I’ve read about the issues with certificate authorities such as DigiNotar, and I’m trying to persuade some senior leaders to understand how the legitimacy of certificates affects our security involving everything from Web browsing to VPNs. Is there a simple way to explain the role certificates and CAs play?
Business has flourished on the Internet because of the ability to perform secure transactions; you can verify who you are dealing with and communications between the counterparties are encrypted. This is made possible by using public key encryption and digital certificates. Secure Sockets Layer (SSL) uses public key encryption to encrypt all data between a user’s computer and a website. Information sent to the site is encrypted using the Web server's public encryption key and the server uses its private key to decrypt it. This is called a key pair.
As anyone can create a website and key pair, a mechanism is needed that assures visitors to a site that its public key truly belongs to its owner. This is where digital certificates and Certification Authorities (CA) come in. The primary role of a CA is to be an independent and mutually trusted third party that checks the credentials of an organization to ensure it actually operates a site. The CA creates a digital certificate that contains information such as the organization’s name, location, serial number, public key, expiration date and issuing CA. It binds the site’s public key to the organization’s website address by digitally signing the certificate using its own private key. When a Web browser makes a secure connection to the site, its digital certificate is automatically checked for anomalies or problems, and alerts the user if any are found. If everything is in order, the browser completes the secure connection. In most cases, this process happens entirely behind the scenes between a Web browser and a website, so Web users are unaware of it unless there's a problem with the digital certificate. In those cases, a Web user will typically receive a warning message in his or her browser window about a potential security problem with the website they're trying to visit and advising the user not to continue.
As you can see, a certificate provides assurance to a browser that a website is legitimate, but confidence in the organization’s website and certificate relies on trusting the validity of the CA's key. According to research from the Electronic Frontier Foundation, at least four of the more than 600 certificate authorities have been compromised since June 2011. More than 500 bogus certificates are thought to have been issued for a range of sites including Google and the CIA using the certificate authority DigiNotar’s key. With a forged certificate, a hacker can easily deceive a visitor into believing they are on the official site of Google or the CIA. The padlock would show in the address bar and a valid certificate would appear if checked, giving the user no indication the website were anything but secure and legitimate. Mobile phone users are at even greater risk as the smaller screen size makes it more difficult to notice anything unusual about a site they visit and it is almost impossible to remove digital certificates from a mobile phone. Until the certificate is revoked and their certificate list is updated by the vendor, it is a big problem that threatens Web security across the entire Internet.
Read expert Michael Cobb's answer to a follow-up question about the role certificates and CAs play.
This raises questions as to the longevity of the CA model as it exists today. To protect users against the risk of fraudulent DigiNotar SSL certificates, all major browsers have implemented changes so they no longer trust the DigiNotar SSL certificate authority and any website that was secured using a DigiNotar certificate is now suspect. In the online world, a loss of trust is a loss of business, and, unfortunately, there appear to be no easy answers to this problem on the horizon.
This was first published in January 2012