Russia’s Digital Development Ministry wants to ban the latest encryption technologies from the RuNet
Russia’s Ministry of Digital Development, Communications, and Mass Media wants to ban websites from using the latest encryption technologies, to make it easier for Russia’s federal censor, Roskomnadzor, to block access to RuNet resources containing prohibited content. Experts point out that a number of large Internet companies, including the Russian Internet giant Yandex, currently rely on these technologies — and underscore that this new initiative could lead to another mass block of IP addresses belonging to major providers like Amazon Web Services and Cloudflare, the hosts behind many sites.
Russia’s Digital Development Ministry has published a draft law for public comment, which “bans the use of encryption protocols allowing for hiding the name (identifier) of a web page or Internet site on the territory of the Russian Federation.” According to the bill, sites that violate the ban could be blocked within one working day of the violation being identified.
An explanatory note clarifies that the draft law refers to protocols that use the cryptographic algorithms and encryption methods TLS 1.3, ESNI, DNS over HTTPS, and DNS over TLS, which are “becoming increasingly common.”
“The use of the algorithms and encryption methods listed has the capacity to reduce the effectiveness of using existing filtration systems [for Internet traffic], which, in turn, significantly complicates the identification of resources available on the Internet, which contain information that is restricted or prohibited for distribution in the Russian Federation,” the document says.
“Once upon a time, all of the addresses of sites and pages on the Internet were transmitted in plain text, not encrypted, so when the Roskomnadzor blocking system [first] began working in Russia, it was assumed that the filter would work according to URL, that is, the addresses of individual pages on Internet sites,” explains encryption systems developer Dmitry Belyavsky. “However, one year after [its] implementation, largely under the influence of Edward Snowden’s revelations, the whole world began rapidly switching to using HTTPS — a protocol that provides encryption between the site and the user’s device. For this reason, it’s impossible to block the individual pages of sites that are using HTTPS according to URL.”
As a result, according to Belyavsky, the time came for blocking according to “hostname” — the name of the server where the site is located — which needs to be “turned off,” since the hostname is still transmitted in plain text to establish a connection. “However, a hostname being publicly available also frames the users in some respects and gives out the site in more ways than one. But people in the West are used to thinking that companies don’t care about their confidentiality. Therefore, technologies are now being developed and implemented, [like] DNS over TLS, DNS over HTTPS, and Encrypted Client Hello, which also hide the hostname from an external observer, thereby making it more difficult to find out which sites the user is visiting, and [complicating] the procedure for blocking any Internet sites.”
These technologies are now being implemented actively on the Internet, and many sites hosted by major foreign providers are starting to use them. For example, Google is gradually introducing support for DNS over HTTPS in its browser, Chrome, while Mozilla is gradually enabling this protocol by default in its Firefox browser.
In Russia, DNS over TLS and DNS over HTTPS servers “emerged” at Yandex, says Belyavsky. “According to this draft law, all of the sites that use them will be outlawed in Russia and will have to be blocked. And since it’s impossible to block just them, they will block entire subnets of hosting providers just because of the use of these technologies. That is, Roskomnadzor will block the entire IP address range for Amazon Web Services, Digital Ocean, and Cloudflare again, the way it was when the department tried to block Telegram in Russia several years ago. As a result, the users will suffer once again,” he concludes.
In April–May 2018, when Roskomnadzor had just started trying to block the messaging app Telegram, it ordered a block of several million IP addresses belonging to Amazon Web Services, Google, and Digital Ocean, which caused problems accessing many other services hosted by these providers.
In an explanatory note, the bill’s authors from the Digital Development Ministry add that the department’s Unified Registry of Russian Software “contains information about protocols using cryptographic algorithms and encryption methods that can be used in accordance with the Russian Federation’s legislation.” In other words, according to them, there are alternative technologies for encryption available in Russia, which won’t interfere with Internet blocks.
In addition, the “Voskhod” Research Institute (which is subordinate to the Digital Development Ministry) is creating a certification center in Russia, which intends to issue SSL certificates for encrypting connections to sites using the Russian crypto algorithms “Magma” and “Kuznechik.”
Filipp Kulin, the former co-owner of the hosting provider “Diphost,” notes that the Russian authorities have wanted to replace foreign encryption protocols on the RuNet with domestic ones for a long time, but there’s an obstacle — the majority of operating systems and browsers don’t work with Russian cryptographic algorithms.
Translation by Eilish Hart