Testing of Russian SSL certificates begins on the website of public services

The Russian authorities are taking steps to cure "certificate dependence" on Western countries - and are introducing their own encryption system for HTTPS traffic.

The plans to create a Russian certification authority (CA) for issuing SSL certificates became known last year . Then it was reported that the presidential administration is discussing how to further secure the transfer of data on the Internet in the event of a conflict with foreign partners. At the same time, experts suggested: the first Russian SSL certificates will be installed on the website of state services and other state portals, and for mass use of SSL certificates of the Russian CA, the main manufacturers of operating systems and browsers - Microsoft, Google, Yandex and others - may require preinstall a special root certificate in your products.

Now the implementation of the plan has begun, Russian Presidential Adviser German Klimenko told Izvestia.

Pilot tests of Russian SSL certificates will be conducted on the public services portal and project sites of the national search system “Sputnik”. Then it is planned to connect "sites where there is personal data, financial transactions and legal information." The Russian SSL is implemented by the Ministry of Communications, Rostelecom (co-owner of the Sputnik system) and leading Russian developers of cryptographic equipment, including the company Crypto-Pro, which is called closely related to the FSB. The company's management claims that about a third of the company's employees used to work in the FSB.
')
A long-time champion of the introduction of Russian SSL certificates is Ilya Massuh, director of the Center for Competence on Import Substitution in the Field of Information and Communication Technologies. He explains what the danger of using foreign certificates is: “The main danger is that the certificate can be revoked, and this can be done by the organization that issues it. Once it is revoked, the connection is no longer encrypted and secure. Russian traffic can be decrypted. ”

But some independent experts see the situation with the exact opposite. It is after the introduction of Russian certificates that state authorities will be able to decode traffic, in accordance with the law of Spring. With foreign SSL certificates, state bodies cannot obtain encryption keys, and this is unacceptable. Those who are engaged in wiretapping cannot help but be depressed by the fact that the number of sites using SSL certificates in Russian domain zones is growing rapidly. In July 2015, there were 109 thousand such resources in the .ru zone, in July 2016 - 189 thousand, and in July 2017 - 531 thousand.

Ilya Massuh noted that Russia has its own encryption school, but despite this, it has become a “certificate-dependent” country. The problem needs to be urgently addressed.

The Russian encryption standard is already actively used in electronic-digital signatures. They are issued by certification centers that have received a license from the FSB. Now Russian encryption keys will be implemented for the HTTPS protocol:

“Our encryption protocol is more reliable and faster than a foreign one,” emphasizes the head of the Netoscope project, Pavel Khramtsov.

According to Khramtsov, today domestic certificates are supported by the Sputnik browser and all browsers compiled in open source. There is a special module for Mozilla Firefox. “The work of the Russian certificate will not create difficulties for users,” said the head of the Sputnik project, Maxim Khromov. - If the browser supports domestic encryption, it will be used. Otherwise there will be a connection through foreign SSL certificates. ” Probably, according to this scheme in the future all browsers should work, the use of which will allow in Russia.

“For these purposes, it is planned to make changes to 8 FZs (“ On providing access to information on the activities of state bodies ... ”). As a result, if the user opens, for example, the portal of public services in the Chrome browser, he will receive a message stating that to use this website he should install a certain version of “Sputnik” or “Yandex Browser”, ”said Ilya Massuh, who also heads the Internet + Sovereignty sub-working group during the presidential administration.

The search engine "Sputnik" created a trusted version of your browser using Russian encryption algorithms from the company "Crypto-Pro" in the spring of 2016 . At the same time, it was reported that Yandex was also working on a similar project, although it was refuted by the company. However, in May 2016, Ilya Massukh said that Sputnik and Yandex developed beta versions of their browsers using Russian encryption algorithms. This information was then confirmed by the commercial director of Crypto-Pro, Yuri Maslov. He said that the company provided its “CryptoPRO CSP” utility on a non-commercial basis to “Sputnik” and “Yandex”, which is used to encrypt and imitate data, ensure the integrity and authenticity of information: “At Sputnik, as far as I know, this version of the browser ready and already demonstrated, Yandex is still in the process. ”

According to the general director of the Internet Technical Center (TCI) Alexey Platonov, the cost of deploying CAs with the implementation of root certificate support into main browsers and operating systems will be only 200-300 million rubles. and it will take four to five years. According to the interlocutor of the Kommersant newspaper, close to the presidential administration, the pre-installation of the Russian certificate will be decided at negotiations with the OS and browser development companies and, if they do not meet, "legislative regulation".