects a similar trend across the CIS region. Manufacturers typically configure devices for different markets based on various factors, including local consumer preferences, technical requirements, and safety regulations. The CIS region, with Russia as a dominant market, plays a significant role in these considerations.

Our conversations with representatives of two major Armenian smartphone and tablet importers suggest many consumers buy devices pre-loaded with software catered to the CIS market. This includes features like a Russian interface, which remains preferred by some Armenians compared to English.

How to protect yourself?

Of course, the best option is to refuse Russian “national certificates” or Yandex and Atom browsers.

But if you must deal with the services provided by the online platforms of Russian government agencies or with, for example, VTB Bank, it may be wise to keep a second smartphone for this purpose, one that is not usually with you and can often be turned off. (By the way, the Armenian branch of VTB, VTB-Armenia Bank, does not have such a requirement, and you can use the bank’s online services with the Chrome, Edge, Opera, Safari and Firefox browsers.)

If you don’t have a second smartphone, you can use a virtual device on your computer, the creation of which is detailed here and here.

Use a reliable VPN: the data you exchange will be encrypted by the VPN, and in order to get to your information, the bad guys must first “crack” the VPN encryption.

Depending on your specific device and operating system, you might be able to locate and manage any installed internet security certificates, including those issued by “Russian Trusted Root CA.” The process for doing so usually involves accessing the “Settings” section on your device and searching for options related to “certificates,” or “trusted certificates.”
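On a desktop computer the same check can be scripted. The following is an added example, not part of the original article: it lists the CA certificates that Python's ssl module trusts (or those in a PEM bundle you point it at) and flags any whose subject or issuer common name contains "Russian Trusted Root CA". The function names, the WATCHLIST variable and the SAMPLE entries with their serial numbers and dates are constructed for illustration.

```python
import ssl

# Common name taken from the article; matching is case-insensitive.
WATCHLIST = ("russian trusted root ca",)

def name_fields(name):
    """Flatten the nested tuples ssl uses for X.509 names into a dict."""
    return {key: value for rdn in name for key, value in rdn}

def flag_cas(ca_certs, watchlist=WATCHLIST):
    """Return (commonName, serialNumber, notAfter) for every trusted CA whose
    subject or issuer common name contains a watchlist entry."""
    hits = []
    for cert in ca_certs:
        subject = name_fields(cert.get("subject", ()))
        issuer = name_fields(cert.get("issuer", ()))
        names = [subject.get("commonName", ""), issuer.get("commonName", "")]
        if any(entry in n.lower() for entry in watchlist for n in names):
            hits.append((subject.get("commonName", "?"),
                         cert.get("serialNumber", "?"),
                         cert.get("notAfter", "?")))
    return hits

def load_trusted_cas(pem_bundle=None):
    """Read trusted CAs from a PEM bundle, or from the platform default store."""
    if pem_bundle:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=pem_bundle)
    else:
        ctx = ssl.create_default_context()
    return ctx.get_ca_certs()

def _name(country, cn):
    return ((("countryName", country),), (("commonName", cn),))

# Constructed sample in the shape get_ca_certs() returns; serials and dates are made up.
SAMPLE = [
    {"subject": _name("RU", "Russian Trusted Root CA"), "issuer": _name("RU", "Russian Trusted Root CA"),
     "serialNumber": "01", "notAfter": "Jan  1 00:00:00 2032 GMT"},
    {"subject": _name("RU", "Constructed Sub CA"), "issuer": _name("RU", "Russian Trusted Root CA"),
     "serialNumber": "02", "notAfter": "Jan  1 00:00:00 2027 GMT"},
    {"subject": _name("US", "Constructed Public Root"), "issuer": _name("US", "Constructed Public Root"),
     "serialNumber": "03", "notAfter": "Jan  1 00:00:00 2035 GMT"},
]

if __name__ == "__main__":
    hits = flag_cas(load_trusted_cas())
    for cn, serial, not_after in hits:
        print(f"flagged: {cn} serial={serial} expires={not_after}")
    print(f"{len(hits)} watchlisted CA certificate(s) in the trust store")
```

This only covers the store Python reads on the machine where it runs; some browsers, such as Firefox, keep their own certificate store, and phones have to be checked through their Settings menu as described above.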

Finally, keeping your software updated helps protect your device from security vulnerabilities and ensures you have access to the latest features and improvements.

This article draws on information and insights from a publication by Холод.