Easy guide to SSL certificate authorities (2024)

The internet has revolutionized every aspect of modern society, from business to communication to entertainment. High-speed internet access worldwide means finding the information we want is easier than ever before. But these perks come with some downsides, too.

Security issues arise when data is exchanged over the internet. The world wide web relies on trustworthy entities to keep everyone's data safe. All major web browsers, like Google Chrome and Firefox, use SSL certificates to safeguard any data sent from web servers and maintain the trust of people surfing the internet.

Certificates such as SSL certificates underpin online security and privacy during our online communications. Data pinged across the internet is kept safe through encryption. Encryption scrambles the data into something completely meaningless to anyone except the intended recipient (the only party with a secret key to access the data).

You might have thought that SSL is just for e-commerce sites to protect payments. That’s no longer the case. SSL certificates are invaluable for every website - because all websites have something of value for hackers: their reputation.


Internet users today are savvy customers, recognizing when a site uses SSL. This digital certificate increases trust in a company’s website, and ultimately in the company itself. Reputation proves a compelling argument for setting up a secure site. Whether you collect data or accept payments, authentication, confidentiality, and integrity are indispensable in all cases.

Certificate authorities (CAs) are entities responsible for issuing digital certificates like SSL to websites. In layman's terms, a digital certificate is an electronic password that allows data to be exchanged securely over the web using the public key infrastructure (PKI) - which we’ll come to.

Why do sites need digital certificates?

Digital certificates are encrypted so they guarantee that the contents of a message have not been altered during communications. They contain data files used to verify identity credentials. This process offers websites a way to represent their ‘authentic’ online identity to avoid any other parties stealing their online identity.

In the eyes of web browsers, the site is authentic because the certificate authority has verified they are who they say they are. This way, the recipient of a message sent with SSL encryption can expect that the data is coming from a trusted source.

The role of the certificate authority

CA ‘membership’ programs were established, under which a certificate authority must meet strict criteria to gain membership. Once accepted, the trusted CA can issue SSL certificates that are trusted by browsers, mobile devices, and operating systems, and therefore by the people and devices relying on their certificates.

The most important role of the certificate authority is to check the legitimacy of the individual or organization before issuing a certificate. There are a small number of certificate authorities worldwide, including RapidSSL, DigiCert, and Let's Encrypt. The most recognized names in the CA industry are Symantec and Comodo. These brands sit at the top of the list of trusted certificate authorities.

Other parties involved

Certificate authorities support the public key infrastructure (PKI). PKI is the system for creating, storing and distributing digital certificates that verify whether a particular key belongs to a certain entity. PKI is made up of several layers, each of which takes on individual tasks. The certificate authority stores, issues and signs the certificate.

The registration authority verifies the identity of the digital certificate to be stored at the CA. A secure location called the central directory stores and indexes encryption keys. A certificate management system oversees things like access to or delivery of certificates, and a certificate policy states the PKI’s procedures. This lets people scrutinize the PKI’s trustworthiness.

Trusted CAs hold the key to web security

PKI is a complex infrastructure for managing digital certificates and it would all fall apart without trusted certificate authorities. The problem that PKI solves stems from the difficulty of verifying that a public key is actually owned by the person or entity that claims it. Hence the use of digital certificates and PKI.

This is why we are so dependent on certificate authorities. If the PKI were to operate without CAs, the internet would revolve around a mass of unverified digital CA certificates, some of which could also be used maliciously. How would we know which was authentic when there’s no way to verify ownership of them? Without CAs, anyone could misrepresent ownership of a digital certificate, website, or organization. Certificate forgers can cause a lot of damage, including but not limited to reading and stealing sensitive data that is thought to be encrypted.

Most web browsers are designed to help with detecting false digital signatures. Traffic coming from non-browser software or mobile apps, however, may not have been built to correctly check the legitimacy of an SSL certificate, leaving their business and users wide open for abuse. The best way to avoid falling foul of this practice is to stay informed and go with a CA that has a good track record when it comes to security.
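An added example (not code from the original article): a non-browser client that skips certificate checks next to one that performs them, using Python's standard ssl module, with a small audit function that reports which checks a given client context has switched off. The function names are assumptions chosen for illustration.

```python
import ssl


def weak_context():
    """Client context as misconfigured apps often build it: no checks at all."""
    ctx = ssl.create_default_context()
    # check_hostname must be switched off first; Python raises ValueError if
    # verify_mode is set to CERT_NONE while hostname checking is still on.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """Client context that validates the chain and the hostname.

    cafile is optional: a PEM bundle for a private CA. When omitted,
    the platform root store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means both checks are on."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified against a trusted CA")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    return findings


def disabling_order_is_enforced():
    """CERT_NONE is refused while check_hostname is still enabled."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or "ok")
```

Running the audit against every TLS context an application creates, for example in a unit test, catches a client that was shipped with verification turned off during development.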

CAs are charged with proving ownership of digital certificates, and by extension, each certificate’s key. CAs work closely with the browser community to create guidelines aimed at ensuring optimal web security. For this to run smoothly, they’ve invested heavily in their own infrastructure. Their reputation is critical for this process to work. Carefully crafted checks are in place that are capable of dependable identity verification, and others that ensure digital certificates are issued properly.

How digital certificates are issued

After an SSL certificate is ordered, the certificate authority goes about verifying the identity of the applicant. The extent of their checks depends on the level of validation required. The two most common types of validation are Organization Validation (OV) and Domain Validation (DV).

Company validation verifies that the organization requesting a certificate is, in fact, the organization to which the certificate is being issued. The aim of domain validation is to ensure that the individual requesting a certificate has the authority to request a certificate for the domain in question.

What do they check for?

For a basic Domain Validation certificate, a certificate authority checks ownership over the domain, and if the applicant passes their checks, a certificate is issued. Organization Validation involves more stringent checks. The CA will vet the organization applying through business registration records and credit reports. These extensive checks can take up to five days. Once the CA is satisfied, the certificate is issued.


It’s then up to web browsers and devices to verify the validity of a given certificate. Something called a ‘root’ certificate is at the center of this trust model. Once a root certificate is issued by a trusted CA, a web browser accepts it into its root store – this is simply a database of approved CAs that comes pre-installed with a browser or device. Most operating systems operate a root store, including Apple, Windows, Mozilla Firefox and so on.

Who monitors certificate authorities

The certificate authority system has one obvious flaw. It’s assumed that CAs themselves are trustworthy. While this might be the case, CAs aren’t running unregulated. They operate within a framework of rules and require third-party qualified audits through WebTrust or ETSI to be sure the rules are being adhered to. They are vetted for activities which might undermine trust in their operations. Anyone operating outside of the protocols will face negative consequences.

There are two sets of rules governing CAs. First are the browsers and applications that make use of SSL digital certificates. Additionally, the browsers and certificate authorities jointly set rules through guidelines and requirements. These additional rules are approved by the CA/Browser Forum, and set the standard for public certificate authorities worldwide.

Recent developments

Trust in SSL has taken a hit in recent years. Cybercriminals have increasingly targeted internet users by finding ways to issue their own certificates. As it stands, the system isn’t perfect. There have been some high-profile examples of CAs issuing unauthorized certificates. In response, Google established a digital certificate logging system known as Certificate Transparency (CT). The new system requires that all certificate authorities log every digital certificate they issue. These logs keep tabs on digital certificate suppliers that go rogue.

The CT project helps protect Google Chrome users. Now, anyone browsing the net through Chrome who happens to land on a website with an ‘unlogged’ SSL certificate will receive a warning message that the site’s SSL certificate isn’t compliant with Google Chrome’s transparency policy and, as such, might not be safe.

Certificate authorities and the future of internet security

Logging SSL certificates is just the start of Google’s plan for a safer internet. You might have read the headline “Google wants to kill the URL.” It’s a hot topic on the tech blog scene and could provide a unique opportunity for CAs going forward. To briefly summarize: Google wants to get rid of URLs in a bid to make the internet safer. The problem with URLs is that they aren’t universally understood, and hackers take advantage of this to commit cybercrime.

Google is looking to find a suitable replacement that can make browsing the internet more secure while also offering a solution for businesses to assert their identity in a way that is unmistakable to internet users.

Who can help with that? Certificate authorities. They already have the infrastructure to validate online entities and can put this to use affirming corporate and web identities. Anyone operating a business online would make ample use of a more trusted mechanism, one that confirms their authenticity to customers or users in a clearer, more visual manner.

While the big browsers have the financial resources to take on this task, building up the know-how and apparatus would take a lot of time. Authenticating identities is probably not something most of the browser community would want to take responsibility for. The most logical answer is to outsource the authentication process. Given their expertise, the CA industry seems like the most likely candidates to turn to.

Article information

Author: Arline Emard IV