Whether or not you’re aware of it, a large part of the system that lets commerce happen over the Internet really operates on little more than trust. It’s backed up by technology, but it essentially relies on businesses all over the world trusting that a small number of organisations are doing their jobs properly.
Without this network of ‘trust relationships’, most of what we do on the Internet would be – at best – a gamble, and more likely just wouldn’t happen at all. No one wants to start sending payment information around the world if they don’t have some kind of guarantee that it’s safe.
It’s recently been revealed that part of the system of ‘trust’ that makes the Internet work has been eroded. It’s not a complete collapse of that system, of course – that would make far bigger headlines – but it does highlight just how much we rely on a vanishingly small number of organisations.
So, what happened?
Just a few days ago, a certificate authority ordered a whole raft of certificates (around 50,000 of them) to be withdrawn – that is, they’ll no longer be acceptable as proof that an organisation is who it says it is.
This is because the certificates were incorrectly issued by the ICAs (intermediate certificate authorities), which means the ICAs betrayed the trust that the certificate authority had placed in them.
To really understand what this means, you need to understand what a certificate is and what it represents.
When you want to send confidential information between two points, you generally need that information to be encrypted so you can be sure it’s safe. So far, so good – you encrypt the information and send it off to the recipient. Once they receive it, however, they need to be able to decrypt it.
This is where certificates come in. A certificate is a guarantee from an authority that an organisation is who it says it is. In the background, a certificate also carries the organisation’s public key, which tells your computer how to encrypt information so that only that organisation will be able to decrypt it.
So, if you have a third party guaranteeing that the organisation you’re about to send information to is legit, and you have a secure way of sending that information, you’re (theoretically) perfectly safe to send your payment information.
You can inspect certificates through your browser by clicking the padlock icon in the address bar – it’ll provide some information about the website itself, the organisation that issued the certificate and the parent certificate authority.
Certificates are often sold by intermediate organisations that are approved by an organisation higher up in the chain, so it is common to see certificates that list a number of organisations, each one vouching for the one immediately below it. This is the chain of trust in action.
Back to the issue with the certificates
The problem in this case is that the ICAs hadn’t been authorised to issue the specific class of certificate (which was meant to be a very high-trust certificate – the gold standard).
This means that the certificate authorities wouldn’t audit those certificates to make sure they really were accurate, so the whole notion that the certificate proves the identity of the certificate holder is pretty much blown out of the water.
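To show how the chain of trust described above is actually checked, and where an ICA issuing a class of certificate it was never authorised for slips through, here is an added toy example (not code from the original post). Certificates are plain records and an HMAC under the issuer's key stands in for a real RSA/ECDSA signature; the EV policy OID is the real one, while the CA names, keys and the may_issue attribute are constructed for the demo.

```python
import hashlib, hmac
from dataclasses import dataclass

EV_POLICY = "2.23.140.1.1"  # CA/Browser Forum Extended Validation policy OID

@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    policies: tuple = ()   # policy OIDs this certificate asserts
    may_issue: tuple = ()  # policies this CA is authorised to issue (constructed attribute)
    signature: bytes = b""

def tbs(c):  # the bytes the issuer signs (the 'to be signed' part of the certificate)
    return f"{c.subject}|{c.issuer}|{c.is_ca}|{c.policies}|{c.may_issue}".encode()

def sign(c, issuer_key):  # HMAC under the issuer's key stands in for a real RSA/ECDSA signature
    c.signature = hmac.new(issuer_key, tbs(c), hashlib.sha256).digest()
    return c

def validate(leaf, store, anchors, keys):
    """Walk leaf -> intermediates -> trust anchor; return a list of problems (empty = trusted)."""
    problems, cert = [], leaf
    for _ in range(len(store) + 1):  # bounded walk, so a malformed store cannot loop forever
        parent = anchors.get(cert.issuer) or store.get(cert.issuer)
        if parent is None:
            return problems + [f"{cert.subject}: issuer {cert.issuer!r} is unknown"]
        if not parent.is_ca:
            problems.append(f"{parent.subject}: is not a CA")
        expected = hmac.new(keys[parent.subject], tbs(cert), hashlib.sha256).digest()
        if not hmac.compare_digest(cert.signature, expected):
            problems.append(f"{cert.subject}: signature does not verify under {parent.subject}")
        for oid in cert.policies:  # the page's failure: an ICA issuing a class it was never authorised for
            if oid not in parent.may_issue:
                problems.append(f"{cert.subject}: {parent.subject} not authorised to issue policy {oid}")
        if cert.issuer in anchors:
            return problems  # reached a root we trust; the root itself is not re-checked
        cert = parent
    return problems + [f"{cert.subject}: chain never reaches a trust anchor"]

def demo():
    """Constructed PKI: one root, an ICA authorised for EV and one that was not."""
    keys = {"Root CA": b"root-key", "Good ICA": b"good-key", "Rogue ICA": b"rogue-key"}
    anchors = {"Root CA": Cert("Root CA", "Root CA", True, may_issue=(EV_POLICY,))}
    store = {c.subject: c for c in (
        sign(Cert("Good ICA", "Root CA", True, (EV_POLICY,), (EV_POLICY,)), keys["Root CA"]),
        sign(Cert("Rogue ICA", "Root CA", True), keys["Root CA"]))}
    good = sign(Cert("shop.example", "Good ICA", False, (EV_POLICY,)), keys["Good ICA"])
    bad = sign(Cert("store.example", "Rogue ICA", False, (EV_POLICY,)), keys["Rogue ICA"])
    return validate(good, store, anchors, keys), validate(bad, store, anchors, keys)
```

The first chain validates cleanly; the second is rejected not because any signature is wrong, but because the intermediate that signed it was never permitted to issue the EV policy it asserts.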
This isn’t the only way certificates can go wrong
In some cases, the chain can get muddled, which usually won’t cause issues, but it can look quite suspicious.
In a case very close to home, a certificate on our website included an entirely optional (but good practice) link pointing at the issuer’s statement page, which sets out information about how the certificates are managed, and so on.
The problem was that the certificate on our website linked to a page on a website owned by the issuer, but it had a certificate for another one of its brands – the company had been purchased several years ago and gone through a process of rebranding.
This meant that browsers visiting the page on the issuer’s site would generate a warning. This didn’t affect proof of ownership of our website or the keys used to encrypt data, and was not a major mistake by the certificate authority, but it was not correct. Although the issuer’s statement is not mandatory, if it is used, it should be correct.
Certificate authorities have strict rules they must follow if certificates are to continue to be trusted. This mistake also doesn’t look good to our customers, so we’ve purchased a new certificate from a different authority (which we’ve checked several times to make sure it’s correct).
In reality, browsers and SSL-checking tools would have shown the certificate on our site to be good and secure, and the locked padlock was being displayed in the browser.
Very few of our clients would have even noticed the problem, and those who know about certificates in detail would have realised it was a mistake by the issuing authority with no impact on the security of the website.
However, none of this is meant to happen, and it highlights just how fragile the systems we rely on really are. The certificate authorities themselves have industry bodies to try to make sure this sort of thing doesn’t happen – but it clearly does.
In the first example, the ICAs should absolutely not have been issuing the gold-standard certificates, while in the second the ICA should have cleaned up its own certificates as part of the rebranding, and certainly shouldn’t be putting incorrect information into them. That one is a blunder for the ages.
It’s important to remember that seeing an invalid certificate or an insecure website doesn’t mean that the error is on the part of the certificate authority or ICA – it’s entirely possible that the certificate has expired or the website owner is otherwise at fault.
It’s also possible that the website just isn’t secure or has been set up by cyber criminals. If you do see an invalid certificate, you shouldn’t ignore the warning. If you trust the website owner, it’s best to send them an email or a message to let them know – they’ll certainly be grateful.