Blog

SSL Certificates - 23,000 reasons to have one

15 December 2017

Some Key Facts

Data delivered over an unencrypted channel (HTTP ) is insecure, untrustworthy, and easily intercepted. 

  • Passive and active attackers can listen in
  • Active hackers can tamper with data
  • Active hackers can impersonate the destination
  • 80% upwards of visitors to an online store will not buy without an SSL certificate in place

The Good News

  • Google gives your website a small ranking boost if you have an SSL certificate. 
  • An SSL turns your URL from HTTP to HTTPS and you get a security padlock preceding the url.
  • Visitors communications with an HTTPS website are encrypted.
  • SSL encrypts data both in the content itself and in the messaging vehicle.
  • Credit card details, passwords and personal information are safe. 
  • An HTTPS website means that the website ownership and server details have been verified as genuine.
  • You can securely use free unsecured wifi, from a cafe for example, if visiting an HTTPS website 
Google Chrome Browser security grading as seen on websites 
 
 
 
Google are using the carrot and stick approach, to get people to adopt HTTPS as a standard by highlighting the risks and vulnerabilities of non secure (HTTP) websites to you, and if you have a website, to the attention of your visitors.
The carrot is security and an admittedly small boost to the rankings of websites that do have an SSL certificate , but also eligibility for certain technical advantages such as GEO location.
 
Which is the dominant browser?

The warnings prefixing website urls are specific to the Google chrome platform only, but as shown in the following table it is the dominant browser on mobile and desktop devices.
 
 
 
Historically SSL certificates are more generally associated as an essential component of ecommerce websites.
 
HTTPS protects the privacy and the security of people who use your website for whatever reason.
 
An SSL certificate encrypts the data that flows between your browser and the website you are visiting.
 
This means that when you visit an HTTPS website and you fill in forms with your credit card details, name, address, phone numbers, passwords, your mothers maiden name and all the other seemingly incidental data the content is protected by the encryption.

I don't have any forms on my website, so I won't need one
 
Nowadays hackers, clever people, exploit accumulations of information to build up aggregate profiles of individuals and companies and behavioural patterns.
 
They can do this by planting malware on your website or by manipulating the website to redirect people elsewhere or simply by intercepting traffic content and eavesdropping.
 
Malware - from the web direct to your pc
 
Another good reason to get an SSL certificate

Twenty three thousand websites compromised in December 2017
 
Websites that have malware on them install malicious code onto your computer when you visit them.

This can be done when you consent to download files that are infected or by being unaware that anything has been downloaded at all.

The malware then captures and sends sensitive user data from your computer to the hackers repository. 
 
Phishing Websites.
 
Growth in phishing and malware websites
 
720 thousand websites impersonating legitimate websites
 
There are a lot of very sophisticated scams that request you click on a link in an email to your bank or to an online store.
The destination website is in fact a website clone, virtually identical to that of your bank with a very similar domain name.
 
You input your login details and the hackers have then got initial vital information.
Of course the login details you use invariably are randomly selected digits from your password and on their own do not fully compromise you.
 
Links will take you to the genuine banking website 
 
But you are taken directly to an "Update your password" page.
The page is branded to your banks livery, it has warnings typical of all banking websites that urge you not divulge your account details and which, if you click on them, will in fact take you to the genuine banking website.
 
But the process continues when you are requested to change your password first by inputting your current password and then by inputting your new password and confirming it and at this point you have given the hackers access to your account and in all liklihood between the genuine and the new password a good chance of accessing other services you use as well.
 
Nobody has "got your back" but you:
 
"NatWest bank spat prompts web security changes"
 
As recently as 12th December this year the Natwest Bank was operating unsecured websites.
Moreover the websites had nominated links to "Login" to access accounts.
 
When challenged, the bank, via their  twitter account apologised and promised to feed the concerns back to the tech team.
However the bank told the BBC that they would apply an SSL certificate and within 48 hours the website had HTTPS status.
 
Not just NatWest caught unawares

Lloyds and Halifax websites accepted both HTTP and HTTPS, but also similarly resolved the situation  two days later.
 
Hackers actively target "high value" websites that can realise some return on investment, but before you assume the "I'm well under the radar" stance the  malware "bots" and scripts that are running on automatic do not make any distinction. The website is either vulnerable or not and your everyday practices will contribute to your own security.
 
 
 Natwest bank without an SSL certificate
 

The screenshot above courtesy of The Wayback Machine shows the archived website on 7th December 2017 without the HTTPS prefix and the highlighted exploitable "login" link.
 
The image below a few days later shows the same website with the added SSL certification displaying the HTTPS.
 
Natwest adopts the https status after criticism
 

If as a website owner you collect data from customers during purchases, have a subscribers list, use a booking system or a blog, then these details need to be protected.
 
 
An SSL certificate acts a bit like a passport. It is a digital certificate issued by a trusted certificate authority.
This authority verifies the information submitted on an ssl certificate application is legitimate prior to issuing it to an identified website.
 
It authenticates the website name and the identity of the web server it resides upon and verifies that the website owner is really who they claim to be.
 
When someone visits a website the browser ie. Chrome, Firefox , Safari, Explorer etc does a check to verify that the website is what it is supposed to be just like passing through customs, but a darn site quicker.
 
It also flags up to the site visitor if all is not as it should be, the example below relates to an expired SSL certificate..
 
