Trust on the internet: Vital, but more complicated than ever

Encryption, and our trust in it, is what makes the web so powerful - but there's plenty that could undermine that.
Written by Mary Branscombe, Contributor

Trust on the internet: hard to establish, much easier to undermine.

Certificate authorities (CA) issue the certificates that encrypt connections to secure websites, so it's key that we trust them. That's particularly true for EV certificates - the ones that turn the address bar in IE green - because they're supposed to be issued through a more secure process than usual.

That doesn't always work well, however. Last year Google announced that from 1 June this year, Symantec's CA would support Certificate Transparency for its EV certificates; if it doesn't put its EV certs in the Certificate Transparency Log, sites using them will be marked as Untrusted in Chrome which "may result in interstitials or other problems when used in Google products".

That comes after Symantec mis-issued a number of certificates for domains that Google and Opera own to people who weren't Google and Opera.

Symantec said it had issued 23 test certificates for five domains without the domain owner's knowledge; Google found more than that, and eventually Symantec said it had mis-issued another 166 certificates for 76 domains (and 2.458 more for domains that had never even been registered). It's not just Symantec: Chinese CA CNNIC last year was also found to have allowed another company, MCS Holdings, to issue certificates for its own domains; MCS apparently put the key it was using for that in a network proxy that it treated as a public certificate authority.

Why does all of this stuff matter? Man-in-the-middle attacks let someone change where you end up when you type in a URL: your browser thinks it is talking to the server you asked for on an encrypted channel, and the server thinks it's talking to your browser, but they are both talking to an attacker who is sitting in the middle of the connection, telling each side what it wants to hear.

Attackers can send you to an account that isn't your bank, or swap out ads on the page you visit for malicious trackers - or just a different set of ads, which is what Lenovo was planning to do with some of its laptops recently.

Malicious man-in-the-middle attacks using a certificate that doesn't come from a well-known and trusted CA get caught immediately by most browsers, which is why Google demanding Symantec jump through extra hoops shows a definite lack of trust.

There are legitimate reasons for similar practices. Managing how domains behave on your own network is why letting a network proxy 'man in the middle' connection is something a business might well want to do, without any malicious intent. You'd want them in a network security appliance, so you can fake the domains that ransomware and other malware is trying to connect to, in order to check out what it does without putting your test systems at risk.

Bluecoat does that in its ProxySG Secure Web Gateway, using a feature called Encrypted Tap which it says will "filter web traffic, identify cloud application usage, provide data loss prevention, deliver threat prevention, and ensure visibility into encrypted traffic".

That way, you can check and archive even encrypted traffic, which you'll need for finding attacks and spotting data leaking out of your systems that's been encrypted by the bad guys or even malicious employees.

But do certificate authorities need to do better at deciding which certificates should be issued to who?

I asked Matthew Prince, the CEO of CloudFlare, a service that started out as content delivery network with DDoS protection but has branched out into DNS and security services.

"The problem is that certificate authorities try to do two things at the same time: they try to establish identity and they set up encryption," he told me. If you were designing the system now, he suggested, "you probably would have created a more lightweight way to establish encryption and keep the identity portion off to the side. The fact that they handle identity as well, that intermingling makes it tricky problem."

He compared it to the situation with Let's Encrypt, a service that uses CloudFlare technology to offer free encryption certificates to encourage all sites to give you a secure connection. "What they say is 'we made it super easy to get encryption certificates, of course bad guys are going to use this and it's a net good that we can provide certs much more easily and affordably to all customers'."

He also notes that if a PayPal phisher uses a Let's Encrypt certificate, it's easy to withdraw that - which you couldn't do if they had created the certificate on their own infrastructure.

"Part of the problem is that the revocation process for certificates is so broken," he adds: OS providers and browsers need to handle revocation and you can't make it too easy or that will be used to attack someone as well.

Increasingly, it's not the traditional certificate authorities like Symantec that have the final say with certificates; providers like CloudFlare and browser companies like Google are increasingly active in managing trust too.

What we don't yet have is an easy way for users to understand what's happening.

Read more on security

Editorial standards