Certificates: trust is good, control is better

We all know the expression ‘trust is good, control is better…’. As a security expert, I regularly debate the use of certificates. I have noticed that certificates are considered the silver bullet for resolving a myriad of security issues. However, the cognitive bias is not in the use of certificates, but in the trust we place in them.

Certificates are used for numerous security measures. The most prominent is the https (ssl) website. First of all, the certificate is used to set up an encrypted connection between my browser and the web server. Secondly, the certificate is used to prove that the correct website is shown. If I land on the wrong website, a red bar or an error message is shown, depending on the browser that is used.

Trusted suppliers

How does the browser detect the correct website? Besides a key, the website delivers a certificate to my browser. This certificate contains a digital signature of a certification authority (CA). Often, the owner of the website created a certificate that has been signed by a public CA. These are (most of the time) companies that sign the certificate for a modest fee. My browser examines this signature and its origin. Subsequently, it searches for the signing organization in a list of trusted certificate suppliers. If this organization is present on the list, then the certificate is trusted.

The list of trusted suppliers ships with my browser. The creator of my browser has determined which suppliers are on this list. In practice, this means that you trust the Google, Microsoft, Apple or Mozilla community. One of these organizations has determined which certificate suppliers are to be trusted on your behalf. The reliability of a certificate supplier can be called into question. Most of the time, this points to one word: DigiNotar.

Convergence (SSL)

As an alternative, Convergence (SSL) has been developed. The idea behind Convergence (SSL) is that multiple sources determine whether a certificate is reliable. Such a source is called a Notary. Each Notary votes on whether the certificate is correct. If one or more of the Notaries declares the certificate hazardous, the user is able to select the next step. As a user, you place your trust in the knowledge and skills of the different Notaries. However, who are these Notaries? Google, Microsoft, the American government, Brussels, or do we create a completely new organization? For this system too, someone has to designate the reliable sources.

The use of certificates relies upon trust. Every solution that uses certificates and/or keys for security has the same shortcoming. Everything starts with trust. This is where you are given a choice.

CA hacked

If certificates are used predominantly internally, you are able to run your own CA or PKI. Then, you decide which sources are reliable. The problem, however, is that others do not trust you automatically.
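The browser check described under ‘Trusted suppliers’ and the private CA from this section come down to the same mechanism: a certificate is trusted only if it chains to a root on a list you control. This added example (not from the article) builds two CAs and a server certificate from each, then verifies them against a trust store that holds only the roots we put in it; all CA names and the host intranet.example are constructed.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue creates a server certificate for host `name` signed by parent, or a self-signed CA root when parent is nil.
func Issue(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader) // only fails if the system RNG does
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, // demo-only serial
		DNSNames:  []string{name}, // the browser compares this against the host in the URL
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // a root signs itself and is allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.DNSNames = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// Trusted reports whether leaf chains to a root in OUR store; an explicit pool replaces the browser/OS list, and an empty pool trusts nobody.
func Trusted(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	ourCA, ourKey := Issue("Our Private Root CA", nil, nil)   // the CA we operate ourselves
	otherCA, otherKey := Issue("Some Other CA", nil, nil)     // a CA we never chose to trust
	legit, _ := Issue("intranet.example", ourCA, ourKey)
	rogue, _ := Issue("intranet.example", otherCA, otherKey) // same host name, other issuer
	fmt.Println(Trusted(legit, "intranet.example", ourCA))          // true
	fmt.Println(Trusted(rogue, "intranet.example", ourCA))          // false: issuer not on our list
	fmt.Println(Trusted(rogue, "intranet.example", ourCA, otherCA)) // true: once a CA is on the list, so is everything it signs
}
```

The third result is the whole point of the article: the certificate did not change, only the list did.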

Are you working with a partner and would you like to use certificates? Then, you can choose to use a shared CA. Both parties trust this CA, but appropriate agreements have to be made regarding its management. The party that manages the CA has to be trusted as well.

Are you working with external parties and would you like to use certificates? Then, there are not many options to choose from. In this case, you have to use a ‘public’ CA. You may wonder which one you should trust. Usually, a browser trusts many CAs, but you should choose which one you want to trust. You can select the inexpensive option, but does this give you quality? In the past, a CA has been hacked and its root certificate was there for the taking. Suddenly, several websites with certificates issued by this CA were no longer reliable.

Martijn Bellaard has been working for TriOpSys as a lead architect for 3 years. At the beginning of 2017, he pursued his life-long dream and became a teacher at the Hogeschool van Utrecht. This article was published on 03-10-2015.