Every few weeks, I encounter a site or server security “warning.” You've probably come across one or more of these in your work with secure web sites, secure mail servers, and other security apps. What you may not know is that the entire concept of security certificates is very badly implemented. Security certificates are supposedly issued by trusted “security authorities.” But, what do you actually know about these authorities? If your web browser automatically trusts every security certificate it is presented with, are you actually secure?
For example, earlier today, I learned from my e-mail client that the server for one of my e-mail clients has updated its security certificate. Because the people I work with are technically adept, and in several cases technically superlative in ways that language doesn't justly describe, they tend to know all about the weaknesses in the security certificate architecture, disregard them, and issue their own certificates (also known as “certs”). So, my e-mail client presented this disturbing information:
You are about to override how Icedove identifies this site.
Legitimate banks, stores, and other public sites will not ask you to do this.
This site attempts to identify itself with invalid information.
Certificate is not trusted, because it hasn't been verified by a recognized authority using a secure signature.
You can see where I was unable to stop laughing. Legitimate banks?! What on Earth could that mean? A bank is a group of thieves who have a licence from a government to engage in theft on a wholesale, and sometimes also on a retail basis. Unless it is the bank of a river, there is no such thing as a legitimate bank.
You may not be aware of it, but your web browser is probably lying to you. You see, your browser takes you to “secure” sites which have a signed security certificate. But, signed by whom? Why, signed by a trusted authority. So, when your browser displays that little padlock, and shows you the web address with a preceding https, does that mean that you are actually secure?
No, it means nothing of the sort. What it means is, your web browser trusts a signed certificate because it was signed by some supposed authority. So the site you visit is on a server which has a signed security certificate. If you don't know who wrote the site, and you don't know who wrote your browser software, and if your browser software isn't open source, and if you don't know who signed the security certificate, how do you know your private information is actually secure?
You don't. And that may be a really big problem, because trusting a signed certificate, trusting a web site operator, with your credit card numbers, bank account information, or identification details like your date of birth may be a financial problem for you. You may end up seeing your credit card used by a scammer, your identity stolen, your bank account emptied.
These situations might be both costly and time consuming. Even if you don't provide them with funds, web sites that collect your birth date and health information, such as those operated by your doctor or your health insurance provider, may not be secure.
What is wrong with the model currently used to “secure” web pages and apps? The basic problem was stated hundreds of years ago by William of Ockham. John Punch, in the 1600s, said “Don't multiply entities unnecessarily.” So, if you don't know someone, why should you trust a piece of plastic with their name, date of birth, photograph, and other information, provided to you by a government agency? You don't know any of the people at that government agency, do you? You have no idea who they are, nor why they issued this particular identity document.
Similarly, if you don't trust the web site you visit, why should you trust the certificate signed by a certificate authority? How have you narrowed the scope of your trust? Do you actually know anyone at a so-called trusted certificate authority? And if the security certificate is signed by the web site operators themselves, how is that any better, or any worse, than if it is signed by some mysterious certificate signing authority?
There are only a handful of root signing certificate providers. Why is that? Well, fundamentally, it is because governments don't trust people with the ability to encrypt, nor to use cryptographic algorithms to sign anything. In order to be a root signing certificate provider, very large companies got involved very early in the process.
Therefore the process of becoming a root signing certificate provider is centralised. The small number of participants makes it a very lucrative cartel.
How lucrative? So very lucrative that I cannot tell you what it would cost your organisation to purchase the ability to sign certificates from one of these root signing certificate providers. They will “evaluate” your enterprise and take whatever they can get away with taking for the privilege of providing you with this ability.
Each certificate provider has different requirements for trusted root signing certificates. Most will require something similar to the following:
- Identities of all the people working on software systems for the company.
- Substantial net worth for the company, or the individual developer.
- Proof of insurance against liability, to a high value.</P>
- A certification practice statement outlining the company's exact policies on issuing and managing certificates.
- A FIPS 140-2 Level 2 compliant device to generate and manage your root certificate keys.
Obviously, a system with such features is fraught with peril for the individual software developer, especially anyone who wants to develop software that challenges the system in significant ways.
There are, of course, various alternatives. GeoTrust offers a “trusted root signing certificate” capability for various price points from $99 to $499. Of course, then you have to wonder how widely your signed certs are going to be trusted, and that depends on browser and app developers over whom you have no control.
