As you should know, there are two different types of connections to websites:
- HTTP is used in most situations, but it is completely insecure.
- HTTPS is used by banks, shopping sites, and others, to keep your login, bank balance, credit card numbers, and personal information private.
The “S” in HTTPS stands for “secure” and it is the best protection that the websites themselves can provide for your use. But there are still various flaws in HTTPS. Last week I wrote about the underlying encryption technology, called SSL, which has recently been shown to be breakable.
Another serious flaw in HTTPS involves something called Certificates — which act much like a passport. Passports identify who you are and where you came from. Certificates identify the name of the website and who is responsible for it.
Before you enter a site with HTTPS security, your browser examines the Certificate for the site and tries to determine whether it is legitimate.
As with passports, however, a Certificate is only as reliable as the organization that issues it.
Certificates are issued by designated “Certificate Authorities,” but as the web has grown, many more Certificate Authorities have been approved to issue Certificates. Some, naturally, are more careful and reliable than others, and certainly some amount of chicanery must be going on.
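The browser's check described above, as an added example (not code from the original post), run over certificate fields in the layout that Python's `ssl.SSLSocket.getpeercert()` returns. The CA names, host name and dates are constructed, and comparing the issuer's name against a list is a stand-in for the real verification of the issuer's signature.

```python
import ssl

# Constructed trust list: issuers this client accepts (hypothetical CA names).
TRUSTED_ISSUERS = {"Careful CA", "Careless CA"}

def issuer_org(cert):
    # Names are tuples of RDNs, each RDN a tuple of (key, value) pairs.
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def name_matches(pattern, host):
    # Exact match, or one leftmost "*." wildcard covering exactly one label.
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def check_certificate(cert, host, now):
    """Return a list of problems; an empty list means the client accepts."""
    problems = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("name mismatch")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("outside validity period")
    if issuer_org(cert) not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    return problems

def sample_cert(host, issuer):
    # Constructed sample data, not a real certificate.
    return {
        "issuer": ((("organizationName", issuer),),),
        "notBefore": "Jan 15 00:00:00 2011 GMT",
        "notAfter": "Jan 15 00:00:00 2012 GMT",
        "subjectAltName": (("DNS", host),),
    }

NOW = ssl.cert_time_to_seconds("Sep 15 00:00:00 2011 GMT")
GENUINE = sample_cert("mail.example.com", "Careful CA")
MISISSUED = sample_cert("mail.example.com", "Careless CA")  # same name, other CA
SELF_MADE = sample_cert("mail.example.com", "Nobody")       # issuer not trusted
```

The certificate from the second CA passes every check the genuine one does, because the client only asks whether some trusted issuer vouched for the name, not which one.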
Some passports are designed to be more difficult to counterfeit than others, and the same is true of the way that Certificates are used. A website uses a portion of its Certificate to enact the encryption for HTTPS, but the amount of rigor in encryption standards varies widely from site to site. Some are strong, of course, but some have only very weak encryption that is easily broken.
Finally, just like passports, Certificates can be stolen. Recently, a hacker from Iran broke into several Certificate Authorities’ websites and created a large number of fake certificates.
As the New York Times reported:
“The fruits of his labor are believed to have been used to tap into the online communications of as many as 300,000 unsuspecting Iranians this summer. What’s more, he punched a hole in an online security mechanism that is trusted by millions of Internet users all over the world.”
Forged, Flawed, or Stolen
Certificates can be forged, flawed, or stolen. In fact, some security experts say that the Certificate system is “broken” – and there are no remedies on the horizon.
How important is that? Well, very important, actually. Because if the Certificate system is no longer fully reliable, then HTTPS, and many other parts of the Internet security system which also use Certificates, are not reliable either.
To understand the dangers of fraudulent or stolen certificates for HTTPS, we have to turn the passport analogy on its head. Passports identify you to the country that you are about to enter. Certificates tell you whether the site you are about to enter is actually the one you expected it to be.
It is the Certificate which is supposed to tell your browser that the Gmail or banking site you are about to enter is genuine – well before you enter your user name and password.
For most of us, a fake website can have consequences ranging from loss of privacy to credit card or identity theft. Serious, but recoverable.
Let’s go back to our Iranian hacker. He acknowledges that his objective was to thwart government dissent in Iran. It is likely that he was after email communications and the like among activists. And in this situation, the consequences to the victims could be death.