 
SSL encrypts data both in the content itself and in the transport mechanism that is used to send the data to a destination on the Internet.
 
The first of the following two images shows a screenshot of our website with an ssl certificate and the information associated should you click on the padlock.
 
 
In the second image ,for demonstration purposes, we have edited the code and removed the "s" from the https in the URL of an image on that page. The browser has instantly recognised that though the site is HTTTPS it is open to compromise and downgraded the security status to "information or not secure".
 
It also highlights that relevant to the image that we edited, it is now open to manipulation by a hacker.
By default this means that every website without an ssl certificate is completely open to interference. 
 
HTTPS with minor errors uses the same indicator as HTTP
 

 

SSL certificates are only as good as the issuing Certificate authority (CA)

If the CA is compromised, has inadequate internal auditing and control systems, allows certificates to be maliciously acquired or goes rogue then effectively the validity of all of the SSL certificates issued by that CA cannot be trusted.


An SSL certificate attached to a website effectively states that:

  • The website owner is as displayed on the certificate and that it has been verified.
  • The domain name/ website is also identified and associated as being hosted on a specific identified server.
  • The data between the browser and the website is also encrypted.

 

HTTPS - Is this full-proof?

So it's one thing, knowing that all HTTP websites are vulnerable to website spoofing, server impersonation and data interception.

The main cryptographic system which underpins the HTTPS certification system is reliant on the trust in the integrity of the Certificate Authorities.
Where this is compromised and it has been, then we really are on the back foot.

Malpractice

There have been numerous instances where SSL certificates have been issued wrongly (malicious or otherwise) and they have not been detected for weeks and in some cases months and there are Certificate Authorities that have been shutdown.

The problem is that there is no feasible, effective way to monitor ssl certificates in real time.  

Fake SSL Certificates

In one instance fake SSL certificates were used to impersonate numerous sites in Iran, such as Gmail and Facebook, which enabled the operators of the fake sites to spy on unsuspecting site users.

Certificate Transparency Project - 2103

In 2013 Google published an article for an experimental protocol to address flaws in the certification system.

Google's Certificate Transparency Project was created to tackle the problems and the The 'trans' IETF WG was established to create a standard RFC (request for comments) for Certificate Transparency. 

The task force was established to establish a "protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit certificate authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves." 

The intent is that eventually clients (browsers) would refuse to honour certificates that do not appear in a log, effectively forcing CA's to add all issued certificates to the logs."

Fast - Forward to 2017

More specifically, at Dec 20th 2017 there have been 840,037,345 entries made to the set of Certificate Transparency logs that Google monitors by Certificate Authorities logging registered SSL certificates and getting Signed Certificate Timestamps SCT's from them.

Deadline

Google has announced that all types of SSL certificates issued after April 2018 that are not CT qualified will not be trusted in Chrome.

A list of known and included Public logs can be found here and also Public logs that are "completely distrusted by Chrome and finally Public logs that have been rejected by Chrome  

Three additional core components compliment the existing certification system in the Certificate Transparency framework.

 

1. Certificate logs

2. Certificate monitors

3.Certificate auditors

 

Certificate logs - The Certificate Authority when issuing an SSL certificate to a domain will register it on a public certificate log and will get a signed certificate timestamp (SCT)from the log which will be incorporated into the ssl certificate denoting the time of issue, the identity of the Public log it was registered with and the specific certificate it was allocated to.

Certificate monitors - Monitors watch logs and retrieve updates to the logs on a regular basis so at certain points the Monitor has all the data that the Log has.In addition logs do not permit appends, i.e the insertion of data into existing data, so "new" certificates can not be inserted and backdated.

Monitors, by the same token, when they retrieve the latest logs including the most recent certificates can do a comparison that the new retrieval excepting the new certificates mirrors their own records exactly.

In addition Monitors share data with other monitors and with Auditors.

Certificate auditors - the majority of these are actually built into the web browsers.

What happens here is that the browser visits a website and validates(via a TLS handshake ) the SSL certificate and its signature chain and it also validates the log’s signature on the SCT to verify that the SCT was issued by a valid log and that the SCT was actually issued for the certificate (and not some other certificate).

Summary

Against a backdrop of increasing malware which have no geographical limitations, cleverly designed phishing websites and legitimate websites being compromised, the prudent course of action is obvious.

Good News

The certificate transparency project enjoys the support of other browsers who it is indicated are participating and will implement the same tactics as Google Chrome and the approaching deadline of April 2018 when CTA’s who do not participate in the scheme are not recognised by Google Chrome and other browsers is a welcome milestone.

The Threat

The costs of remedying compromised websites, not to mention damaged reputations, significantly outweighs the token investment of an SSL certificate and recent events suggest that there is still quite significant naivety at corporate level regarding online security.

 

Index:

SSL - Secure Socket Layer

CA - Certificate Authority

CT - Certificate Transparency

SCT - Signed Certificate Timestamp

TLS - TLS Handshake Protocol. The Transport Layer Security (TLS) Handshake Protocol is responsible for the authentication and key exchange necessary to establish or resume secure sessions.

Cryptography - is the practice and study of techniques for secure communication in the presence of third parties called adversaries.

Reference sites: 

https://www.certificate-transparency.org/

https://www.chromium.org/Home/chromium-security/root-ca-policy

https://www.netmarketshare.com

https://archive.org/

 

Comments

Post a comment

Recent Blogs