Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

State-run SSL certificate authorities make Congress nervous about web security

Ian Paul | June 11, 2015
Congress is losing sleep over the possibility other nations could endanger web security, and now it wants the four major browser makers to weigh in. The House of Representatives' Committee on Energy and Commerce recently sent letters to Apple, Google, Microsoft, and Mozilla with questions about how the backbone of HTTPS security could be violated.

Congress is losing sleep over the possibility other nations could endanger web security, and now it wants the four major browser makers to weigh in. The House of Representatives' Committee on Energy and Commerce recently sent letters to Apple, Google, Microsoft, and Mozilla with questions about how the backbone of HTTPS security could be violated.

The concern is whether a government-owned SSL certificate authority (CA) could start issuing phony security certificates that look legitimate to browsers. Those certificates could then be used to harvest login details from social networks, corporate networks, and email accounts.

Although generally trustworthy, there are many examples of the SSL certificate system being compromised. Most famously in 2011, when certificate authority (CA) Diginotar was hacked and malicious actors generated hundreds of fraudulent certificates for popular sites such as Google, Skype, and Yahoo.

There are numerous government-owned CAs across the globe, including in China, France, Spain, and Turkey.

Why this matters: Most users are not even aware they exist, but SSL certificates working behind the scenes are a fundamental part of the web's security model. It's not clear whether Congress could reign in the global mess that is the SSL certificate system or if this is something best left to browser makers or CAs themselves. Nevertheless, it's fascinating and a little bit shocking that lawmakers are even wading into such an esoteric part of web security. 

SSL certificates in brief

When users sign in to a secure site like Gmail, Facebook, or a bank, their browser typically displays a green lock icon in the address bar followed by https:// and then the site's URL. That green lock appears because of the SSL certificate system working behind the scenes.

There are a number of companies around the world known as certificate authorities that are trusted to issue these legitimate SSL certificates. A website owner has to purchase a cryptographically signed SSL certificate from one of these CAs. Browsers then have a list of the CAs they are willing to trust to ensure a user is connecting to the website they think they are.

If the certificate is legitimate, then the browser will allow the user to interact with the site as they normally would. If, however, the SSL certificate for that site isn't the real deal, the browser will display a warning or block the user from accessing the site entirely.

Basically, HTTPS security hinges on trusting the CAs, which also means CAs have a lot of potential for abuse.

The risks of state-run certificate agencies

What has American lawmakers worried is that a government-owned CA could start issuing fraudulent certificates for sensitive sites like email or social networking. "A government-owned CA...may issue certificates for email providers or social media sites in order to seek out political dissent," Congress' letter said.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.