The Kremlin reportedly wants to create a state-operated center for issuing SSL certificates
According to a report by the newspaper Kommersant, the Kremlin is considering the creation of a state-operated certification authority, which would issue SSL certificates.
Secure Sockets Layer (SSL) certificates are used to establish an encrypted connection between a browser (your computer) and a server (a website). SSL certificates are small data files that digitally bind a cryptographic key to an organization's details. When installed on a Web server, a certificate activates the padlock and allows secure connections between the server and a browser.
SSL certificates are used by online stores, payment systems, and some government Internet portals, where users upload their personal data.
According to Kommersant, the Kremlin is exploring the possibility of issuing its own certificates, as a means of securing the transmission of such information “in the event of a conflict with Russia's enemies abroad.” The newspaper quotes an anonymous source in Putin's administration saying that officials will meet with developers of operating systems and browsers to discuss a preset Russian certificate. If they can't reach an agreement, the Kremlin intends to pursue “regulatory measures,” Kommersant reports.
Two officials told Kommersant that the company “Crypto-Pro,” which is said to have “close ties” to Russian federal police, is promoting the idea of a government-operated certification authority to grab control of SSL certificates in Russia. Yuri Maslov, Crypto-Pro's commercial director, claims his company didn't lobby the government for a new certification authority, but it has consulted with state officials on the subject, he said.
The “Technical Center of Internet” (TCI) is rumored to be the group that would create the certification authority. TCI is co-owned by the Coordination Center for the Top Level National Domains .RU and .РФ, and the Internet Initiatives Development Fund, which was established at Vladimir Putin's suggestion in 2013.
Alexei Platonov, TCI's general director, estimates that creating and implementing a state-controlled root SSL certificate in major browsers and operating systems would cost roughly 200–300 million rubles ($2.6 million) and take 4–5 years.
“If [foreign certificate authorities] revoke these certificates for some reason, it could jeopardize the secure transfer of data on the RuNet,” a source close to the Kremlin told Kommersant.
The most popular certification authorities throughout the world include Comodo, Symantec, GoDaddy, and GeoTrust. The root SSL certificates offered by these companies are pre-installed as “trusted” on all the common operating systems and Internet browsers.
There are already several certification authorities based in Russia today, but none of them has a root certificate that is pre-installed as trusted on the most popular operating systems and browsers. As a result, users trying to access sites secured with SSL certificates from these authorities receive a warning about an unsafe connection until they manually register the certificate with their computer.
Earlier in February, it was reported that Russia's Ministry of Communications has proposed increasing government control over Internet traffic entering the country. Specifically, officials want to track DNS servers and create a reserve registry of IP addresses, in order to shield the RuNet from connection problems if foreign servers suddenly become unavailable (accidentally or intentionally). The Domain Name System translates domain names into Internet Protocol addresses (the complex strings of numbers that identify devices across the Web). DNS is what allows you to tell your browser to go to “Google.com” instead of “22.214.171.124.”
The Communications Ministry also wants stricter regulations on foreign communication channels and points of traffic exchange, proposing a licensing system for such activities. These measures would supposedly allow the state to offer companies extra protection “in the event of emergencies,” and would ensure that SORM police-surveillance equipment is installed where required.