Commercial certificate authorities

To make this magic work, you need to install a security certificate onto your web server. The certificate serves two purposes:

  • It contains the public key that's needed to set up an asymmetric key-exchange session.
  • Optionally, it can verify the identity of, or authenticate, your website. So, for example, users can theoretically be sure that they're connected to their real bank, instead of to Joe Hacker's Bank of Crooks and Criminals that's disguised as their bank.
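The two purposes above can be seen directly in the artefact you submit to a CA. The following added shell example (mine, not the book's, and not taken from any vendor's documentation) uses the OpenSSL utility to generate a private key and a certificate signing request, then inspects the request to show that it carries both the public key and the identity fields. It assumes `openssl` is installed; the subject fields and the `./tls-work` directory are made-up placeholders.

```shell
#!/bin/sh
# Added example, not from the book: build a key pair and a CSR the way a
# traditional CA expects one, then check what the CSR actually contains.
# Assumptions: openssl is on PATH; all subject values are placeholders.

make_csr() {
    workdir="$1"   # hypothetical working directory
    cn="$2"        # hostname the certificate is for (the CN / identity field)
    mkdir -p "$workdir"
    # 1. Private key. This file stays on the server; only the CSR is submitted.
    openssl genrsa -out "$workdir/server.key" 2048 2>/dev/null || return 1
    # 2. CSR: the public key plus the identity fields the CA will validate.
    openssl req -new -key "$workdir/server.key" -out "$workdir/server.csr" \
        -subj "/C=US/ST=Example/O=Example Widgets Ltd/CN=$cn" 2>/dev/null || return 1
    # 3. The CSR is self-signed with the private key; verifying that signature
    #    is how the CA (and you) confirm the requester holds the matching key.
    openssl req -in "$workdir/server.csr" -noout -verify >/dev/null 2>&1
}

# Identity fields carried in the request (what DV/OV/EV validation is about).
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Confirms the request carries a public key (what the TLS key exchange needs).
csr_has_public_key() {
    openssl req -in "$1" -noout -pubkey | grep -q 'BEGIN PUBLIC KEY'
}

# Usage: make_csr ./tls-work www.example.com && csr_subject ./tls-work/server.csr
```

Note that the CSR verification step only proves possession of the private key; it says nothing about whether the requester actually controls `www.example.com`, which is exactly the gap that the CA's domain, organization or extended validation is supposed to close.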

When you shop for a certificate, you'll find quite a few vendors, which are all referred to as certificate authorities, or CAs. Most CAs, including vendors such as Thawte, Symantec, GoDaddy, and Let's Encrypt, among others, offer several different grades of certificates. To help explain the differences between the grades of certificates, here's a screenshot from the GoDaddy site:

At the top of the list, at the cheapest price, is the Standard SSL DV offering. Vendors advertise this type of certificate as for use where all you really care about is encryption. Identity verification is limited to domain verification, which means that yeah, records for your site have been found on a publicly accessible DNS server.

At the bottom, we see the Premium SSL EV offering. This is the top-of-the-line, highest-grade certificate that certificate vendors offer. It's currently priced lower than the mid-grade organization validation offering, but that's only because of the 50% off sale. With this extended validation grade of certificate, you have to jump through some hoops to prove that you are who you really are and that your website and your business are both legit. When you install this type of certificate, you get that high-assurance green address bar showing up in your customers' web browsers.

So, just how good is this Premium SSL EV certificate with rigorous identity testing? Well, not quite as good as I thought. This morning, two days after I wrote the explanation about the different types of certificates, I received the latest edition of the Bulletproof TLS Newsletter from Feisty Duck Publishing. The big news is that Google and Mozilla plan to remove the green high assurance bar from future editions of Chrome and Firefox. Their reasons are as follows:

  • The green high assurance bar is meant to help users avoid phishing attacks. But for that to be useful, users have to notice that the high assurance bar is even there. Studies have shown that most people don't even notice it.
  • Ian Carroll, a security researcher, questions the value of extended validation certificates. As an experiment, he was able to register a bogus certificate for Stripe, Inc., which is a legitimate company. The certificate vendor finally did notice their mistake and revoked the certificate, but it's something that shouldn't have happened in the first place.
  • On top of everything else, it's also possible to register extended validation certificates with incorrect information. This indicates that the verification process isn't quite as thorough as the certificate vendors would have us believe.

But in spite of these occasional problems, I still believe that extended validation certificates are useful. When I access my bank account, I like to believe that extra identity verification is never a bad thing.

Something else that's rather curious is that certificate vendors market their certificates as SSL certificates. Don't be fooled, though. As long as the website owners configure their servers correctly, they'll be using the more secure TLS protocol, rather than SSL.

Let's Encrypt is a fairly new organization that has the goal of ensuring that all websites everywhere are set up with encryption. It's a worthy goal, but it has also introduced a new problem. The following screenshot shows the Let's Encrypt website:

To obtain a certificate from one of the traditional vendors, you have to use the OpenSSL utility to create your keys and a certificate request. Then, you'll submit the certificate request, proof of identity if applicable, and your payment to the certificate authority. Depending upon which grade of certificate you purchase, you'll have to wait anywhere from one to several days before you get the certificate.

Let's Encrypt is totally free of charge, and you don't have to jump through hoops to get the certificate. Instead, you configure your web server to automatically obtain a new Let's Encrypt certificate each time you set up a new website. If Let's Encrypt sees that your new site has a valid record on a publicly accessible DNS server, it will automatically create and install the certificate on your server. Other than having to configure your web server to use Let's Encrypt, it's no fuss, no muss.

The problem with Let's Encrypt is that it's even easier to abuse than the extended validation certificates. Shortly after Let's Encrypt began operation, criminals began setting up domains that appeared to be subdomains of legitimate business websites. So, people see that the website is encrypted and that the domain name seems to be legit, and they merrily enter their credentials without giving things a second thought. Let's Encrypt is handy and useful for legitimate purposes, but be aware of its downside, too.
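The subdomain trick works because a domain-validated certificate only proves control of the name it was issued for, and the browser's padlock says nothing about which part of that name is the registered domain. The following added Python example (mine, not the book's) shows the check a user or a phishing filter would need: work out which domain a hostname is really registered under, and flag hostnames that carry a watched brand name only in their subdomain labels. It assumes the registrable domain is the last two labels (a real deployment would consult the Public Suffix List to handle names like `example.co.uk`), and the brand watch-list and sample hostnames are constructed.

```python
"""Added example, not from the book: identify which domain a hostname is really
registered under, so that lookalike subdomains of the kind described above can
be flagged. Assumption: the registrable domain is the last two DNS labels; a
production filter would use the Public Suffix List instead.
"""

# Constructed watch-list of brand labels to look for; not real data.
BRANDS = ["examplebank", "acmepay"]


def labels(hostname):
    """Split a hostname into lowercase DNS labels, ignoring a trailing dot."""
    return hostname.rstrip(".").lower().split(".")


def registrable_domain(hostname):
    """The part of the name that someone actually registered (assumed: last two labels)."""
    parts = labels(hostname)
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()


def embedded_brands(hostname, brands=BRANDS):
    """Brands that appear in the subdomain labels but not in the registered domain.

    A DV certificate for 'secure.examplebank.com.login-portal.net' is perfectly
    valid: the requester controls login-portal.net, and that is all DV checks.
    """
    parts = labels(hostname)
    owner_label = registrable_domain(hostname).split(".")[0]
    subdomain_labels = parts[:-2]
    found = []
    for brand in brands:
        in_owner = brand in owner_label
        in_subdomain = any(brand in label for label in subdomain_labels)
        if in_subdomain and not in_owner:
            found.append(brand)
    return found


def assess(hostname, brands=BRANDS):
    """Summarize who owns the name and whether it looks like a lookalike subdomain."""
    lookalike = embedded_brands(hostname, brands)
    return {
        "hostname": hostname,
        "registered_under": registrable_domain(hostname),
        "lookalike_of": lookalike,
        "suspicious": bool(lookalike),
    }


if __name__ == "__main__":
    # Constructed sample hostnames: one genuine, one using the subdomain trick.
    for name in ["secure.examplebank.com", "secure.examplebank.com.login-portal.net"]:
        result = assess(name)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{name}: registered under {result['registered_under']} -> {verdict}")
```

The point of the `registered_under` field is that it is the only part of the hostname the certificate's domain validation actually vouched for; everything to the left of it was chosen freely by whoever controls that domain.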

Before you choose a certificate vendor, do some research. Sometimes, even the big name vendors have problems. Not so long ago, Google removed Symantec from Chrome's list of trusted certificate authorities because Symantec had allegedly violated industry best practices several times. That's rather ironic, considering that Symantec has had a long history of being a trusted vendor of security products.

Now that we've covered the basics of SSL/TLS encryption, let's see how to implement it with the OpenSSL suite.
