There's certainly a history of Russia insisting on at least DNS and/or TLS SNI transparency.
For example, Russia once banned access to all Amazon AWS IP space and a lot of Google space because these services were permitting "domain fronting", in which intentionally presenting a Host: header different from the requested SNI name was being accepted and the request was proceeding per the Host label. Not being able to track what sites Russian users were visiting, even without seeing the content, was apparently a red line even back in 2018.

With the various sanctions involved, I can see why Russia would respond this way. Someone has to issue certs for their sites, after all, and many CAs are now unable to.

Is there any reason to believe that browsers responding to this root won't just lead to mandatory Russian browsers?

On Thu, Mar 10, 2022 at 2:02 PM MCC CS <[email protected]> wrote:

> Dear all,
>
> I hope this is the correct place to start this discussion.
>
> Today it was reported that (https://bugzilla.mozilla.org/show_bug.cgi?id=1758773)
> Russia is distributing a Root CA (https://crt.sh/?id=6316640888), which according to one user,
> an ISP said it was mandatory. The certificate can be downloaded from the third button on https://www.gosuslugi.ru/tls
> Although at present there's no MitM, it's likely that government websites will start using this and once adoption is high enough Russia will perhaps start MitM.
>
> Considering that the ISP was told it was mandatory, the certificate is worth urgent consideration.
>
> An option we can consider is to allow the certificate for only the websites linked on gosuslugi.ru
> Because of retaliation, Russia might be seen correct to reduce their reliance on Western certs.
> To minimize the damage on Russian users, by allowing the root certificate for only the listed websites OR for
> all .ru domains, the risk of MitM will be negated and the given reason of "reducing reliance on Western certs"
> will be resolved. If the certificate is blocked completely, Russia-based users could be harmed further,
> as they would have to follow the government against interventions of Mozilla et al, who are vulnerable
> to name-and-shame in case if certificates currently used by RU companies are revoked.
>
> I decided to start this thread to accelerate the examination of this certificate. Many thanks
>
> --
> You received this message because you are subscribed to the Google Groups "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/trinity-9d689c1a-13b1-4c2a-8eaa-a59ae6cdeb2e-1646941533378%403c-app-mailcom-bs15.
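The scoping option raised in the quoted message (accept the root only for .ru names) can be sketched as a per-root name check. This is an added example, not part of the thread and not Mozilla's or any browser's code; the policy table, its placeholder fingerprint key and the function names are hypothetical, and ordinary chain validation is assumed to have already succeeded.

```python
# Added example: scope a specific root to permitted DNS suffixes.
# Hypothetical policy table: root identifier -> permitted suffixes.
# The key is a labelled placeholder, not the real certificate's hash.
CONSTRAINED_ROOTS = {
    "PLACEHOLDER-ROOT-SHA256": ("ru",),
}


def _labels(name):
    """Lower-case the name, drop a single trailing dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def within_suffix(name, suffix):
    """True if `name` is at or below `suffix`, compared label by label.

    Comparing whole labels (not a raw string suffix) keeps 'example.xru'
    and 'example.ru.attacker.example' out of scope for the suffix 'ru'.
    """
    n, s = _labels(name), _labels(suffix)
    if "" in n:  # empty label, e.g. 'example..ru'
        return False
    return len(n) >= len(s) and n[-len(s):] == s


def chain_acceptable(root_id, hostname, san_dns_names):
    """Decide whether a chain ending at `root_id` may be used for `hostname`.

    Roots without an entry pass through unchanged. For a constrained root,
    the requested hostname and every dNSName in the leaf must be in scope,
    so one certificate cannot pair an in-scope name with an out-of-scope one.
    """
    suffixes = CONSTRAINED_ROOTS.get(root_id)
    if suffixes is None:
        return True
    names = [hostname, *san_dns_names]
    return all(any(within_suffix(n, s) for s in suffixes) for n in names)
```

Checking every dNSName in the leaf, rather than only the requested hostname, mirrors how X.509 name constraints treat a certificate as a whole.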
