Information security during war Consequences of the Ukraine war for internet use
As a contribution to a research paper by Censored Planet, Alexandra Dirksen from Technische Universität Braunschweig investigated the consequences of the war in Ukraine on internet and information security. The first findings have appeared in a paper published at the Usenix Security Symposium 2023, a major international IT security conference, and presented in Anaheim, California, USA.
Russia’s invasion of Ukraine in February 2022 led to various political and economic sanctions. These also had an impact on communication on the internet, inside and outside the country. Various measures were used: for example, censorship by means of (DNS-, TCP- and HTTP-based) geo-blocking (regional blocking of internet content), changes to BGP routing (the Border Gateway Protocol manages the forwarding of data packets from network to network) or the use of a state-controlled certification authority for digital certificates to prove the authenticity of a website.
All these measures restrict freedom of movement within the internet and allow the Russian government to influence the digital flow of information within its national borders.
This paper documents the results of various measurements at the beginning of the war of aggression in several samples (between February and May 2022). Thus, it was tested both inside and outside Russia whether websites are accessible, and if not—why. The researchers also recorded which Russian domains (.ru) have already been switched to the new certificate, and to what extent data routes have changed when websites are accessed.
Russian certification authority
As a result of the economic sanctions imposed by the West, Western certificate authorities (CAs), which are the cornerstone of internet encryption, were temporarily unable to issue certificates to operators of Russian domains. Because of this, and in order to become independent of the West in the long term, Russia introduced its own state-controlled certification authority, the Russias Trusted Certificate Authority (RTCA). In her contribution to the paper, Alexandra Dirksen from Technische Universität Braunschweig deals specifically with the effects of the use of this new certification authority on the internet.
About certification authorities: When a user calls up the domain of a website (e.g. https://www.tu-braunschweig.de), the browser receives a certificate that ensures that the communication is encrypted and thus cannot be intercepted by third parties. These certificates are issued by independent certification authorities that the browser trusts. In order to circumvent this encryption, the attacker would have to, for example, gain control over such a certification authority. However, such attacks are very difficult to carry out. If the responsibility of a certification authority lies in the hands of a state-controlled organisation, however, there is a danger that authorities, for example, could “eavesdrop” on data traffic.
The RTCA published a long list of domains for which it has created such certificates. Among them are some important websites, for example of banks or government institutions. “The measurements showed that most of these Russian certificates were not (yet) in use at the time. The domains continued to use certificates from the CAs we know, e.g. Let’s Encrypt. The few websites that did use it, however, were only securely accessible at home and abroad via the Russian browsers Yandex and Atom. Within Russia, however, Yandex had a penetration of around 11 percent to date (now around 19 percent),” says Alexandra Dirksen. Market-dominating browsers (Chrome, Firefox, Safari) do not trust the RTCA and are therefore not supported.
Consequences for the internet community
“From a technical point of view, there are no reasons to boycott the RTCA on the global internet, for example, by continuing to distrust it in popular browsers,” says Dirksen. However, the Russian government’s actions are a clear violation of the Universal Declaration of Human Rights (Article 19, Freedom of Expression and Information), she adds. “We, as a global internet community, must nevertheless ask ourselves questions: Which of these measures can be interpreted in terms of ‘digital independence’? At what point is the protection of privacy at risk? And how and at what point should the ‘stakeholders’ of the internet act?”
Currently, only users of the websites mentioned, whose number is still relatively small, are affected by restrictions. “Our measurements are now over a year old. In a follow-up project, we are investigating what has changed since then and putting more focus on the progress of RuNets, the sovereign Russian internet that the Russian government decided to implement in 2019.”
This work was done in collaboration with CensoredPlanet at the University of Michigan, USA, with whom Alexandra Dirksen is working on a follow-up project as part of an OTF grant.