Giving away the keys to the internet: Is HTTPS encryption still secure?

With thousands of SSL certificates wrongly issued to cybercriminals, is it still worth bothering with HTTPS?

Does the padlock icon on our web browsers still mean anything, or have certificate authorities turned HTTPS encryption into a joke?iStock

If you know anything about internet security, then you probably know that the little padlock symbol on the address bar in your web browser signifies that the website you're visiting is protected by HTTPS encryption.

HTTPS encryption is what ensures that the connection between your computer, your bank and online retailers is secure, so that no sensitive information or money from financial transactions can be stolen by cybercriminals. Sounds great. So what's the problem?

What you probably don't know is that there is a battle currently waging over certificate authorities (CAs). These are the entities that issue SSL certificates; small data files that protect users' data on websites and enable HTTPS encryption.

Advertisement

The issue is that more and more CAs are being pulled up for misissuing security certificates, either by accident, due to a security vulnerability, or due to negligence in issuing the certificates to sites run by cybercriminals.

Rising cases of CAs found wrongly issuing security certificates

For instance, in March, Google Chrome's developers announced that they would stop recognising any security certificates issued by Symantec, a well-known cybersecurity firm and one of the biggest certificate authorities on the internet.

Symantec validates 42% of all security certificates, and by blocking its certificates users won't be able to access many legitimate websites too. Google says it was pushed to take the decision because its investigation revealed that Symantec improperly issued 30,000 certificates over several years. Of course, Symantec has disputed Google's decision, insisting that Google's comments are misleading and exaggerated, and that the number of certificates misissued was only 127.

Yet this is not the only instance of SSL certificates being wrongly issued. In 2016, the CA Let's Encrypt issued 15,270 SSL certificates that contained the word "PayPal", and 96% of those security certificates were issued to domains that were hosting phishing sites (malicious websites that impersonate legitimate services to trick users into handing over account details and financial information).

Since the SSL Store's encryption experts discovered this extensive breach of Let's Encrypt free SSL certification system, Let's Encrypt has not responded. In the past, it has made it clear that it does not see itself as the police of the internet. Let's Encrypt says that its mission is to encrypt the whole internet, and if that means that some cybercriminals get encrypted too, well then the greater good outweighs the risk.

Is there still a point in securing websites using HTTPS?

"Even a single unauthorised certificate is a cause for concern. Repeated instances to that order serve to erode the trust model. Instances involving high-profile names collapse the trust as billions of people and trillions of transactions can potentially be compromised," F-Secure's chief information security officer Erka Koivunen told IBTimes UK.

"Browsers and operating systems have steadily increased the number of CAs and CA certificates that they trust by default. There should also be discussion about whether the certificate revocation process is broken. Some browsers and applications will never know if a certificate has been revoked. The well-meaning instructions to go and look for 'HTTPS://' or a padlock sign mean less and less each day as you have less and less certainty over who it is that you are communicating with over an encrypted channel. Friend or foe, who knows?"

Advertisement

Not everyone agrees with how Google is handling the situation with Symantec. On one hand, it's good to call out companies when grievous sins have been committed, but if Chrome refuses to accept authentication from Symantec-issued SSL certificates, this will hit a lot of perfectly innocent websites.

"Certificates are a key part of the system of trust that underlies the security of every machine on the Internet – there is no replacement so we really need to continue to make this system work. To do this, the tech and security industries as a whole need to work collaboratively to identify the misuse and miss-issuance of certificates. CAs have a responsibility to improve their processes but they are far from alone in carrying this burden," argues Venafi's chief cybersecurity strategist Kevin Bocek.

"CAs generally need to get better at identifying unauthorised or out of policy certificates. However, the identity of machines and use of encryption is so important that it can't be left to CAs alone, businesses must take action, responsibility and gain agility."

How can we tell if a website is really secure?

FireEye's senior intelligence account analyst Jens Monrad still feels that HTTPS has value, but it all depends on whether the SSL certificate is trusted and valid. So how can we tell?

Advertisement

"It is worth offering an encrypted communication path via HTTPS, if the issued certificate is trusted and valid, and not self-signed. Many organisations deploy self-signed certificates on their servers and infrastructure, and a lot of end users do not check who the issuer of the certificate is. This means that a weak certificate, regardless of its purpose, might generate a false sense of secure communications," he told IBTimes UK.

"The cyber security and wider tech industry is constantly trying to address the risk of fraud via certificates, as well as transactions of financial data. However, there are no solutions out there that are 100% reliable, so I would also suggest that consumers make sure to inspect if the website they are purchasing from is using a valid and trusted certificate.

"Clicking the padlock icon next to the HTTPS URL typically reveals the relevant information, where the user can quickly assess who the issuer of the certificate is and if the certificate itself is trusted."

© Copyright 2017 IBTimes Co., Ltd. All Rights Reserved.