
HTTPS Secures Site Traffic From Eavesdropping, But Who Can We Trust?


Encrypting data is essential in helping ensure its confidentiality. October is National Cybersecurity Awareness Month in the US and the theme for the third week is "It's Everyone's Job to Ensure Online Safety at Work". We all use encryption when we surf the web, but it is not as simple as it might seem, and that is (mostly) a good thing.

Whenever you visit a website whose URL begins with https, the traffic between your browser and the site is encrypted in transit. That means an attacker on the network path (on the coffee-shop Wi-Fi, at the ISP) cannot read it or silently alter it; it says nothing about what the site does with your data once it arrives. There are different types of encryption the sites can use, but that is a subject for another post. The site tells the browser or other client who it is and how to talk to it by sending a certificate, specifically an X.509 digital certificate. That certificate contains, among many other things, the server's public key and its algorithm, the hostnames the certificate covers, the period for which it is valid, the signature of the issuer, and what the certificate may be used for. The symmetric cipher that actually protects the traffic is negotiated in the TLS handshake rather than stated in the certificate.


The Three Types of Certificates Used With TLS On The Web


When a browser receives a certificate from a website, it can be one of three broad types. The actual criteria for issuing each type are set out in the issuer's (the Certificate Authority or CA) Certificate Policy and, for CAs that browsers trust, in the CA/Browser Forum's Baseline Requirements.

  1. Domain Validated (DV) certificate. In this case, the issuer only validates that the individual or organization requesting the certificate controls the domain, typically by having them publish a DNS record, place a file at an agreed URL on the site, or respond to an email sent to a WHOIS contact or to an address such as admin@ at that domain. That proves control of the name and nothing about who is behind it, so on its own it is weak evidence of identity. This is the type of certificate that gets the little padlock icon in the browser's address bar. These certificates can be issued as "wildcard certificates", for example for "*.somedomain.com", and used by every host under that name.
  2. Organization Validated (OV) certificate. These certificates are issued when an organization proves control of the domain and, in addition, that it legally exists (the CA checks a business registry or a similar source) and that the requester is entitled to act for it. The verified organization name is placed in the certificate's Subject field, but no mainstream browser shows a different indicator for OV than for DV; a user would have to open the certificate details to see the difference. For this reason, most sites that just want encryption use a DV certificate, since it costs less to purchase.
  3. Extended Validation (EV) certificate. This type of certificate requires the most extensive validation and is designed to provide the most trust. The issuer performs significantly more rigorous checks of the applicant's legal, physical and operational existence and of the authority of the person making the request. Not every CA may issue these certificates: a CA must be audited against the EV criteria before it is permitted to do so. Those criteria, the CA/Browser Forum's EV Guidelines, are the same around the world to ensure consistency. EV certificates may cost significantly more than OV or DV certificates (hundreds or thousands of dollars versus tens to hundreds of dollars). Sites using these certificates are financial institutions, sites providing for online purchasing, and others that want to convey a high level of trust to users. Different browsers convey the information that the site is using an EV certificate in different ways; at the time of writing, most show the name of the owner of the site in green next to the padlock.
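The certificate fields described above (public key, covered hostnames, validity, policy) are all readable by a client, and the DV/OV/EV distinction is recorded in the certificate itself through policy identifiers reserved by the CA/Browser Forum. The following is an added example, not code from the original post: it constructs three self-signed leaf certificates carrying those policy OIDs, then reads back what a browser would look at before drawing the padlock or the owner's name, and applies the key-strength check from tip 3 below. The hostnames and organization name are made up, a real leaf certificate would be signed by a CA rather than by its own key, and the `cryptography` package is assumed to be installed.

```python
"""Read an X.509 certificate the way a browser does before drawing the padlock.

Added example (not from the original post). Constructs self-signed DV, OV and
EV-style certificates with the CA/Browser Forum policy OIDs and inspects them.
Hostnames and organization names are constructed. Requires `cryptography`.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Reserved policy identifiers from the CA/Browser Forum Baseline Requirements
# and EV Guidelines. Public CAs add their own OIDs alongside these.
POLICY_LEVELS = {
    "2.23.140.1.2.1": "DV",  # domain-validated
    "2.23.140.1.2.2": "OV",  # organization-validated
    "2.23.140.1.2.3": "IV",  # individual-validated
    "2.23.140.1.1": "EV",    # extended validation
}


def make_cert(hostname, policy_oid, org=None, rsa_bits=None):
    """Constructed self-signed certificate for demonstration only.

    Uses a P-256 EC key by default; pass rsa_bits (e.g. 1024) for an RSA key.
    """
    key = (rsa.generate_private_key(public_exponent=65537, key_size=rsa_bits)
           if rsa_bits else ec.generate_private_key(ec.SECP256R1()))
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, hostname)]
    if org:  # OV/EV certificates carry the verified legal name in the Subject
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    name = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=90))
        # Browsers match the URL's hostname against SAN entries, not the CN.
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(
            x509.CertificatePolicies([x509.PolicyInformation(x509.ObjectIdentifier(policy_oid), None)]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )


def validation_level(cert):
    """DV / OV / IV / EV from the certificatePolicies extension, else 'unknown'."""
    try:
        policies = cert.extensions.get_extension_for_oid(ExtensionOID.CERTIFICATE_POLICIES).value
    except x509.ExtensionNotFound:
        return "unknown"
    levels = {POLICY_LEVELS.get(p.policy_identifier.dotted_string) for p in policies}
    levels.discard(None)  # ignore CA-specific OIDs this table does not know
    if "EV" in levels:
        return "EV"
    return levels.pop() if len(levels) == 1 else "unknown"


def key_strength_ok(cert):
    """The 'good encryption' check from tip 3: modern key size and a SHA-2 signature."""
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        key_ok = pub.key_size >= 2048
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        key_ok = pub.curve.key_size >= 256
    else:
        key_ok = False
    sig_ok = isinstance(cert.signature_hash_algorithm, (hashes.SHA256, hashes.SHA384, hashes.SHA512))
    return key_ok and sig_ok


def summarize(cert):
    """What a browser can show the user: names covered, verified organization (if any), level."""
    san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    orgs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    return {
        "hostnames": san.get_values_for_type(x509.DNSName),
        "organization": orgs[0].value if orgs else None,
        "level": validation_level(cert),
        "strong_crypto": key_strength_ok(cert),
    }


if __name__ == "__main__":
    for label, cert in [
        ("DV", make_cert("www.example.com", "2.23.140.1.2.1")),
        ("OV", make_cert("www.example.com", "2.23.140.1.2.2", org="Example Corp")),
        ("EV", make_cert("www.example.com", "2.23.140.1.1", org="Example Corp")),
        ("weak", make_cert("www.example.com", "2.23.140.1.2.1", rsa_bits=1024)),
    ]:
        print(label, summarize(cert))
```

Note that `validation_level` only reads what the certificate claims; whether that claim is worth anything depends on the certificate chaining to a CA the browser trusts, which the self-signed examples here deliberately do not.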

(Image: PayPal's site shown in a web browser's address bar)

Important note: Google Chrome has already stopped showing the green "Secure" label next to the padlock (Chrome 69, September 2018) and intends to phase out the padlock for HTTPS sites altogether; starting with Chrome 70 in October 2018 it instead marks plain HTTP pages as "Not secure" when you type into them. Browsers have since gone further: Chrome 77 and Firefox 70 (both 2019) stopped displaying the EV owner name in the address bar, so the green name can no longer be relied on as a signal and the organization must be looked up in the certificate details.

How Can This Help Keep Me And My Organization Safe At Work?


Here are three tips:

  1. Virtually all sites today use TLS, so the padlock will be shown. This includes phishing and other malicious sites, because a DV certificate only proves control of the domain the phisher registered. So, especially if the site does not use an EV certificate (with the owner's name shown), check the whole site name. Some phishers use names such as
    trustedsite.com.evilsite.com
    You may not see all of the hostname in a narrow address bar, and so you might think that you are on trustedsite.com when you are actually on a host under evilsite.com. The part that matters is the end of the hostname, just before the first slash. Always check the whole name, and check the whole name of any link you are about to follow before following it.
  2. Never send confidential information such as credit card, purchase order, or financial information to a site that does not have an EV certificate; where the browser no longer shows EV status in the address bar, open the certificate details and confirm the organization name.
  3. Make sure your organization's own sites use certificates with strong keys and signature algorithms (for example 2048-bit RSA or P-256 ECDSA keys, signed with SHA-256) and a modern TLS configuration; current browsers reject or flag certificates with weak keys or SHA-1 signatures. The post linked above about encryption has some good advice.
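Tip 1 comes down to reading the hostname from the end rather than the beginning. As an added example that is not part of the original post, the helper below does what a careful reader should: it extracts the hostname from a URL, ignores any `user@` prefix, port or path, takes the registrable domain from the end of the name, and compares it to an allow list, while also refusing plain http links and flagging internationalized (`xn--`) labels that can imitate a familiar name. Every URL and domain in it is a constructed example, and it assumes a one-label public suffix such as .com.

```python
"""Check the whole hostname of a link before trusting it.

Added example (not from the original post). URLs and domains are constructed.
"""
from urllib.parse import urlsplit

# Assumption for this example: a one-label public suffix such as .com. Suffixes
# like .co.uk need the Public Suffix List (https://publicsuffix.org) to get right.
SUFFIX_LABELS = 1


def registrable_domain(hostname):
    """'login.trustedsite.com' -> 'trustedsite.com'; 'trustedsite.com.evilsite.com' -> 'evilsite.com'."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-(SUFFIX_LABELS + 1):])


def check_link(url, trusted_domains):
    """Return (ok, reason). ok is True only for an https URL whose registrable domain is trusted."""
    parts = urlsplit(url)
    host = parts.hostname  # drops user:pass@, port and path, and lower-cases the name
    if parts.scheme != "https":
        return False, f"not https ({parts.scheme or 'no scheme'})"
    if not host:
        return False, "no hostname"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalized label in {host}; it may imitate a Latin-script name"
    domain = registrable_domain(host)
    if domain not in {d.lower() for d in trusted_domains}:
        return False, f"{host} belongs to {domain}, which is not a trusted domain"
    return True, f"{host} is under {domain}"


if __name__ == "__main__":
    trusted = ["trustedsite.com"]
    for url in [
        "https://www.trustedsite.com/login",
        "https://trustedsite.com.evilsite.com/login",  # the post's example
        "https://trustedsite.com@evilsite.com/login",  # userinfo trick: the host is evilsite.com
        "http://www.trustedsite.com/login",            # right name, no TLS
        "https://xn--trustedsite-8db.com/login",       # constructed IDN label, flagged by prefix
    ]:
        print(check_link(url, trusted), "<-", url)
```

The `user@host` case is worth noticing: `urlsplit` correctly reports `evilsite.com` as the host, which is exactly why looking at the start of the address is not enough.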
