Russia – man in the middle attack is possible by the government now

29 points by outcoldman ↗ HN
https://imgur.com/a/hnEPcd8

Just received this email from Russian gov website. It says, that if you want to continue to access some of the russian websites, you need to download a browser, that support them.

https://www.gosuslugi.ru/tls

This website allows you to download root russian CA from, also list of the domain which received already certificates.

-

FYI, I am US Citizen, CO resident, born in Ukraine (USSR) with Russian Citizenship.

6 comments

[ 2.8 ms ] story [ 28.3 ms ] thread
One more update, this website https://news.gosuslugi.ru/ has links to Yandex.Browser on App Store and Google Play, which means this app already has root CA from Russian Government.

Last release notes on those browsers don't say anything about adding root CA.

This seems like an appropriate time to complain that every Apple product comes pre-installed with 172 trusted root certificates [0], and to perhaps reflect on the absurdity of this situation. Why is it necessary for me to trust 172 different entities (not even as a collective, but individually!), and is my only defense against a MITM the hope that Certificate Transparency will catch any violations after they already happened?

[0] https://support.apple.com/en-gb/HT213080

It could be related to recent recall by Thawte of certificates for various Russian banks and government properties.
Devil’s advocate: preventing further disruptions caused by D/DOS attacks on their web based social service infrastructure.
They could simply be preparing for Let's Encrypt or the other for-profit CAs deplatforming them.

Keep the CA in a separate Firefox profile so that it's there if you ever need to access government websites that use it while not being able to MITM on your main profile.

If they’re forcing you a custom browser, they might just as well already include custom certificates in the exe, instead of providing them separately.