Runet will receive encryption from the center – Newspaper Kommersant No. 222 (7423) dated 11/30/2022

The government proposes to oblige developers of browsers and operating systems to maintain state encryption certificates to which the sites of companies subject to sanctions have been transferred. This includes certificates using Russian algorithms. Now they are not supported either in software from Microsoft, Apple and Google, or in Yandex and VK browsers. So far, fines and other sanctions for violations are not provided, but experts allow their introduction. If Russian cryptography becomes totally mandatory, market participants specify, the circulation of e-mail may be disrupted.

“Kommersant” got acquainted with the draft amendments to the Federal Law “On Information”, submitted by the government to the State Duma on November 28. The document, in particular, describes the work of the National Certification Center (NCC) of the Ministry of Digital Development, which issues certificates for establishing an encrypted connection between sites and users. The project provides that the NCA will issue certificates, including those based on Russian cryptographic algorithms in accordance with GOST. The government proposes to oblige all those who develop or modify browsers and operating systems in the Russian Federation to include support for such certificates in their products.

Punishment for non-compliance with the requirement is not provided, clarified “Kommersant” in the Ministry of Digital Development: “We rely on the good faith of the developers, since this will provide unhindered and secure access to Russian sites.” The FSB and FSTEC (they must prepare by-laws for the document) did not respond to Kommersant’s requests.

The NCA began issuing its own certificates for encrypted connection to websites (HTTPS) in March, after foreign centers began to revoke them from sanctioned Russian organizations. At that time, Russian cryptography in accordance with GOST was not used in certificates, but now it is becoming mandatory. OS and browsers from Microsoft, Google and Apple are delivered without the NCA root certificate, and when you try to open sites that have switched to a national certificate (for example, Sberbank), a secure connection is not established in them. Such sites are opened via HTTPS only from Russian browsers that include the NCA root certificate (Yandex Browser and Atom from VK) or if the user installs it on the device himself.

Yandex clarified to Kommersant that, despite the presence of the NCA root certificate, access to sites with GOST encryption is available only when installing the third-party CryptoPro component. It is not planned to add built-in support to Yandex Browser. The same is said in VK.

Now OS and browser developers in Russia — even those whose products are included in the register of domestic software — are not required to support Russian cryptography, says Ivan Begtin, director of the Information Culture NGO: “Such a requirement was made for some state information systems, such as GIS ” Electronic budget. But it was often ignored as remote connections were established through certified VPNs.” He noted that the draft law introduces the very concept of the NCA as one of the GIS, but it does not require a legal framework for its operation.

Russian cryptography, most likely, “will be used by order on the websites of government agencies and state-owned enterprises,” while the rest of the organizations will ignore it, the head of the information and analytical service of the OD “Information for All” Yevgeny Altovsky believes. The draft amendments, he added, do not take into account the fact that encryption is also used in e-mail exchange: “If these certificates are also changed, then mail exchange with foreign countries will become impossible – no one will implement support for Gost algorithms in foreign mail servers.”

According to Sargis Darbinyan, managing partner of the DRC law firm, the new rules will affect both Russian and foreign developers who provide services in the Russian Federation or support software in the country, but so far do not really imply liability for violations. The expert believes that the next step could be blocking sites or fines for developers for abandoning Russian cryptography.

Yuri Litvinenko