SSL and TLS protocols are the most commonly used protocols on the Internet – and it is thanks to them that we can surf the Internet safely. They are also the ones who turn the “http” in our address bar into “https“. After we dealt with the basics of TLS and SSL in the first part of this series, we want to focus on TLS certificates in this part.
TLS Certificates – Basics
As already discussed, the TLS/SSL protocol serves among other things to ensure the authenticity of the connection. This means that the web browser of a user can be sure that he really talks to a web page when he calls it. Certificates are used for this verification when establishing a connection. This can be imagined as an identity card which the website shows before visiting to identify itself to the browser.
This serves to ensure that no attacker can impersonate Sparkasse-gelsenkirchen.de, as no one except www.sparkasse-gelsenkirchen.de is issued a valid certificate. Like every identity card, every TLS certificate is issued by a higher authority. This means that we do not have to trust the issuing “authority” to issue a second certificate for www.sparkasse-gelsenkirchen.de..
TLS certificates – trust is the cornerstone
A certificate now consists not only of a single certificate but of a chain. This is called the Certificate Chain. In the graphic shown here you can see the certificate chain of the certificate for www.sparkasse-gelsenkirchen.de. This TLS certificate was signed by the certification authority DigiCert with its “DigiCert SHA2 Extended Validation Server CA” certificate. This is called an Intermediate or Intermediate Certificate. Since two elements do not constitute a chain yet, this Intermediate Certificate can also be issued by other Intermediate Certificates, even if this is rarely the case. However, the end of the chain always represents a root or root certificate. These are the basis of trust on the web, as they are stored in all our web browsers.
When we reinstall our web browsers, they trust a lot of different certificate issuers, including the aforementioned DigiCert. Only a small part of these exhibitors are government organizations, most of them are companies. In the graphic below we can see a short excerpt of the exhibitors that the Firefox web browser trusts.
TLS certificates – trust is good, control is better
It must be clearly stated that the security of the TLS and SSL protocols is fundamentally based on the root certificates and exhibitors stored in the web browser. Should they be hacked or decide to abuse their power and impersonate themselves as Google or Sparkasse Gelsenkirchen they would be able to do so.
This problem has been known for quite some time and a lot is being done about it. So a user can delete exhibitors which he does not trust manually from the list illustrated above. Even if we would recommend this only to very technically versed readers. Another project which is supposed to reveal the misuse of certificates are the Certificate Transparency Logs which are significantly developed and promoted by Google. These logs record all issued certificates and thus report any misuse.
The history of TLS and SSL
In the next part of this series we want to look at the origin of the first web encryption in the NetScape browser, SSL version 1. There are some interesting stories to tell about this never-before-seen protocol. So in order to stay up to date, it’s best to follow us at Twitter,
Sevencast – der IT-Security Podcast
Von unterwegs, im Büro oder zu Hause hören und auf dem aktuellen Stand bleiben!