Blog

SSL Certificates - 23,000 reasons to have one

15 December 2017

Some Key Facts

Data delivered over an unencrypted channel (HTTP ) is insecure, untrustworthy, and easily intercepted. 

  • Passive and active attackers can listen in
  • Active hackers can tamper with data
  • Active hackers can impersonate the destination
  • 80% upwards of visitors to an online store will not buy without an SSL certificate in place

The Good News

  • Google gives your website a small ranking boost if you have an SSL certificate. 
  • An SSL turns your URL from HTTP to HTTPS, and you get a security padlock preceding the URL.
  • Visitor's communications with an HTTPS website are encrypted.
  • SSL encrypts data both in the content itself and in the messaging vehicle.
  • Credit card details, passwords, and personal information are safe. 
  • An HTTPS website means that the website owner and server details have been verified as genuine.
  • You can securely use free unsecured WIFI from a cafe, for example, if visiting an HTTPS website. 

Google Chrome Browser security grading as seen on websites 

 

 

 

Google is using the carrot and stick approach to get people to adopt HTTPS as a standard by highlighting the risks and vulnerabilities of non-secure (HTTP) websites to you, and if you have a website, to the attention of your visitors who effectively boycott the website.

The carrot is security and an admittedly small boost to the rankings of websites that deploy an SSL certificate, but the certificate also gives GEO location properties.

 

Which is the dominant browser?
 

The warnings prefixing website URLs are specific to the Google chrome platform only, but as shown in the following table, it is the dominant browser on mobile and desktop devices.

 

 

 

Historically SSL certificates are more generally associated as an essential component of eCommerce websites.

 

HTTPS protects the privacy and the security of people who use your website for whatever reason.

 

An SSL certificate encrypts the data that flows between your browser and the website you are visiting.

 

This means that when you visit an HTTPS website and you fill in forms with your credit card details, name, address, phone numbers, passwords, your mother's maiden name, and all the other seemingly incidental data, the content is protected by the encryption.

 

I don't have any forms on my website, so I won't need one.

 

Nowadays, hackers, clever people, exploit information to build up aggregate profiles of individuals and companies and behavioural patterns.

 

They can do this by planting malware on your website or manipulating the website to redirect people elsewhere, or intercept traffic content and eavesdropping.

 

Malware - from the web directly to your pc

 

Another good reason to get an SSL certificate

 

Twenty-three thousand websites compromised in December 2017

 

Websites that have malware on them install malicious code onto your computer when you visit them.

This can be done when you consent to download files that are infected or by being unaware that anything has been downloaded at all.

The malware then captures and sends sensitive user data from your computer to the hackers' repository. 

 

Phishing Websites.

 

Growth in phishing and malware websites

 

720 thousand websites impersonating legitimate websites

 

There are many very sophisticated scams that request you click on a link in an email to your bank or an online store.

The destination website is, in fact, a website clone, virtually identical to that of your bank with a very similar domain name.

 

You input your login details, and the hackers have then got initial vital information.

Of course, the login details you use invariably are randomly selected digits from your password and on their own do not fully compromise you.

 

Links will take you to the genuine banking website. 

 

But you are taken directly to an "Update your password" page.

The page is branded to your bank's livery; it has warnings typical of all banking websites that urge you not to divulge your account details and which, if you click on them, will, in fact, take you to the genuine banking website.

 

But the process continues when you are requested to change your password first by inputting your current password and then by inputting your new password and confirming it. At this point, you have given the hackers access to your account and, in all likelihood, between the genuine and the new password a good chance of accessing other services you use as well.

 

Nobody has "got your back" but you:

 

"NatWest bank spat prompts web security changes."

 

As recently as 12th December this year, the Natwest Bank was operating unsecured websites.

Moreover, the websites had nominated links to "Log in" to access accounts.

 

When challenged, the bank, via their  Twitter account, apologised and promised to feed the concerns back to the tech team.

However, the bank told the BBC that they would apply for an SSL certificate, and within 48 hours, the website had HTTPS status.

 

Not just NatWest caught unawares.

Lloyds and Halifax websites accepted both HTTP and HTTPS but also similarly resolved the situation two days later.
 

Hackers actively target "high value" websites that can realise some return on investment. Still, before you assume the "I'm well under the radar" stance, the malware "bots" and scripts that are running on automatic do not make any distinction. The website is either vulnerable or not, and your everyday practices will contribute to your own security.

 

Read the BBC article at: http://www.bbc.com/news/technology-42353478 

 

 Natwest bank without an SSL certificate

 


The screenshot above, courtesy of The Wayback Machine shows the archived website on 7th December 2017 without the HTTPS prefix, and the highlighted exploitable "login" link.

 

A few days later, the image below shows the same website with the added SSL certification displaying the HTTPS.

 

Natwest adopts the https status after criticism

 


If, as a website owner, you collect data from customers during purchases, have a subscribers list, use a booking system or a blog, then these details need to be protected.

 

 

An SSL certificate acts a bit like a passport. It is a digital certificate issued by a trusted certificate authority.

This authority verifies the information submitted on an SSL certificate application is legitimate before issuing it to an identified website.

 

It authenticates the website name and the web server's identity it resides upon and verifies that the website owner is really who they claim to be.

 

When someone visits a website, the browser-ie, Chrome, Firefox, Safari, Explorer, etc., check to verify that the website is what it is supposed to be, just like passing through airport customs, but a darn site quicker.

 

It also flags up to the site visitor if all is not as it should be. The example below relates to an expired SSL certificate.