Another alternative is the self-signed certificate. Organisations can generate their own certificate authority, sign their own security certificates, and deal with the fact that browsers and apps are going to throw up warnings about untrusted certificates. Or, to be candid, your browser is going to lie to you about the danger and tell you not to trust something that doesn't have the approval of a member of the cartel.
Of course, there are opportunities in any situation where a handful of giant corporations corruptly allocate worldwide security certificate authority, as seems to be the case. The same kind of thinking that has been applied to finance by Bitcoin and to domain name registration by Namecoin can certainly be applied to security certs.
To give you a sense of how centralised the market is, consider this W3Techs survey from February 2015.
Issuer Comodo might differ in the exact figures.
|3.||Go Daddy Group||13.2%|
On 18 November 2014, a group of companies and nonprofit organizations, including the Electronic Frontier Foundation, Mozilla, Cisco, and Akamai, announced Let's Encrypt a new nonprofit certificate authority that plans to provide free SSL certificates, as well as software to enable installation and maintenance of certificates.
Kaspersky Labs says that about 6,000 security certs signed by “untrusted authorities” were identified by them in 2014. They also note about 110,000 certs signed by what they regard as more trusted authorities. Their concern seems to be that malicious software (mal-ware) may be lurking at some sites with self-signed or “untrusted” authority-signed certs. Their “answer” is to only use software and only trust the big giant conglomerates.
Of course, sites with “acceptable” security certificates may be taken over by criminal hackers without your knowledge. Mal-ware may be compiled at companies which aren't careful with their security protocols and thereby get signed by a “trusted” company. Or private keys may be stolen and used to sign certs.
So, it is a very dismal situation out there. And, of course, because giant conglomerates are often government contractors, and almost invariably fear the things a government can do to them, there is no way for you to know if the security cert your browsers and apps automatically trust has not been replaced by direction of a government authority. Some of the ins and outs of that possibility are described in this interesting Riseup article.
Given these many concerns, you should probably implement Cert Patrol or something similar. What is Cert Patrol? It is an add-on for Mozilla's Firefox web browser. Similar products are available for other browsers. The function it performs is to look at the certificates that come into your browser, notice when one is changed, and alert you to this fact. In the case of Cert Patrol in particular, it also indicates what is interesting, routine, or very dangerous about the nature of the changed cert. So, you have some help in evaluating whether or not to accept a new cert.
For my own part, I don't trust certs issued by certain organisations, notably Facebook and Microsoft. So, I will routinely reject those certs. You are free to pick and choose which certs to accept, reject, or monitor, of course.
Other ways to protect yourself that you may find interesting: You can ask for the secure web site every time by using https everywhere. As you can see from the link, it is a product of the Electronic Frontier Foundation, a group of people dedicated to freedom on the electronic/info-tech frontier. You should prefer the encrypted web site available with https because you want your browsing and your online activities to be encrypted whenever possible. Or, you should, if you value your privacy. Many sites offer both http and https versions of the same content, so why not grab the encrypted version?
AdBlock Plus can help you enjoy your browsing experience while blocking access to your private information. AdBlock is an open source add-on for various browsers. Because it is open source, you can find out all about what each line of code in the programme does. You might find it helpful to block ads that urge you to install software, especially if other people use your computer. Anything you, or one of your friends, installs on your computer can do various things to share your private data. AdBlock has a white listing policy which may be helpful to sites you like that rely on advertisers to pay for their site content.
Better Privacy is another add-on you might like. It can help you monitor and remove local stored objects (LSOs), a particularly powerful type of “cookie” that some sites may want to place on your computer. LSOs never expire, so you have to know to delete them, unless you have a utility like Better Privacy to do it for you.
LSOs use 100 kilobytes of storage compared to most cookies which are limited to 4 Kb. Many browsers cannot display nor manage LSOs. Worse, they can use Flash to send information from your computer, including personal, technical, and browser-history information to a server elsewhere on the web. So, they leak your information without your knowledge. They are far from harmless.
Finally, there is open source. Open source software is not only for people who know how to read software code, it is for everyone. Because software coders are a large and growing community, and because they communicate rapidly, effectively, and frequently, anything that can be known about a software package is going to be known very widely. In the case of open source software, what can be known is everything. And, frankly, what you want to know about the software you install and use is: everything. Since you cannot take the time to know everything about all the possible software in the world, you are better off if you can rely on the open source community to help you.