Isn't VTB one of the banks subject to sanctions and who have likely had
revocations from other CAs?

If so, this may be properly issued at VTB's request?

On Thu, Mar 17, 2022 at 2:35 PM Ferdinand Vroom <
[email protected]> wrote:

> online-alpha.vtb.ru
>
>  1 s:C = RU, O = The Ministry of Digital Development and Communications,
> CN = *Russian Trusted Sub CA*
>    i:C = RU, O = The Ministry of Digital Development and Communications,
> CN = *Russian Trusted Root CA*
>
> echo | openssl s_client -showcerts -verify_depth 2 -connect
> online-alpha.vtb.ru:443
> CONNECTED(00000198)
> depth=1 C = RU, O = The Ministry of Digital Development and
> Communications, CN = Russian Trusted Sub CA
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = RU, ST = St. Petersburg, L = St. Petersburg, O = VTB Bank
> (PJSC), OU = IT Department, CN = online-alpha.vtb.ru
> verify return:1
> ---
> Certificate chain
>  0 s:C = RU, ST = St. Petersburg, L = St. Petersburg, O = VTB Bank (PJSC),
> OU = IT Department, CN = online-alpha.vtb.ru
>    i:C = RU, O = The Ministry of Digital Development and Communications,
> CN = Russian Trusted Sub CA
>    a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Mar  4 14:59:21 2022 GMT; NotAfter: Mar  4 14:59:21 2023
> GMT
> -----BEGIN CERTIFICATE-----
> MIIGfTCCBGWgAwIBAgIDERAEMA0GCSqGSIb3DQEBCwUAMG8xCzAJBgNVBAYTAlJV
> MT8wPQYDVQQKDDZUaGUgTWluaXN0cnkgb2YgRGlnaXRhbCBEZXZlbG9wbWVudCBh
> bmQgQ29tbXVuaWNhdGlvbnMxHzAdBgNVBAMMFlJ1c3NpYW4gVHJ1c3RlZCBTdWIg
> Q0EwHhcNMjIwMzA0MTQ1OTIxWhcNMjMwMzA0MTQ1OTIxWjCBjzELMAkGA1UEBhMC
> UlUxFzAVBgNVBAgTDlN0LiBQZXRlcnNidXJnMRcwFQYDVQQHEw5TdC4gUGV0ZXJz
> YnVyZzEYMBYGA1UEChMPVlRCIEJhbmsgKFBKU0MpMRYwFAYDVQQLEw1JVCBEZXBh
> cnRtZW50MRwwGgYDVQQDExNvbmxpbmUtYWxwaGEudnRiLnJ1MIIBIjANBgkqhkiG
> 9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDOK99zY4vwINe8e/ReecM05zh/HeeJqlIT+
> 2xWXJuum2MerARuIXglwFC7RzrUZKOqrm/7VXr02X120TDiRYsncNzbC/COlK+JW
> 4ou0QqGj8+9FknprNcdtsOVlHDMwBKO1OOtz9cBeDBo6tQUkby6pwQHUhPMnHQoQ
> yJ6SdwtZfZ8E4jkp+wXqCXdtKzeJAfuyZ0O7bdy7sqnV7UeNDNbwtEFtUtJE5Bqw
> IKXgL8L/u4e+SpJg2SS/GE2MeVVR+y/rzC2MJs5MpQwDch9lZzshSAYIa22JXSQb
> sEuJZ0L2yLsvUNo3udlMLJ3xTVDbmxIC7IsYsIoc63Kn2+7C0QIDAQABo4IB/zCC
> AfswHQYDVR0OBBYEFMCAWwE4HUNpBN+TfJeM0LhneCQEMB8GA1UdIwQYMBaAFNHh
> cQ0LLYFObopKj0wjs0xeq2kLMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMBMGA1Ud
> JQQMMAoGCCsGAQUFBwMBMIHEBggrBgEFBQcBAQSBtzCBtDA6BggrBgEFBQcwAoYu
> aHR0cDovL3Jvc3RlbGVjb20ucnUvY2RwL3N1YmNhX3NzbF9yc2EyMDIyLmNydDA6
> BggrBgEFBQcwAoYuaHR0cDovL2NvbXBhbnkucnQucnUvY2RwL3N1YmNhX3NzbF9y
> c2EyMDIyLmNydDA6BggrBgEFBQcwAoYuaHR0cDovL3JlZXN0ci1wa2kucnUvY2Rw
> L3N1YmNhX3NzbF9yc2EyMDIyLmNydDCBpAYDVR0fBIGcMIGZMIGWoIGToIGQhi5o
