Big web security firms are abandoning Russia, leaving netizens open to more Kremlin spying

Ordinary Russians are facing another blow to their daily lives due to the backlash from President Vladimir Putin’s invasion of Ukraine. On the same day, two major web security companies decided to stop selling to them, making Russian internet use more vulnerable to spying, hacking and other Kremlin cybercrimes.

The departure of the two companies, Avast, a $6 billion antivirus vendor based in the Czech Republic, and Utah-based website certification firm DigiCert, will further isolate the country of 145 million people.

“We are horrified by Russia’s aggression against Ukraine, where the lives and livelihoods of innocent people are under grave threat and all freedoms are under threat,” Avast CEO Ondrej Vlcek wrote Thursday. .

Vlcek said the company included Belarus in the withdrawal of services and continued to pay full salaries to employees in Russia and Ukraine, many of whom were helping relocate.

“We do not take this decision lightly,” Vlcek wrote. “We have been offering our products in Russia for almost 20 years and users from this country are an important part of our global community.

While Avast joins other antivirus vendors, including NortonLifeLock and ESET, by halting sales, Russians will still be able to get virus protection from Moscow-based Kaspersky and other vendors in the country. The departure of DigiCert could turn out to be more significant.

DigiCert is one of the world’s largest providers of website certificates, which aim to prove that when someone visits a site, it belongs to the entity they expected. If a website loses this certificate, it is possible for hackers or a government to intercept someone’s attempt to access a given site and replace it with their own web page. This could then be used to launch spyware at the individual or trick them into entering their username and password, which could then be stolen and offered for sale, or used by the perpetrator. It could also be used to spy on what users are doing on a given website.

In Russia, where fears of cybercrime and law enforcement surveillance are rife, the ramifications of DigiCert’s withdrawal could be enormous. that Russia is would have working to create its own digital signature entity will not dispel concerns about surveillance, given that it will be under Kremlin control.

“It really worries me,” says Alan Woodward, a cryptography expert at the University of Surrey. “What this means is that you can conduct man-in-the-middle attacks to eavesdrop.”

DigiCert has not yet commented on the withdrawal, but two Ukrainian government departments, including its State Service for Special Communications and Information Protection of Ukraine, announcement DigiCert was to suspend “the issuance and re-issuance of all types of certificates affiliated with Russia and Belarus.”

Mykhailo Fedorov, Deputy Prime Minister and Head of Ukraine’s Digital Transformation Department, celebrated the announcement on Friday morning. “The occupier is rapidly losing all the tools and technologies of the 21st century,” he said. “The refusal to issue international certificates will mean a loss of confidence in Russian resources in the world.”

DigiCert’s departure is also another sign of Russia’s growing pariah status in the digital world. In recent weeks, internet backbone providers and major cloud providers like Amazon, Google and Microsoft have stopped selling domestically. If Russia continues its assault on Ukraine, its internet may resemble that of North Korea, where the government controls all the websites users can still visit.