 

 

SSL encrypts data both in the content itself and in the transport mechanism used to send the data to a destination on the Internet.

 

The first of the following two images show a screenshot of our website with an SSL certificate and the information associated should you click on the padlock.

 

 

In the second image, for demonstration purposes, we have edited the code and removed the "s" from the HTTPS in the URL of an image on that page. The browser has instantly recognised that though the site is HTTPS, it is open to compromise and downgraded the security status to "information or not secure."

 

It also highlights that relevant to the image that we edited; it is now open to manipulation by a hacker.

By default, this means that every website without an SSL certificate is completely open to interference. 

 

HTTPS with minor errors uses the same indicator as HTTP

 

 

SSL certificates are only as good as the issuing Certificate authority (CA)

If the CA is compromised, has inadequate internal auditing and control systems, allows certificates to be maliciously acquired, or goes rogue, then effectively, the validity of all of the SSL certificates issued by that CA cannot be trusted.


An SSL certificate attached to a website effectively states that:

  • The website owner is as displayed on the certificate and that it has been verified.
  • The domain name/ website is also identified and associated as being hosted on a specifically identified server.
  • The data between the browser and the website is also encrypted.

 

HTTPS - Is this full-proof?

So it's one thing, knowing that all HTTP websites are vulnerable to website spoofing, server impersonation, and data interception.

The main cryptographic system that underpins the HTTPS certification system relies on the trust in the integrity of the Certificate Authorities.
Where this is compromised, and it has been, then we really are on the back foot.

Malpractice

There have been numerous instances where SSL certificates have been issued wrongly (malicious or otherwise), and they have not been detected for weeks and, in some cases, months. There are Certificate Authorities that have been shut down.

The problem is that there is no feasible, effective way to monitor SSL certificates in real-time.  

Fake SSL Certificates

In one instance, fake SSL certificates were used to impersonate numerous sites in Iran, such as Gmail and Facebook, which enabled the operators of the fake sites to spy on unsuspecting site users.

Certificate Transparency Project - 2103

In 2013 Google published an article for an experimental protocol to address flaws in the certification system.

Google created Google's Certificate Transparency Project to tackle the problems, and the 'trans' IETF WG was established to create a standard RFC (request for comments) for Certificate Transparency. 

Google established the task force to establish a "protocol for publicly logging the existence of Transport Layer Security (TLS) certificates as they are issued or observed, in a manner that allows anyone to audit certificate authority (CA) activity and notice the issuance of suspect certificates as well as to audit the certificate logs themselves." 

The intent is that eventually, clients (browsers) would refuse to honour certificates that do not appear in a log, effectively forcing CA's to add all issued certificates to the logs."

Fast - Forward to 2017

More specifically, on Dec 20th, 2017, there have been 840,037,345 entries made to the set of Certificate Transparency logs that Google monitors by Certificate Authorities logging registered SSL certificates and getting Signed Certificate Timestamps SCT's from them.

Deadline

Google has announced that all types of SSL certificates issued after April 2018 that are not CT qualified will not be trusted in Chrome.

A list of known and included Public logs can be found here and also Public logs that are "completely distrusted by Chrome and finally Public logs that Chrome has rejected  

Three additional core components complement the existing certification system in the Certificate Transparency framework.

 

1. Certificate logs

2. Certificate monitors

3.Certificate auditors

 

Certificate logs - The Certificate Authority, when issuing an SSL certificate to a domain, will register it on a public certificate log and will get a signed certificate timestamp (SCT) from the log, which will be incorporated into the SSL certificate denoting the time of issue, the identity of the Public log it was registered with and the specific certificate it was allocated to.

Certificate monitors - Monitors watch logs and retrieve updates to the logs regularly, so at certain points, the Monitor has all the data that the Log has. In addition, logs do not permit appends, i.e., the insertion of data into existing data, so "new" certificates can not be inserted and backdated.

Monitors, by the same token, when they retrieve the latest logs, including the most recent certificates, can compare that the new retrieval excepting the new certificates mirrors their own records exactly.

In addition, Monitors share data with other monitors and with Auditors.

Certificate auditors - the majority of these are actually built into the web browsers.

What happens here is that the browser visits a website and validates (via a TLS handshake ) the SSL certificate and its signature chain.

It also validates the log’s signature on the SCT to verify that a valid log issued the SCT and that the SCT was actually issued for the certificate (and not some other certificate).

Summary

Against a backdrop of increasing malware with no geographical limitations, cleverly designed phishing websites, and legitimate websites being compromised, the prudent course of action is obvious.

Good News

The certificate transparency project enjoys the support of other browsers which it is indicated are participating and will implement the same tactics as Google Chrome and the approaching deadline of April 2018 when CTA’s who do not participate in the scheme are not recognised by Google Chrome, and other browsers is a welcome milestone.

The Threat

The costs of remedying compromised websites, not to mention damaged reputations, significantly outweigh the token investment of an SSL certificate. Recent events suggest that there is still quite significant naivety at the corporate level regarding online security.

 

Index:

SSL - Secure Socket Layer

CA - Certificate Authority

CT - Certificate Transparency

SCT - Signed Certificate Timestamp

TLS - TLS Handshake Protocol. The Transport Layer Security (TLS) Handshake Protocol is responsible for the authentication and key exchange necessary to establish or resume secure sessions.

Cryptography - is the practice and study of techniques for secure communication in the presence of third parties called adversaries.

Reference sites: 

https://www.certificate-transparency.org/

https://www.chromium.org/Home/chromium-security/root-ca-policy

https://www.netmarketshare.com

https://archive.org/

 

Recent Blogs