> dHRwOi8vcm9zdGVsZWNvbS5ydS9jZHAvc3ViY2Ffc3NsX3JzYTIwMjIuY3Jshi5o
> dHRwOi8vY29tcGFueS5ydC5ydS9jZHAvc3ViY2Ffc3NsX3JzYTIwMjIuY3Jshi5o
> dHRwOi8vcmVlc3RyLXBraS5ydS9jZHAvc3ViY2Ffc3NsX3JzYTIwMjIuY3JsMB4G
> A1UdEQQXMBWCE29ubGluZS1hbHBoYS52dGIucnUwDQYJKoZIhvcNAQELBQADggIB
> AC2vO+1k4mhFFhuSZ6BCvV+fwJ27OBbutuGiofV4MVPLcN5tj3Dv0uKfbimc5CGT
> UEg5kjxNRE2ivH8ahezT47jSB7CrGNV03ePl2mmY0l3GCQAnxEVZ35Ltd8NfXio6
> 6edCRwxDoBm3qazxPpcjNhsZ7TV2w6kZ00CdcF+CpEhplN5TnhUlQDzXfJaBnvGm
> bekkAZw9YKyTrZ7/8yaEHPGVkzZ/OD+wUkPNdB317sy+OcEud93vejK5Fh+WE3Gt
> aL4WTK5qrvl2/zzhPdsO23AY3Uum4d+7wMIOzbjdFxCA1hGn3v7gSqw5FHjt93Gz
> HYzgZepoE5cPYUeRF3ZXwACEnia7DGutWIDLiwzJpCZj6Ty1I+hP4ehNKiapfIE6
> MpkswtMfx4J/79iILswxC064eqikY+z7VNyhijvfeINa0LhCt2YmLMksyPO8yIpx
> Xr0hXBCDeas4taS2BAcWFtpcBNe7idZJueczeiaUVsUNJkc79T9w379HUU3VscV6
> YC6MZ6VScSABSzBoXJwh8auNf2P2YXMgmfUwLQk2hqjJmlGVHbmv7gsGE4p9Q3lX
> WCdOzvUwVJzzd/o+1RtqWDBP2J/bEysj+UA3VVXVWS76wT2orYeLUqzap7OI9NuP
> z4oqVOqQD51YWeIJTRdiP0T/dTJldhJTbMMIjlnB+8lN
> -----END CERTIFICATE-----
>  1 s:C = RU, O = The Ministry of Digital Development and Communications,
> CN = Russian Trusted Sub CA
>    i:C = RU, O = The Ministry of Digital Development and Communications,
> CN = Russian Trusted Root CA
>    a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
>    v:NotBefore: Mar  2 11:25:19 2022 GMT; NotAfter: Mar  6 11:25:19 2027
> GMT
> -----BEGIN CERTIFICATE-----
> MIIHQjCCBSqgAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwcDELMAkGA1UEBhMCUlUx
> PzA9BgNVBAoMNlRoZSBNaW5pc3RyeSBvZiBEaWdpdGFsIERldmVsb3BtZW50IGFu
> ZCBDb21tdW5pY2F0aW9uczEgMB4GA1UEAwwXUnVzc2lhbiBUcnVzdGVkIFJvb3Qg
> Q0EwHhcNMjIwMzAyMTEyNTE5WhcNMjcwMzA2MTEyNTE5WjBvMQswCQYDVQQGEwJS
> VTE/MD0GA1UECgw2VGhlIE1pbmlzdHJ5IG9mIERpZ2l0YWwgRGV2ZWxvcG1lbnQg
> YW5kIENvbW11bmljYXRpb25zMR8wHQYDVQQDDBZSdXNzaWFuIFRydXN0ZWQgU3Vi
> IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9YPqBKOk19NFymrE
> wehzrhBEgT2atLezpduB24mQ7CiOa/HVpFCDRZzdxqlh8drku408/tTmWzlNH/br
> HuQhZ/miWKOf35lpKzjyBd6TPM23uAfJvEOQ2/dnKGGJbsUo1/udKSvxQwVHpVv3
> S80OlluKfhWPDEXQpgyFqIzPoxIQTLZ0deirZwMVHarZ5u8HqHetRuAtmO2ZDGQn
> vVOJYAjls+Hiueq7Lj7Oce7CQsTwVZeP+XQx28PAaEZ3y6sQEt6rL06ddpSdoTMp
> BnCqTbxW+eWMyjkIn6t9GBtUV45yB1EkHNnj2Ex4GwCiN9T84QQjKSr+8f0psGrZ
> vPbCbQAwNFJjisLixnjlGPLKa5vOmNwIh/LAyUW5DjpkCx004LPDuqPpFsKXNKpa
> L2Dm6uc0x4Jo5m+gUTVORB6hOSzWnWDj2GWfomLzzyjG81DRGFBpco/O93zecsIN
> 3SL2Ysjpq1zdoS01CMYxie//9zWvYwzI25/OZigtnpCIrcd2j1Y6dMUFQAzAtHE+
> qsXflSL8HIS+IJEFIQobLlYhHkoE3avgNx5jlu+OLYe0dF0Ykx1PGNjbwqvTX37R
> Cn32NMjlotW2QcGEZhDKj+3urZizp5xdTPZitA+aEjZM/Ni71VOdiOP0igbw6asZ
> 2fxdozZ1TnSSYNYvNATwthNmZysCAwEAAaOCAeUwggHhMBIGA1UdEwEB/wQIMAYB
> Af8CAQAwDgYDVR0PAQH/BAQDAgGGMB0GA1UdDgQWBBTR4XENCy2BTm6KSo9MI7NM
