A protester holds a placard reading “Putin – No!” during an opposition rally in central Moscow, on March 10, 2019, to demand internet freedom in Russia. With internet and cybersecurity companies exiting the company, the web could be about to get far less open and secure in Russia than it was before the Ukraine invasion. (Photo by ALEXANDER NEMENOV/AFP via Getty Images)
AFP via Getty Images
Ordinary Russians face another major blow to their everyday lives due to the backlash to President Vladimir Putin’s invasion of Ukraine. On the same day, two major web-security companies have decided to quit selling to them, making Russians’ internet use more vulnerable to Kremlin snooping, hacking and other cybercrimes.
The departure of the two companies, Avast, a $6 billion antivirus provider based in the Czech Republic, and Utah-based website-certification firm DigiCert, will further isolate the country of 145 million people.
“We are horrified at Russia’s aggression against Ukraine, where the lives and livelihoods of innocent people are at severe risk, and where all freedoms have come under attack,” Avast CEO Ondrej Vlcek wrote on Thursday.
Vlcek said the company was including Belarus in the withdrawal of services, and was continuing to pay the full salaries of employees in Russia and Ukraine, many of whom it was helping to relocate.
“We do not take this decision lightly,” Vlcek wrote. “We’ve offered our products in Russia for nearly 20 years and users in this country are an important part of our global community.”
While Avast joins other antivirus companies, including NortonLifeLock and ESET, in halting sales, Russians will still be able to get antivirus protection from Moscow-based Kaspersky and other providers within the country. The departure of DigiCert could prove more significant.
DigiCert is one of the world’s biggest providers of website certificates, which aim to prove that when a person visits a site it’s owned by the entity they expected. If a website loses that certificate, it’s possible for hackers or a government to intercept a person’s attempt to reach a given site and replace it with their own webpage. That could then be used to launch spyware on the individual or trick them into entering their username and password, which could then be stolen and offered for sale, or used by the perpetrator. It could also be used to spy on what users are doing on a given website.
In Russia, where fears of cybercrime and repressive surveillance are rife, the ramifications of DigiCert’s withdrawal could be huge. That Russia is reportedly working on creating its own digital signature entity won’t allay concerns over surveillance, given it’ll be under the control of the Kremlin.
“This really worries me,” says Alan Woodward, a cryptography expert at the University of Surrey. “What it means is you can conduct man-in-the-middle attacks to listen in.”
DigiCert has yet to comment on the withdrawal, but two Ukrainian government departments, including its State Service of Special Communications and Information Protection of Ukraine, announced DigiCert was to pause “issuance and reissuance of all certificate types affiliated with Russia and Belarus.”
Mykhailo Fedorov, deputy prime minister and head of Ukraine’s digital transformation department, celebrated the announcement Friday morning. “The occupier is rapidly losing all tools and technologies of the 21st Century,” he said. “Refusal to issue international certificates will mean a loss of confidence in Russian resources in the world.”
DigiCert’s departure is also another signpost pointing to Russia’s increasing pariah status in the digital world. In recent weeks, internet backbone providers and major cloud suppliers like Amazon, Google and Microsoft have pulled out of selling to the country. If Russia continues its assault on Ukraine, it’s possible its internet could eventually resemble North Korea’s, where the government controls all the websites that users can still visit.
Follow me on Twitter. Check out my website. Send me a secure tip.