HTTPS interception—or “HTTPS eavesdropping”—is a surveillance method in which a malicious actor obtains a rogue certificate (a certificate for a domain the actor does not control) from a Certificate Authority (CA) that the user’s browser trusts, circumventing the protection HTTPS is meant to provide for internet communications. The rogue certificate can be used to intercept a user’s encrypted communication without their knowledge, because the browser accepts the substituted certificate as genuine. In Russia, HTTPS interception has become more prevalent since the government established its own root certificate authority in March 2022, granting the domestic Russian Trusted Certificate Authority (RTCA) the ability to inspect the traffic of users communicating with domains that present RTCA-issued certificates.
Information Controls Fellowship Program (ICFP) Fellow Alexandra Dirksen examined how Russia’s efforts to gain control of the network infrastructure within its borders create the conditions that facilitate HTTPS interception. The research focused on Russia’s deployment of the RTCA as a key component enabling this type of man-in-the-middle attack.
In order to detect HTTPS interception, Dirksen collected handshake data—the data exchanged to establish an HTTPS connection, including the certificate the server presents—through a crawling procedure using a vantage point in Russia and one in Germany, with the Yandex and Google Chrome browsers, respectively. Comparing the certificates observed for the same domain from the two vantage points reveals anomalies across geolocation and domain. These anomalies suggest that the RTCA’s acceptance by the Russian browser Yandex, coupled with other coordinated actions that the Russian state has taken to control its digital infrastructure, enables mass state surveillance through the interception of encrypted traffic—all while maintaining the appearance of a secure connection to the user. Her report outlines the implications for internet users and calls for expanded global monitoring and tools to detect such attacks.
Key Findings:
- HTTPS interception is a realistic attack scenario in Russia, given the state’s resources, its political objective of controlling its digital infrastructure, and the digital infrastructure already within the state’s reach—namely the state-controlled Yandex browser, a domestic Certificate Authority (RTCA), and the sub-network within its borders.
- Russia’s investment in creating the conditions for mass state surveillance through HTTPS interception is a prime example of how governments may abuse their power to conduct mass surveillance in the digital space within their borders.
- The collected handshake data (the data needed to establish an HTTPS connection) reveal anomalies across geolocation and domain that have no meaningful technical explanation, and which could be further analyzed for signs of HTTPS interception.
- Yandex’s acceptance of the RTCA certificate could indicate a deliberate strategy to facilitate HTTPS interception. The observed replacement of a non-RTCA-issued certificate with an RTCA-issued one in Chrome indicates that specific requests within Russia’s internet infrastructure may be routed through intermediaries capable of substituting certificates; it may also indicate a centralized interception point at the ISP or national gateway level.
- While focused on the Russian case, this research is highly relevant to multiple state contexts, given the increasing prevalence of state-controlled certificate authorities globally.
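The comparison described above (collecting the certificate each domain presents from two vantage points and looking for substitutions) can be automated with a small script. The following is an added example written for this summary; it is not code from the report or from the author. It assumes a reference vantage point (labelled "DE") and a comparison vantage point ("RU"), a watchlist of issuer names for the state-controlled CA (the names used are assumed, not taken from the report), and constructed sample observations. It separates three kinds of difference a practitioner must tell apart: a new certificate from the same issuer (usually benign rotation or a CDN edge), a change of issuer (needs a technical explanation), and an issuer on the watchlist (the strongest indicator of certificate substitution). The `fetch_leaf_fingerprint` helper shows how to record the presented certificate with the Python standard library; it is not called by the sample run, which works entirely offline.

```python
"""Compare TLS leaf certificates observed for the same domain from two vantage
points and classify differences that may indicate HTTPS interception.
Added example for this summary, not code from the report."""
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Issuer names treated as belonging to a state-controlled CA. These names are
# an assumption for illustration; a real deployment would derive the set from
# the actual root and intermediate certificates being monitored.
WATCHLIST_ISSUERS = {"Russian Trusted Root CA", "Russian Trusted Sub CA"}


@dataclass(frozen=True)
class Observation:
    """One handshake observation: the leaf certificate a domain presented
    when contacted from a given vantage point."""
    domain: str
    vantage: str       # vantage point label, e.g. "DE" or "RU"
    issuer_cn: str     # common name of the leaf certificate's issuer
    leaf_sha256: str   # SHA-256 fingerprint of the DER-encoded leaf certificate


def fetch_leaf_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the SHA-256 fingerprint of the leaf certificate a server presents.
    Verification is disabled on purpose: a substituted certificate must be
    recorded even when the local trust store would reject it. The connection
    is used for observation only; no application data is sent over it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def classify(reference: Observation, observed: Observation) -> Optional[str]:
    """Explain a difference between the reference and the observed certificate.

    None                 identical certificate, nothing to report
    "same_issuer_rekey"  different certificate, same issuer: usually benign
                         (rotation, CDN edge) but worth logging
    "issuer_change"      different issuer: needs a technical explanation
    "watchlist_issuer"   issuer is a monitored state-controlled CA: the
                         strongest indicator of certificate substitution
    """
    if observed.leaf_sha256 == reference.leaf_sha256:
        return None
    if observed.issuer_cn in WATCHLIST_ISSUERS:
        return "watchlist_issuer"
    if observed.issuer_cn != reference.issuer_cn:
        return "issuer_change"
    return "same_issuer_rekey"


def find_anomalies(observations: List[Observation],
                   reference_vantage: str = "DE") -> List[Tuple[str, str, str]]:
    """Group observations by domain and compare every other vantage point
    against the reference one. Returns (domain, vantage, verdict) tuples,
    sorted by domain and vantage."""
    by_domain: Dict[str, Dict[str, Observation]] = {}
    for ob in observations:
        by_domain.setdefault(ob.domain, {})[ob.vantage] = ob
    findings = []
    for domain in sorted(by_domain):
        per_vantage = by_domain[domain]
        reference = per_vantage.get(reference_vantage)
        if reference is None:
            continue  # no baseline for this domain, cannot compare
        for vantage in sorted(per_vantage):
            if vantage == reference_vantage:
                continue
            verdict = classify(reference, per_vantage[vantage])
            if verdict is not None:
                findings.append((domain, vantage, verdict))
    return findings


def _fp(label: str) -> str:
    """Constructed stand-in fingerprint for the sample data below."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample observations (not real measurement data).
SAMPLE_OBSERVATIONS = [
    Observation("bank.example", "DE", "Public CA A", _fp("bank-de")),
    Observation("bank.example", "RU", "Russian Trusted Sub CA", _fp("bank-ru")),
    Observation("cdn.example", "DE", "Public CA B", _fp("cdn-de")),
    Observation("cdn.example", "RU", "Public CA B", _fp("cdn-ru")),
    Observation("news.example", "DE", "Public CA A", _fp("news")),
    Observation("news.example", "RU", "Public CA A", _fp("news")),
    Observation("shop.example", "DE", "Public CA B", _fp("shop-de")),
    Observation("shop.example", "RU", "Public CA A", _fp("shop-ru")),
]

if __name__ == "__main__":
    for domain, vantage, verdict in find_anomalies(SAMPLE_OBSERVATIONS):
        print(f"{domain:<14} {vantage}  {verdict}")
```

On the sample data the script reports `bank.example` as a watchlist-issuer substitution, `shop.example` as an issuer change, and `cdn.example` as a same-issuer rekey, while `news.example` produces no finding because both vantage points saw the same certificate. Only the first two classes correspond to the "anomalies without a meaningful technical explanation" the report describes; treating every fingerprint difference as interception would drown real findings in CDN and rotation noise.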
Read the full report
Open Technology Fund (OTF)’s Information Controls Fellowship Program supports research into how governments in countries, regions, or areas of OTF’s core focus are restricting the free flow of information, impeding access to the open internet, and implementing censorship mechanisms, thereby threatening the ability of global citizens to exercise basic human rights and democracy. The program supports fellows working within host organizations that are established centers of expertise by offering competitively paid fellowships of three, six, nine, or twelve months in duration.