The Root Causes podcast explores the important issues behind today’s world of PKI, online trust, and digital certificates. Early in 2019 the Kremlin announced plans to temporarily disconnect all Russian traffic from the internet as a proof of concept for a potential future cyber war. At the time our hosts Jason Soroko (CTO of PKI, Sectigo) and Tim Callan (Senior Fellow, Sectigo) discussed what a Russian disconnection from the internet might mean and the pitfalls associated with it. With recent announcements from the Russian government that this trial run is complete, now is a good time to revisit that discussion.
(Lightly edited for flow and brevity, this podcast originally appeared February 26, 2019.)
Tim: Today, I get to pick the topic, and I have picked Russia. Russia has stated that they are going to “unplug” from the internet for some period of time. I did a bit of research. The period of time isn’t entirely clear to me but I guess it’s substantial enough to prove the concept of disconnecting internet traffic inside of Russia from the rest of the world in order to prepare for a state of full-on cyber war.
Jason: So, this is a temporary disconnection, Tim?
Tim: That’s my understanding from the headlines. It’s really vague but the gist of it is it looks like they’re going to somehow decouple stuff that happens inside Russia from stuff that happens outside Russia for a long enough period of time that everybody can understand how all of this is going to work. I guess they can prove their concept and then reconnect it again. Think of it as a fire drill or a trial run for a date in the future when Russia decides that there’s some kind of full blown cyber war going on and they need to be independent of the rest of the internet.
Jason: So that means if you’re a citizen in Moscow during this period of time, you’re not looking at your Facebook account?
Tim: Presumably. Presumably your Facebook and Twitter are gone. If you happen to have a Bank of America bank account you will not be able to access that. And I can see that. I can see saying, “Ok, we’re going to say that citizens don’t get access to Twitter. We don’t really care.” But this strikes me as deeply problematic in much more basic ways. In terms of things like domain registry or certificates, all these systems depend on parties that are outside national boundaries, and I'm unconvinced this kind of thing is actually workable.
Jason: Especially because of the fact that they’ve installed a whole lot of trust mechanisms, certificate-based trust mechanisms that are centralized outside of Russia.
Jason: Yeah. Challenging.
Tim: This is my hypothetical, an extreme hypothetical, but if three or four CAs revoked every certificate they had for every Russian bank, I think the Russian electronic economy would just kind of stop.
Jason: This would be an act of war, obviously, where the commercial CAs perhaps were compelled by western governments to do some of this. This is the kind of scenario we’re looking at.
Tim: Sure, but let’s set that aside. So for some period of time there is a parallel internet and the two are not allowed to talk. What happens with certificate revocation? What if there is a bad actor who is sitting there waiting for the day, waiting for the second that they’re going to disconnect because they have their activities that they plan on and they know that they will be immune to certain responses that would shut them down? They know that nobody will be able to take back a DNS address or nobody will be able to revoke a certificate for the duration of this, we’ll call it an outage. That’s a real exploit that somebody could really do.
Jason: I guess obviously there’s all kinds of use cases that we’d have to consider, but doing something as simple as: You’re a citizen in Moscow. You’re looking at a website even within Moscow, the checking of that SSL certificate that perhaps was provisioned onto the web server would’ve been revoked, and therefore then what does the browsing experience look like?
That might be the simplest use case. Could be quite difficult there.
Tim: The OCSP servers are not in Russia, so OCSP checking is not happening. What about renewal? What happens when my certificate expires during that downtime period and I can’t renew it? What happens if I'm trying to get a certificate and I'm in the midst of the process? I'm in the midst of authentication, and it becomes broken, and I can’t authenticate my DNS?
Jason: There’s just so much where the key material originates from somewhere else and is validated somewhere else outside of Russia.
Tim: Yeah. It just feels to me like the collateral damage is really high.
Jason: So theoretically then Tim, do the Russians feel confident that they have a solution to this or are they considering some grand re-engineering effort that could take years, and are they willing to bite the bullet to get to that point during a potential shutdown?