> XqtpCzAfBgNVHSMEGDAWgBTh0YHlzlpfBKrS6badZrHF+qwshzCBxwYIKwYBBQUH
> AQEEgbowgbcwOwYIKwYBBQUHMAKGL2h0dHA6Ly9yb3N0ZWxlY29tLnJ1L2NkcC9y
> b290Y2Ffc3NsX3JzYTIwMjIuY3J0MDsGCCsGAQUFBzAChi9odHRwOi8vY29tcGFu
> eS5ydC5ydS9jZHAvcm9vdGNhX3NzbF9yc2EyMDIyLmNydDA7BggrBgEFBQcwAoYv
> aHR0cDovL3JlZXN0ci1wa2kucnUvY2RwL3Jvb3RjYV9zc2xfcnNhMjAyMi5jcnQw
> gbAGA1UdHwSBqDCBpTA1oDOgMYYvaHR0cDovL3Jvc3RlbGVjb20ucnUvY2RwL3Jv
> b3RjYV9zc2xfcnNhMjAyMi5jcmwwNaAzoDGGL2h0dHA6Ly9jb21wYW55LnJ0LnJ1
> L2NkcC9yb290Y2Ffc3NsX3JzYTIwMjIuY3JsMDWgM6Axhi9odHRwOi8vcmVlc3Ry
> LXBraS5ydS9jZHAvcm9vdGNhX3NzbF9yc2EyMDIyLmNybDANBgkqhkiG9w0BAQsF
> AAOCAgEARBVzZls79AdiSCpar15dA5Hr/rrT4WbrOfzlpI+xrLeRPrUG6eUWIW4v
> Sui1yx3iqGLCjPcKb+HOTwoRMbI6ytP/ndp3TlYua2advYBEhSvjs+4vDZNwXr/D
> anbwIWdurZmViQRBDFebpkvnIvru/RpWud/5r624Wp8voZMRtj/cm6aI9LtvBfT9
> cfzhOaexI/99c14dyiuk1+6QhdwKaCRTc1mdfNQmnfWNRbfWhWBlK3h4GGE9JK33
> Gk8ZS8DMrkdAh0xby4xAQ/mSWAfWrBmfzlOqGyoB1U47WTOeqNbWkkoAP2ys94+s
> Jg4NTkiDVtXRF6nr6fYi0bSOvOFg0IQrMXO2Y8gyg9ARdPJwKtvWX8VPADCYMiWH
> h4n8bZokIrImVKLDQKHY4jCsND2HHdJfnrdL2YJw1qFskNO4cSNmZydw0Wkgjv9k
> F+KxqrDKlB8MZu2Hclph6v/CZ0fQ9YuE8/lsHZ0Qc2HyiSMnvjgK5fDc3TD4fa8F
> E8gMNurM+kV8PT8LNIM+4Zs+LKEV8nqRWBaxkIVJGekkVKO8xDBOG/aN62AZKHOe
> GcyIdu7yNMMRihGVZCYr8rYiJoKiOzDqOkPkLOPdhtVlgnhowzHDxMHND/E2WA5p
> ZHuNM/m0TXt2wTTPL7JH2YC0gPz/BvvSzjksgzU5rLbRyUKQkgU=
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=C = RU, ST = St. Petersburg, L = St. Petersburg, O = VTB Bank
> (PJSC), OU = IT Department, CN = online-alpha.vtb.ru
> issuer=C = RU, O = The Ministry of Digital Development and Communications,
> CN = Russian Trusted Sub CA
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: RSA
> Server Temp Key: ECDH, prime256v1, 256 bits
> ---
> SSL handshake has read 4043 bytes and written 451 bytes
> Verification error: unable to get local issuer certificate
> ---
> New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>     Session-ID:
> 92C894E2E60D09C67B901CB44D55B04285E17D6A23E8004358AF3F991EE5005F
>     Session-ID-ctx:
>     Master-Key:
> 084CA49C3821CFA73463E83DCCDE3DEB4CF0BA51795E6368C7BE8EC8CB8AD9E66B04F2C8D74A43AF570005F1AE4B75B5
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1647544075
>     Timeout   : 7200 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)
>     Extended master secret: yes
> ---
> DONE
>
> On Friday, 11 March 2022 at 02:16:56 UTC+1, ValdikSS ValdikSS wrote:
>
>> I won't rule out the possibility of this CA being used for MiTM some day,
>> but you should be aware that Thawte has revoked the certificates issued for
>> the sanctioned banks, and more likely it's just a second option/last resort
>> PKI chain for a "doomsday".
