Russia is offering its own Transport Layer Security (TLS) certificates to bypass sanctions imposed by Western companies and governments that are limiting citizens' access to websites amid the nation's invasion of Ukraine. Restrictions on foreign payments are leaving many Russian websites unable to renew certificates with international certificate authorities, causing browsers to block access to those sites. As a result, the Russian state has launched a domestic TLS certificate authority (CA) for the independent issuing and renewal of TLS certificates. The risks of Russian-owned and -issued TLS certificates are significant and include traffic interception and man-in-the-middle (MitM) attacks.

Russian certs replace revoked or expired foreign certs

TLS certificates, more commonly known as SSL or digital certificates, let a browser authenticate the site it is connecting to: the certificate binds the site's public key to its domain name and is signed by a CA the browser already trusts, and the TLS handshake then derives the keys that encrypt data between the browser and the server. When a certificate expires, web browsers such as Google Chrome, Safari and Mozilla Firefox warn that a page may be insecure, which can drive users away.

According to a Russian public-service announcement, the state will replace foreign security certificates that are revoked or expire, free of charge and upon request. "The security certificate is designed to authenticate the site on the internet when establishing a secure connection," it added. Widely used browsers like Chrome and Firefox have yet to recognize the state-supplied certificates as trustworthy, and Russians are advised to use Russian-based alternative browsers instead. Russian media has circulated a list of almost 200 domains that have reportedly been told to use the domestic TLS certificate, although it is not currently mandatory.

Security risks posed by Russian-issued TLS certs

The threats posed by the advent of Russia's state-provided certificates are significant for Russian users.
"With the major certificate authorities revoking or simply not renewing the certificates for Russian businesses, they are left in a difficult position," Mike Parkin, researcher and senior technical engineer at Vulcan Cyber, tells CSO. "While it's unlikely that the major browsers will ever accept the new Russian CA, it may be a problem for those users in Russia. They will have to rely on their CA, which is sanctioned by a government that is not well known for respecting user privacy or taking a strong stand against cybercriminals."

Practically, if you can't trust the CA, then you can't trust that they won't authorize certificates that could be used in a MitM attack, Parkin continues. "While a careful user might notice that the certificate they're connecting to isn't their ultimate goal, similar to what they would see going through a web gateway that performs deep packet inspection, the browser would see the signed certificate as legitimate and not throw a warning. This could allow for widespread surveillance, as well as other malicious uses."

Outpost24 CSO Martin Jartelius agrees, adding that if a browser trusts the authority, the one controlling it can abuse certificates for the purpose of plaintext interception of traffic. "Of course, abusing trust this way would lead to a revocation of trust of the authority, but it will work for select purposes, if one is willing to sacrifice the trust for it."

Yuval Wollman, president of CyberProof and ex-director-general of the Israeli Intelligence Ministry, tells CSO: "If you want to minimize the risk, keep your employees away from any Russian-issued TLS certificates because their legitimacy is questionable, and control over them is unclear.
Block access to sites using Russian-issued TLS certificates at the infrastructure level using a blacklist, until the situation develops further and can be reassessed."

Threat actors prepare for Russian "sovereign internet"

Russia's actions have prompted observers and Russian-speaking threat actors to speculate that the nation's total disconnection from the global internet is imminent, according to a Flashpoint blog post. "This would happen under a 2019 Law on Sovereign Internet. According to Russia's legislation, disconnecting Russian internet infrastructure from the global internet would be a defensive move, although this leaves a wide room for interpretation," it read.

Flashpoint suggests this could make websites from outside Russia unreachable for Russian users, create service degradation, and defeat evasion methods such as VPNs. Russian-speaking threat actors are therefore actively looking for ways to bypass increasing state control over online traffic if authorities try to disconnect Russia altogether, Flashpoint added. Flashpoint analysts observed threat actors suggesting several workarounds for existing and potential future blocks on various forums, including:

- A content bot on the SliVap forum offered software using anti-DPI technology, which would allegedly allow users to bypass existing blocks by not leaving the digital fingerprints typical of VPN, Tor and proxy services that deep packet inspection (DPI) relies on to block those evasion techniques.
- A VPN service advertised on the YouHack forum claims to be able to bypass DPI and prevent ISPs from logging DNS queries.
- Users of the top-tier Exploit forum suggested using a Telegram bot that provides Tor bridges (relays that are not listed in the public Tor directory and are therefore theoretically not blocked). Earlier, users suggested using a VPN-Tor-VPN combination to bypass blocks.