Root Causes 07: Russian Disconnection from the Internet
Russia has stated that it will disconnect from the internet as a trial exercise for full-blown cyber warfare. This idea presents many problems for Russian services, systems, and businesses, especially since they depend on global systems such as DNS and public Certificate Authorities. Join us to learn some of the problems Russia will face if indeed it disconnects.
- Original Broadcast Date: February 19, 2019
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
Today, I get to pick the topic, and I have picked Russia. Russia has stated that they are going to “unplug” from the internet for some period of time. I did a bit of research. The period of time isn’t entirely clear to me but I guess it’s substantial enough to prove the concept of disconnecting internet traffic inside of Russia from the rest of the world in order to prepare for a state of full-on cyber war.
-
Jason Soroko
So, this is a temporary disconnection, Tim?
-
Tim Callan
That’s my understanding from the headlines. It’s really vague but the gist of it is it looks like they’re going to somehow decouple stuff that happens inside Russia from stuff that happens outside Russia for a long enough period of time that everybody can understand how all of this is going to work. I guess they can prove their concept and then reconnect it again. Think of it as a fire drill or a trial run for a date in the future when Russia decides that there’s some kind of full-blown cyber war going on and they need to be independent of the rest of the internet.
-
Jason Soroko
So that means if you’re a citizen in Moscow during this period of time, you’re not looking at your Facebook account?
-
Tim Callan
Presumably. Presumably your Facebook and Twitter are gone. If you happen to have a Bank of America bank account you will not be able to access that. And I can see that. I can see saying, “Ok, we’re going to say that citizens don’t get access to Twitter. We don’t really care.” But this strikes me as deeply problematic in much more basic ways. In terms of things like domain registry or certificates, all these systems depend on parties that are outside national boundaries, and I'm unconvinced this kind of thing is actually workable.
-
Jason Soroko
Especially because of the fact that they’ve installed a whole lot of trust mechanisms, certificate-based trust mechanisms that are centralized outside of Russia.
-
Tim Callan
Right.
-
Jason Soroko
Yeah. Challenging.
-
Tim Callan
This is my hypothetical, an extreme hypothetical, but if three or four CAs revoked every certificate they had for every Russian bank, I think the Russian electronic economy would just kind of stop.
-
Jason Soroko
This would be an act of war, obviously, where the commercial CAs perhaps were compelled by western governments to do some of this. This is the kind of scenario we’re looking at.
-
Tim Callan
Sure, but let’s set that aside. So for some period of time there is a parallel internet and the two are not allowed to talk. What happens with certificate revocation? What if there is a bad actor who is sitting there waiting for the day, waiting for the second that they’re going to disconnect because they have their activities that they plan on and they know that they will be immune to certain responses that would shut them down? They know that nobody will be able to take back a DNS address or nobody will be able to revoke a certificate for the duration of this, we’ll call it an outage. That’s a real exploit that somebody could really do.
-
Jason Soroko
I guess obviously there’s all kinds of use cases that we’d have to consider, but doing something as simple as: You’re a citizen in Moscow. You’re looking at a website even within Moscow, the checking of that SSL certificate that perhaps was provisioned onto the web server would’ve been revoked, and therefore then what does the browsing experience look like?
That might be the simplest use case. Could be quite difficult there.
-
Tim Callan
The OCSP servers are not in Russia, so OCSP checking is not happening. What about renewal? What happens when my certificate expires during that downtime period and I can’t renew it? What happens if I'm trying to get a certificate and I'm in the midst of the process? I'm in the midst of authentication, and it becomes broken, and I can’t authenticate my DNS?
-
Jason Soroko
There’s just so much where the key material originates from somewhere else and is validated somewhere else outside of Russia.
-
Tim Callan
Yeah. It just feels to me like the collateral damage is really high.
-
Jason Soroko
So theoretically then Tim, do the Russians feel confident that they have a solution to this or are they considering some grand re-engineering effort that could take years, and are they willing to bite the bullet to get to that point during a potential shutdown?
-
Tim Callan
Right. Again you can imagine—and the headlines seem to suggest—that this is kind of a nuclear option, right? That we need to be prepared for the ultimate worst case, and in the ultimate worst case there will be a certain amount of collateral damage, and we’re willing to live with it.
