The problem of verifying identity, and being able to trust that verified identity, has only worsened as internet usage has increased and usernames and passwords have become more valuable, says Megan Rehbock, certificate service manager at LAWtrust.
Security measures have become more sophisticated and widespread as a result, but so have cybercriminals. Public key infrastructures and Secure Sockets Layer (SSL) certificates offer one means for ordinary users to trust that the site they are logging into and transacting on is secure, and is the site it purports to be.
SSL certificates are issued by Certificate Authorities (CAs) – they verify that the certificate is in fact owned by the party claiming to own it. In other words, if I try to connect to your server, your server will send my browser a certificate saying, simply put, that a certificate authority has certified that this site is the site you are looking for.
The key here is that a trusted authority has verified the site’s details including domain name, company name, address and so on.
Self-signed SSL certificates, on the other hand, can be downloaded free off the Internet and are not verified. This means they can be associated with fake identities. Because self-signed certificates look the same as the publicly trusted certificates issued by a CA, it is difficult to know what to trust.
Self-signed SSL certificates are vulnerable to Man-In-The-Middle attacks – these happen when a cybercriminal inserts themselves between a user and the site they want, such as PayPal, and serves up a certificate to the browser claiming to be PayPal.
This leads the user to believe they are entering their login credentials into a legitimate website when they are actually being lured into handing those credentials to a criminal, who will use them for their own purposes (usually the credentials are sold on to another tier of cybercriminal, who uses them to make fraudulent transactions or to enter systems illegally).
System engineers claim it is easier (and cheaper, i.e. free) to deploy a self-signed certificate, but in addition to being vulnerable to fraud, self-signed certificates are difficult to manage and monitor. An expired certificate can leave a production system vulnerable to attacks and breaches, and a successful attack costs a business both reputational and financial loss.
Choosing a publicly trusted CA ensures you receive reminders before your certificates expire, and gives you access to discovery tools that find all rogue certificates deployed in your environment.
CAs assist users to comply with industry best practice and recommend remediation of certificates that do not meet requirements such as minimum key size (2048-bit), secure hashing algorithms, maximum certificate validity periods and proper certificate extensions.
CAs undertake organisation/extended validation checks on the owner of the domain as well as on the requester of the certificate, and validate and approve both (including phoning the company concerned to establish that the requester works there and is authorised to request certificates) before any certificate is created and issued.
All CAs are audited to ensure compliance with the certificate issuing criteria stipulated in the CA Baseline Requirements, through WebTrust audits as well as browser audits, so that root certificate information is embedded and trusted in the web browser.
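The two points above, the browser-side chain check that separates a CA-issued certificate from a self-signed one, and the compliance audit for key size, hash algorithm, validity period and extensions, can be exercised end to end with the Go standard library. The program below is an added example written for this page, not code from the article or from LAWtrust. It constructs everything in memory: a demo root CA, a leaf for the made-up hostname `shop.example.test` issued by that root, and a self-signed leaf for the same name with a 1024-bit key, a three-year lifetime and no Subject Alternative Name. The 398-day validity cap and the 30-day expiry-reminder window are assumptions, since the article names no figures; the function names (`BuildDemo`, `VerifyAgainstRoots`, `IsSelfSigned`, `AuditCert`) are the example's own.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxValidity is an assumed policy limit for leaf certificate lifetime;
// the article mentions a maximum validity period but gives no number.
const MaxValidity = 398 * 24 * time.Hour

// ReminderWindow is an assumed "expiring soon" threshold for the expiry reminder.
const ReminderWindow = 30 * 24 * time.Hour

// Demo bundles a constructed trust store and two leaf certificates for the same
// hostname: one issued by the constructed root CA, one self-signed.
type Demo struct {
	Now        time.Time
	Roots      *x509.CertPool
	CAIssued   *x509.Certificate
	SelfSigned *x509.Certificate
}

// issue signs tmpl with signer under parent and returns the parsed certificate.
// Passing tmpl as its own parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemo generates all keys and certificates in memory (constructed test data, not real sites).
func BuildDemo() (*Demo, error) {
	now := time.Now()
	rootKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root, err := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // stands in for the browser's trust store
	roots.AddCert(root)

	// CA-issued leaf: 2048-bit key, SHA-256 signature (Go's default for RSA), 90-day lifetime, SAN set.
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	caIssued, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "shop.example.test"},
		DNSNames:  []string{"shop.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}

	// Self-signed leaf for the same name, carrying the weaknesses the article lists:
	// 1024-bit key, three-year lifetime, no Subject Alternative Name extension.
	selfKey, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return nil, err
	}
	selfTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "shop.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(3 * 365 * 24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	selfSigned, err := issue(selfTmpl, selfTmpl, &selfKey.PublicKey, selfKey)
	if err != nil {
		return nil, err
	}
	return &Demo{Now: now, Roots: roots, CAIssued: caIssued, SelfSigned: selfSigned}, nil
}

// VerifyAgainstRoots does what a browser does: build a chain from the leaf to a
// trusted root and check that the certificate is valid for the requested hostname.
func VerifyAgainstRoots(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// IsSelfSigned reports whether the certificate's issuer is its own subject and
// its signature verifies under its own public key.
func IsSelfSigned(c *x509.Certificate) bool {
	return bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// AuditCert applies the compliance checks the article attributes to a CA:
// key size, signature hash, validity period, required extensions, and expiry.
func AuditCert(c *x509.Certificate, now time.Time) []string {
	var findings []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key is %d bits; minimum is 2048", pub.N.BitLen()))
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature hash: "+c.SignatureAlgorithm.String())
	}
	if c.NotAfter.Sub(c.NotBefore) > MaxValidity {
		findings = append(findings, fmt.Sprintf("validity period %v exceeds %v", c.NotAfter.Sub(c.NotBefore), MaxValidity))
	}
	if len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
		findings = append(findings, "no Subject Alternative Name extension; browsers ignore the Common Name")
	}
	if now.After(c.NotAfter) {
		findings = append(findings, "certificate has expired")
	} else if c.NotAfter.Sub(now) < ReminderWindow {
		findings = append(findings, fmt.Sprintf("expires in %v; renew now", c.NotAfter.Sub(now).Round(time.Hour)))
	}
	return findings
}

func main() {
	d, err := BuildDemo()
	if err != nil {
		panic(err)
	}
	for name, c := range map[string]*x509.Certificate{"CA-issued": d.CAIssued, "self-signed": d.SelfSigned} {
		err := VerifyAgainstRoots(c, d.Roots, "shop.example.test", d.Now)
		fmt.Printf("%-11s selfSigned=%v chainVerifies=%v findings=%v\n", name, IsSelfSigned(c), err == nil, AuditCert(c, d.Now))
	}
}
```

Run with `go run main.go`. The CA-issued leaf chains to the root and passes every audit check; the self-signed leaf fails chain building (no trust anchor vouches for it, which is exactly the gap a man-in-the-middle exploits) and collects three findings. The audit logic is the part worth reusing: pointed at certificates harvested by a discovery scan, it produces the remediation list the article says a CA would provide.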
Given the risks of self-signed certificates and the minimal costs of publicly trusted certificates, particularly when balanced against the threat of a system breach or outage, there really is no reason not to use trusted certificates.