Tuesday, 11 April 2017

Trust issues: Know the limits of SSL certificates


Certificate authorities (CAs) have given themselves a black eye lately, making it hard for users to trust them. Google stopped trusting Symantec after discovering the CA had mis-issued thousands of certificates over several years, and researchers found that phishing sites were using PayPal-labeled certificates issued by Linux Foundation’s Let’s Encrypt CA. Even with these missteps, the CAs play a critical role in establishing trust on the internet.

TLS/SSL certificates have a usability problem because web browsers mark all HTTPS websites as secure, and users have been trained to look for the padlock or the word “Secure” to judge a site’s legitimacy. Yet all that the padlock or the word “Secure” indicates is that the communication is encrypted. It does not say that the owner has been validated. A site can be encrypted and still be unsafe because the owner has been spoofed by a phisher or other malevolent force.
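To make that distinction concrete, here is an added example (not code from the original post) in Python. It takes a certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, performs the hostname match that the padlock represents, and then reports whether the subject carries an organization name, which is the only field in that dict that tells you the issuer validated the owner (DV certificates carry none). The two sample certificates, their hostnames and the CA names are constructed for the example, and `fetch_peer_cert` is a hypothetical helper for a live lookup.

```python
"""What a TLS certificate actually asserts about a site.

A padlock means the connection is encrypted and the certificate's name
matches the hostname. Whether anyone verified the site *owner* depends on
the validation level: a domain-validated (DV) certificate has no
organization in its subject, whereas OV/EV certificates do.
"""
import socket
import ssl
from typing import Optional

# Constructed sample certificates (not real ones) in the dict shape that
# ssl.SSLSocket.getpeercert() returns.
DV_CERT = {
    "subject": ((("commonName", "paypal-secure-login.example"),),),
    "issuer": ((("organizationName", "Example DV CA"),),),
    "subjectAltName": (
        ("DNS", "paypal-secure-login.example"),
        ("DNS", "www.paypal-secure-login.example"),
    ),
}

OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Bank Inc."),),
        (("commonName", "bank.example"),),
    ),
    "issuer": ((("organizationName", "Example OV CA"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}


def subject_field(cert: dict, key: str) -> Optional[str]:
    """Return the first value of `key` in the certificate subject, if any."""
    for rdn in cert.get("subject", ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def _dns_names(cert: dict) -> list:
    """Names the certificate is valid for: SAN DNS entries, else legacy CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = subject_field(cert, "commonName")
        if cn:
            names.append(cn)
    return names


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a leading wildcard covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def matches_hostname(cert: dict, hostname: str) -> bool:
    """The check behind the padlock: does the cert cover this hostname?"""
    return any(_name_matches(n, hostname) for n in _dns_names(cert))


def assess(cert: dict, hostname: str) -> dict:
    """Separate 'encrypted to this hostname' from 'owner was validated'.

    getpeercert() does not expose certificatePolicies, so OV and EV cannot
    be told apart here; the presence of an organizationName is enough to
    show the issuer validated more than control of the domain.
    """
    org = subject_field(cert, "organizationName")
    return {
        "hostname_matches": matches_hostname(cert, hostname),
        "owner_validated": org is not None,
        "organization": org,
        "level": "OV/EV" if org else "DV",
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Hypothetical live helper (needs network): the chain- and hostname-
    validated peer certificate in the same dict shape as the samples."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert, host in (
        ("DV sample", DV_CERT, "www.paypal-secure-login.example"),
        ("OV sample", OV_CERT, "www.bank.example"),
    ):
        print(label, assess(cert, host))
```

Both samples pass the hostname check, so both would earn a padlock; only the second says anything about who operates the site. That is the gap between "encrypted" and "legitimate" that the paragraph above describes.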

In other words: just because the site that you are visiting has a padlock, don't automatically assume that it's kosher!