Know the limits of SSL certificates

All SSL certs are not created equal, and web browsers make matters worse by not clearly showing what security you’re actually getting


Certificate authorities (CAs) have given themselves a black eye lately, making it hard for users to trust them. Google stopped trusting Symantec after discovering the CA had mis-issued thousands of certificates over several years, and researchers found that phishing sites were using PayPal-labeled certificates issued by Linux Foundation’s Let’s Encrypt CA. Even with these missteps, the CAs play a critical role in establishing trust on the internet.

CAs issue different types of certificates, and each type addresses a different internet security use case. Here’s what you need to understand about certificates and online trust, so you know what is happening behind HTTPS—especially now that free CAs have made it so easy to get certificates.

How certificate authorities lost your trust

Let’s Encrypt, a free CA operated by the Linux Foundation’s Internet Security Research Group, is taking a pounding for issuing 15,270 certificates containing the word “PayPal” in either the domain name or the certificate identity. The sites using those certificates weren’t PayPal properties, and nearly all (97 percent) of the domains hosted phishing pages, said researcher and encryption expert Vincent Lynch.

A researcher earlier this year found issues with several hundred Symantec-issued certificates, prompting Google to conduct its own investigation. After discovering that Symantec allowed other parties access to its certificate infrastructure and did not oversee the process sufficiently, Google Chrome developers said they “no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.” Symantec has promised to reissue all its Transport Layer Security (TLS) certificates to comply with Google’s new validity period requirements.

Those are only two examples. There have been missteps by other CAs over the past few years that have led to the current doubts about their trustworthiness.

What the different certificates actually mean

There are many reasons a domain owner may decide to obtain a TLS/SSL certificate, but the most common one is to give users a way to verify that the site is authentic and the owner is legitimate. Another reason is that—in this day of rampant surveillance, tracking, and eavesdropping—there is growing interest in encrypting all traffic moving between the user’s computer or mobile device and the web server hosting the application.
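The two points above, that a certificate may vouch for nothing more than control of a domain name and that a brand string inside a certificate (the "PayPal" certificates described earlier) says nothing about who actually holds it, can be checked mechanically. The following is an added example written for this article, not code from CSO or from any CA; it uses only the Python standard library and works on the dict shape that `ssl.SSLSocket.getpeercert()` returns. The DV/OV/EV classification from subject fields is a heuristic (real EV is signalled by a policy OID that `getpeercert()` does not expose), the `BRAND_DOMAINS` table is an illustrative assumption, and the two sample certificates are constructed, not real.

```python
"""Report what a TLS certificate actually asserts: who issued it, what identity
was validated, which names it covers, how long it lives, and whether any name
borrows a brand keyword without being under that brand's own domains.
Input is the dict returned by ssl.SSLSocket.getpeercert(), so the same code
runs on a live connection or on the constructed samples below."""
import ssl
import socket

# Brand keyword -> domains the brand actually controls.  Constructed
# illustration table, not a list taken from the article.
BRAND_DOMAINS = {
    "paypal": ("paypal.com", "paypal.me"),
}


def _flatten(rdns):
    """Turn getpeercert()'s nested RDN tuples into a flat {attribute: value} dict."""
    fields = {}
    for rdn in rdns:
        for name, value in rdn:
            fields[name] = value
    return fields


def validation_level(cert):
    """Heuristic classification of the identity the CA vouched for.
    DV: no organizationName -> only control of the domain was checked.
    OV: organizationName present -> a legal entity was checked.
    EV: organization plus jurisdiction/business fields -> assumption; the
        authoritative EV signal is a policy OID getpeercert() does not expose."""
    subject = _flatten(cert.get("subject", ()))
    if "organizationName" not in subject:
        return "DV"
    if "jurisdictionCountryName" in subject or "businessCategory" in subject:
        return "EV"
    return "OV"


def san_hostnames(cert):
    """DNS names the certificate is valid for (the browser matches against these)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _under_domain(host, domain):
    host = host.lower().lstrip("*.")
    return host == domain or host.endswith("." + domain)


def brand_lookalikes(cert, brand_domains=BRAND_DOMAINS):
    """Names that contain a brand keyword but sit outside the brand's own domains."""
    hits = []
    for name in san_hostnames(cert):
        lowered = name.lower()
        for brand, domains in brand_domains.items():
            if brand in lowered and not any(_under_domain(lowered, d) for d in domains):
                hits.append(name)
    return hits


def validity_days(cert):
    """Lifetime in days, parsed from the notBefore/notAfter strings."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return round((end - start) / 86400)


def summarize(cert):
    return {
        "issuer": _flatten(cert.get("issuer", ())).get("organizationName", "?"),
        "level": validation_level(cert),
        "names": san_hostnames(cert),
        "validity_days": validity_days(cert),
        "lookalikes": brand_lookalikes(cert),
    }


def inspect_host(hostname, port=443):
    """Added helper: fetch a live certificate over the network and summarize it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return summarize(tls.getpeercert())


# Constructed samples in getpeercert() shape; neither is a real certificate.
DV_LOOKALIKE = {
    "subject": ((("commonName", "paypal-secure-login.example"),),),
    "issuer": ((("organizationName", "Example Free CA"),),),
    "subjectAltName": (("DNS", "paypal-secure-login.example"),
                       ("DNS", "www.paypal-secure-login.example")),
    "notBefore": "Mar  1 00:00:00 2017 GMT",
    "notAfter": "May 30 00:00:00 2017 GMT",
}
OV_LEGIT = {
    "subject": ((("countryName", "US"),), (("organizationName", "PayPal, Inc."),),
                (("commonName", "www.paypal.com"),)),
    "issuer": ((("organizationName", "Example Commercial CA"),),),
    "subjectAltName": (("DNS", "www.paypal.com"), ("DNS", "paypal.com")),
    "notBefore": "Jan  1 00:00:00 2017 GMT",
    "notAfter": "Jan  1 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    for label, cert in (("lookalike", DV_LOOKALIKE), ("legitimate", OV_LEGIT)):
        print(label, summarize(cert))
```

The point of the report is the gap the browser padlock hides: the first sample is a validly issued, trusted certificate whose only verified fact is control of a lookalike name, while the second carries an organization the CA checked. Flagging brand keywords outside the brand's own domains is a cheap triage signal for certificate-transparency monitoring, not proof of phishing on its own.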
