With internet service providers getting hacked on a weekly basis, we should remind ourselves that the infrastructure providing secure communication between you and your favourite websites is flawed anyway. That little padlock in your address bar is provided by what could be called the most prominent case of “as secure as the weakest link”. Nevertheless, should we really care?

If this is not your first day on the World Wide Web, you have probably come across the little padlock numerous times by now. Maybe you are even one of the well-informed users who check for this padlock and a green background when visiting web shops or banking applications. If so, please continue doing so: some protection is still better than none.

This padlock means that you are communicating securely with that website, using a protocol called Transport Layer Security. This protocol is pretty good. Sure, from time to time it needs a revision, but it does its job wonderfully. It basically builds a tunnel through the Internet that is only accessible on your computer and on the server of the website you are visiting.

Trust: How do I Know Who is Worthy of It?
Such a secure road along the Internet is precisely what you need, but it has to be built first. To do this, one needs to know where it should go. Precisely this is the problem. Suppose that you are meeting someone you have never seen before at the central train station in Amsterdam: how do you know that a person is who he claims to be? Maybe a friend of yours gave you a photo of the person you should be meeting, so that you know who to trust. On the Internet, the system is comparable. A website sends you a certificate that is signed by some authority you are supposed to trust. This certificate binds the critical information needed to build a secure communication tunnel to an identity. You just have to review this certificate and verify the signature. It is as easy as that.

By now, you may start to wonder who that trusted authority might be. Well, that is the problem. There are around sixty of them, and they reside all over the world. It is not very hard to figure out that if one of them is not very secure, loads of forged certificates could be made, and any website could be imitated. Especially if you recall that, for example, the Dutch company DigiNotar was one of them and that there are more that have a shady history when it comes to security. Therefore, the hierarchical infrastructure is as secure as its weakest link, and there are enough of them to have a weak link.

Those certification authorities are selected by your vendor and embedded in their products. For example, if you use Internet Explorer, Microsoft makes this selection for you. If you use Google Chrome, you should ask Google. Of course, those companies make an effort to make good selections. Nevertheless, it is impossible to do this perfectly.

A Call for Improvement
If you have a lot of time on your hands, go to the physical locations of your favourite websites and ask them for their certificates or ask a trusted friend to do so. Maybe you could make your own selection of certification authorities in the settings of your systems. However, if you, like most people, have better things to do with your time, there are some developments coming along.

The Internet has a very large address book, which is distributed using the Domain Name System. This address book is used to translate domain names to addresses your computer is able to find. In a new effort, scientists have suggested combining these certificates with this address book. In this case, one could securely ask this address book for the certificate, which provides a stronger binding between the identity and the security information. Of course, attacks can always be thought of, but the barriers are raised to a very impractical level. To the observant reader: securely querying the address book is much easier, as this is through your internet service provider, with which prior communication is fairly easy.

Should I Care? I Download all Sorts of Rubbish Anyway
A well-known security expert once said that the common secure communication protocols are equal to sending an armoured van to bring something from a person who lives on a bench in the park to a homeless person. This is very true. A personal computer is much more likely to get compromised due to downloading behaviours, the use of outdated and unpatched software and simple deception. So, if someone wants to raid your bank account, they are much more likely to try to make you give away your account information or to install malicious software on your machine. Really, trying to eavesdrop and modify secured communication is commonly not worth the hassle.

However, if you are a very cautious person, you may want to keep watching closely when you are communicating sensitive information. Luckily, most attacks will arouse the suspicion of the cautious. For example, a certificate may suddenly have changed since your last visit, or the link you are following is different from what it should be.
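
The certificate-change check mentioned above, sketched as an added example (not part of the original article): it remembers the SHA-256 fingerprint of the certificate seen on the first visit and reports when a later visit presents a different one. The class name, the JSON file layout and the host `shop.example` are assumptions, and the demo uses constructed byte strings in place of real certificates.

```python
import hashlib
import json
import socket
import ssl
import tempfile
from pathlib import Path

def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()

def fetch_der(host, port=443):
    """Fetch the server certificate; normal CA and hostname checks still apply."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

class SeenCertificates:
    """Remembers one fingerprint per host in a JSON file (hypothetical layout)."""

    def __init__(self, path):
        self.path = Path(path)
        self.seen = json.loads(self.path.read_text()) if self.path.exists() else {}

    def _save(self, host, der_cert):
        self.seen[host.lower()] = fingerprint(der_cert)
        self.path.write_text(json.dumps(self.seen, indent=2))

    def check(self, host, der_cert):
        """Return 'first-visit', 'unchanged' or 'changed'; a change is never stored."""
        old = self.seen.get(host.lower())
        if old is None:
            self._save(host, der_cert)
            return "first-visit"
        return "unchanged" if old == fingerprint(der_cert) else "changed"

    def accept_change(self, host, der_cert):
        """Record a new certificate once the change was confirmed some other way."""
        self._save(host, der_cert)

def demo():
    """Constructed byte strings stand in for DER certificates; no network is used."""
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    with tempfile.TemporaryDirectory() as tmp:
        store = SeenCertificates(Path(tmp) / "seen.json")
        results = [store.check("shop.example", c) for c in (cert_a, cert_a, cert_b)]
        store.accept_change("shop.example", cert_b)
        reloaded = SeenCertificates(Path(tmp) / "seen.json")
        return results + [reloaded.check("shop.example", cert_b)]
```

A routine renewal also changes the fingerprint, so "changed" is a reason to verify the new certificate, not proof of an attack.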

Just be Cautious!
The World Wide Web is like the real world. From time to time you have this gut feeling that something is wrong. So, the advice on the Internet is the same as the advice your mother used to give you: always be cautious, and do not accept candy from strange men. Yes, the infrastructure in use is fundamentally flawed and, yes, improvements are coming, but if you download anything you come across, legal or not, it has no added value anyway.

2 Responses to Talking Securely with Websites is Flawed, but Who Cares?

  1. Floor Terra says:

    When you talk about sixty CAs, you probably mean the root CAs that most browsers and operating systems explicitly trust. There is a much larger list of intermediate CAs that are implicitly trusted by their signing chains.

    That’s why sensitive applications like banking should not trust the global CA pool, but limit their trust to one CA or maybe just a specific list of certificates. For random websites this is a little bit harder, but Chrome has a feature called certificate pinning that does roughly this.

    It’s important to keep in mind what TLS provides; a third party promises that you are talking to party x and nobody can listen in on the communication or alter the contents without having control of one of the trusted certificates. Nothing more.

  2. You are absolutely right. I left out the hierarchical infrastructure for the sake of simplicity. Furthermore, I reckon that sixty is already too many, let alone the multitude of local authorities we have in reality, as can be seen at, for example, the EFF SSL Observatory.

    I understand the direction you are heading with certificate pinning, but I also think this is not very convenient or intuitive for most users. Actually, I expect those users that understand these mechanisms are also able to tell when a certificate is fishy. Therefore, I am not very convinced by this approach for other uses than helping power users out.

    Finally, as I state, TLS works very well, and most problems with it are due to implementation or are very theoretical. Nevertheless, we also need to embed it such that we can use it to its full potential, which is why the quote of Bruce Schneier hits the nail right on the head: it is really like sending an armoured van from beneath a bridge to the park.