But what’s interesting is if the reports are correct, they’re going to go ahead and live with it with a little bit now. Right? It would be like saying, “Look we’re prepared for the nuclear option and yeah, we’ll go ahead and nuke a few of our citizens today just to see what it’s like.”
-
Jason Soroko
Yeah. And I'm sure the results of that, the way that it will be portrayed outside of Russia, will be a little bit different than what it would actually look like in reality. It is perhaps also a bit of marketing by Russia to say, “Look we could do this, and we’re willing to do this.”
You know if you were to try to pull that off in a western country, you know it might result in a little bit of flak, let’s say.
-
Tim Callan
Absolutely. It would be hard to imagine getting away with that in a European or a North American country. You’d think that that would be a non-starter in terms of the collateral damage and the harm it would do to various individuals. Like, I think about domain names that are up for renewal. If a domain name expires during that time period, domain squatters can go get those. Now inside of Russia, it’s still resolving to your site. But outside of Russia it’s resolving to the domain squatter.
This is assuming you’re not on a .ru. Let’s say you’re on .com/.net or one of the common TLDs. So then after they reunite, it’s going to the main TLD, right? It’s going to go back to what Verisign says, at which point the domain squatter now owns it and people in Russia start resolving to the domain squatter. That’s it. You didn’t renew your domain. You don’t get to go get it back.
-
Jason Soroko
One of the things that always interested me over the past few years was watching the way that Russian ISPs have a very different set of rules and therefore it is a very different kind of internet for Russians anyway. Especially nefarious Russians, of which there might be a few.
In other words, if you and I, Tim, were to call up our local ISP and say, “Hey I’d like to hire your internet services. Would you mind giving me a different IP address 100 times per second?”
-
Tim Callan
“Don’t worry about why.”
-
Jason Soroko
Yeah. “Don’t ask any questions, but that’s what I need.” In Russia that happens every day. In North America, they’ll probably call the police on you. It’s a different world.
-
Tim Callan
It’ll be interesting to see if it really happens. I think you brought up a good point which is there’s a difference between saying you’re going to do this and actually doing it, and it may be that saying you’re going to do this accomplishes their goals. If it really goes on there are going to be consequences, and there are going to be people in Russia who are hurt by those consequences.
-
Jason Soroko
Yes, even if it was very brief. Russia has a lot of people. And a lot of them are our audience.
It’s incredible how connected a lot of people’s lives are. Don’t forget there’s also a lot of very legitimate commercial activity in Russia that will be affected.
-
Tim Callan
You bet. There are lots of tech savvy business people who just want to be business people and want to be part of the global economy, and this is a kick in the teeth to those people if this really happens.
-
Jason Soroko
It’s a very fascinating subject, Russia wanting to always exert itself and exert its powers. This is one way of doing it.
-
Tim Callan
We will continue to follow this story, and in the event that they actually do disconnect, we’ll come back and talk about it and what we think and what happened. But in the meantime, I just can’t wait to see what goes on. I'm just fascinated and baffled and just dying to see how it all plays out.
-
Jason Soroko
As you always say at the top of the podcast, you know it’s a couple PKI guys watching the world and both of us look at this subject and just shake our heads like, “Hey does anybody know how the internet actually works?”
-
Tim Callan
It’s a, “Who woulda thunk it?” moment. You know I always say that governments don’t recognize that the internet is bigger than they are, and this seems to be an example of that.
But at the same time I know that Russia has an awful lot of very smart computer scientists. A lot of them are much smarter than I am, and surely somebody asked these questions. So, unless it’s just posturing, it feels like they think that this is viable.
-
Jason Soroko
Well, during the Australia podcast, we considered the fact that a very smart western government felt that it was above the laws of physics.
-
Tim Callan
Right.
-
Jason Soroko
But you know, it may still take some time for them to find out otherwise. It may be the same case in Russia right now.
-
Tim Callan
That could be what’s happening right now here. You know whenever governments try to be bigger than the internet, it has never worked out, but maybe this one will be different. It’s really going to be interesting.
-
Jason Soroko
It’s something to keep an eye on.