Tim: Right. Again you can imagine—and the headlines seem to suggest—that this is kind of a nuclear option, right? That we need to be prepared for the ultimate worst case, and in the ultimate worst case there will be a certain amount of collateral damage, and we’re willing to live with it.
But what’s interesting is if the reports are correct, they’re going to go ahead and live with it with a little bit now. Right? It would be like saying, “Look we’re prepared for the nuclear option and yeah, we’ll go ahead and nuke a few of our citizens today just to see what it’s like.”
Jason: Yeah. And I'm sure the results of that, the way that it will be portrayed outside of Russia, will be a little bit different than what it would actually look like in reality. It is perhaps also a bit of marketing by Russia to say, “Look we could do this, and we’re willing to do this.”
You know if you were to try to pull that off in a western country, you know it might result in a little bit of flak, let’s say.
Tim: Absolutely. It would be hard to imagine getting away with that in a European or a North American country. You’d think that that would be a non-starter in terms of the collateral damage and the harm it would do to various individuals. Like, I think about domain names that are up for renewal. If a domain name expires during that time period, domain squatters can go get those. Now inside of Russia, it’s still resolving to your site. But outside of Russia it’s resolving to the domain squatter.
This is assuming you’re not on a .ru. Let’s say you’re on .com/.net or one of the common TLDs. So then after they reunite, it’s going to the main TLD, right? It’s going to go back to what Verisign says, at which point the domain squatter now owns it and people in Russia start resolving to the domain squatter. That’s it. You didn’t renew your domain. You don’t get to go get it back.
Jason: One of the things that always interested me over the past few years was watching the way that Russian ISPs have a very different set of rules and therefore it is a very different kind of internet for Russians anyway. Especially nefarious Russians, of which there might be a few.
In other words, if you and I, Tim, were to call up our local ISP and say, “Hey I’d like to hire your internet services. Would you mind giving me a different IP address 100 times per second?”
Tim: “Don’t worry about why.”
Jason: Yeah. “Don’t ask any questions, but that’s what I need.” In Russia that happens every day. In North America, they’ll probably call the police on you. It’s a different world.
Tim: It’ll be interesting to see if it really happens. I think you brought up a good point which is there’s a difference between saying you’re going to do this and actually doing it, and it may be that saying you’re going to do this accomplishes their goals. If it really goes on there are going to be consequences, and there are going to be people in Russia who are hurt by those consequences.
Jason: Yes, even if it was very brief. Russia has a lot of people. And a lot of them are our audience.
It’s incredible how connected a lot of people’s lives are. Don’t forget there’s also a lot of very legitimate commercial activity in Russia that will be affected.
Tim: You bet. There are lots of tech savvy business people who just want to be business people and want to be part of the global economy, and this is a kick in the teeth to those people if this really happens.
Jason: It’s a very fascinating subject, Russia wanting to always exert itself and exert its powers. This is one way of doing it.
Tim: We will continue to follow this story, and in the event that they actually do disconnect, we’ll come back and talk about it and what we think and what happened. But in the meantime, I just can’t wait to see what goes on. I'm just fascinated and baffled and just dying to see how it all plays out.
Jason: As you always say at the top of the podcast, you know it’s a couple PKI guys watching the world and both of us look at this subject and just shake our heads like, “Hey does anybody know how the internet actually works?”
Tim: It’s a, “Who woulda thunk it?” moment. You know I always say that governments don’t recognize that the internet is bigger than they are, and this seems to be an example of that.
But at the same time I know that Russia has an awful lot of very smart computer scientists. A lot of them are much smarter than I am, and surely somebody asked these questions. So, unless it’s just posturing, it feels like they think that this is viable.
Jason: Well, during the Australia podcast, we considered the fact that a very smart western government felt that it was above the laws of physics.
Jason: But you know, it may still take some time for them to find out otherwise. It may be the same case in Russia right now.
Tim: That could be what’s happening right now here. You know whenever governments try to be bigger than the internet, it has never worked out, but maybe this one will be different. It’s really going to be interesting.
Jason: It’s something to keep an eye on.