>>
>> For example, VTB:
>> https://crt.sh/?id=5828347935
>> https://crt.sh/?id=6218871547
>> https://crt.sh/?identity=vtb.ru&iCAID=62131 (all of them)
>>
>> Promsvyazbank:
>> https://crt.sh/?id=4582341817
>> https://crt.sh/?id=2713661323
>> https://crt.sh/?q=psbank.ru&iCAID=62131  (all of them)
>>
>> The Central Bank of Russia (Centrobank):
>> https://crt.sh/?id=2355590937
>>
>> Such development is understandable in the current situation, when many
>> foreign services and even transit ISPs don't want to continue the service,
>> but I doubt they will try to break the internet with MiTM so blatantly:
>> blocks of "offending" websites are more likely, as we've seen for years.
>>
>> On Thursday, March 10, 2022 at 11:26:28 PM UTC+3 [email protected] wrote:
>>
>>> There's certainly a history of Russia insisting on at least DNS and/or
>>> TLS SNI transparency.
>>>
>>> For example, Russia once banned access to all Amazon AWS IP space and a
>>> lot of Google space because these services were permitting "domain
>>> fronting", in which intentionally presenting a Host: header different from
>>> the requested SNI name was being accepted and the request was proceeding
>>> per the Host label.
>>>
>>> Not being able to track what sites Russian users were visiting, even
>>> without seeing the content, was apparently a red line even back in 2018.
>>>
>>> With the various sanctions involved, I can see why Russia would respond
>>> this way.  Someone has to issue certs for their sites, after all, and many
>>> CAs are now unable to.
>>>
>>> Is there any reason to believe that browsers responding to this root
>>> won't just lead to mandatory Russian browsers?
>>>
>>> On Thu, Mar 10, 2022 at 2:02 PM MCC CS <[email protected]> wrote:
>>>
>>>> Dear all,
>>>>
>>>> I hope this is the correct place to start this discussion.
>>>>
>>>> Today it was reported (https://bugzilla.mozilla.org/show_bug.cgi?id=1758773)
>>>> that Russia is distributing a Root CA (https://crt.sh/?id=6316640888)
>>>> which, according to one user, an ISP said was mandatory. The certificate
>>>> can be downloaded from the third button on https://www.gosuslugi.ru/tls
>>>> Although at present there's no MitM, it's likely that government websites
>>>> will start using this and, once adoption is high enough, Russia will
>>>> perhaps start MitM.
>>>>
>>>> Considering that the ISP was told it was mandatory, the certificate is
>>>> worth urgent consideration.
>>>>
>>>> An option we can consider is to allow the certificate for only the
>>>> websites linked on gosuslugi.ru.
>>>> Because of retaliation, Russia might be seen as correct to reduce their
>>>> reliance on Western certs.
>>>> To minimize the damage to Russian users, by allowing the root
>>>> certificate for only the listed websites OR for
>>>> all .ru domains, the risk of MitM will be negated and the given reason
>>>> of "reducing reliance on Western certs"
>>>> will be resolved. If the certificate is blocked completely,
>>>> Russia-based users could be harmed further,
>>>> as they would have to follow the government against interventions of
>>>> Mozilla et al., who are vulnerable
>>>> to name-and-shame in case certificates currently used by RU
>>>> companies are revoked.
>>>>
>>>> I decided to start this thread to accelerate the examination of this
>>>> certificate. Many thanks
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "[email protected]" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/trinity-9d689c1a-13b1-4c2a-8eaa-a59ae6cdeb2e-1646941533378%403c-app-mailcom-bs15
>>>> .
>>>>
>>>
