SSL Certificates: Safety, Nuisance or Both?
Dec 15, 2009 4:00 AM PT
When stumbling around the Web in search of a new toaster or a great deal on a new pair of sneakers, it's not unusual for consumers to come across ominous policy dialogs warning of mismatched or expired SSL certificates. In fact, recent surveys have shown nearly 20 percent, or even more, of popular Web sites may have certificate problems that would lead to errors.
Many users ignore the often-confusing warnings entirely, research shows, trusting that a Web site's professional look or other factors mean it's the real deal. Others run scared, costing companies opportunities for exposure or sales.
So what do SSL certificates, and the "verified" icons common to many e-commerce sites, really mean? Can they be trusted? Is the risk from sites that don't have certificates really as great as some vendors might have users and their corporate clients believe?
Explaining the Technology
SSL, or secure sockets layer, allows for the secure transmission of information over the Internet. It encrypts information between client and server so that it can't be intercepted along the way.
SSL certificates are small pieces of text that reside on servers, waiting for clients to come along asking to validate the identity of the machine to which they're trying to connect, Tim Callan, vice president of marketing at Verisign, one of the leading certificate issuers, told the E-Commerce Times.
Higher-level certificates, known as "root certificates," vouch for properly formatted certificates, allowing for the establishment of a secure connection that's symbolized on most browsers with a padlock icon and a browser address that starts with "https" instead of the more common "http" prefix.
New Browser Features
The newest feature, unveiled within a last few years on major browsers, is an address bar that turns green when users visit a properly authenticated Web site that has gone through an extended validation process.
The extended validation system was dreamed up by certifying companies and the browser industry in response to concerns that bargain-basement certificate issuers had watered down the traditional padlock's brand by issuing certificates with little effort at authenticating that domain owners were who they said they were. More traditional certificates cause the bar to turn blue.
Finally, most Web sites that use SSL certificates also feature a "verified" symbol on the page itself that leads the user who clicks on it back to details about the site's certificate.
Mileage May Vary
How well those symbols work to protect users depends on the kind of certificate and even the issuer.
Some certificates, known as "domain validated certificates," simply verify domain ownership -- not identity. They involve no background checks and can be obtained, literally in minutes. Still, sites with such credentials still display the familiar padlock icon users have been trained to watch for.
The more recent extended validation system requires that businesses seeking what is now the highest level of authentication be listed on government records, that they have a physical address, that they control the domain they're trying to get a certificate for, and that the individual applying for a certificate is an employee of the business and is authorized to obtain a certificate for the company.
The standards are set by the CA/Browser Forum, an industry group that formed in 2005 to beef up certificate-issuing standards and strengthen consumer trust in Internet commerce.
Such authentication largely uses third-party data sources -- no self-reported data -- as well as direct contact with the company, said Verisign's Callan.
These types of procedures have been used more than 4 million times with no known example of one being incorrect, he said.
Still, that doesn't mean there aren't potential problems with the system.
One problem is with the verification logos many companies place on their Web sites seeking to reassure consumers they are properly certified. When clicked on, those seals typically refer back to a Web page at the certificate issuer's site displaying details about the certificate.
Many users may not know they should click on the seals, Callan said, which are easily faked for placement on illegitimate Web sites that may be seeking to defraud users.
Verisign uses a Web crawler that fully traverses the Internet each month and reports all suspected cases of misuse of the company's seal. A team reviews each instance and winds up discarding 98 percent of the matches, Callan said. Those that are using the seal improperly are first asked to remove it and may later be subject to legal action.
"We take that very seriously," he said.
Another problem is that certificate issuers can't make judgments about whether a company requesting a certificate is an honest one, or one that intends to take personal information and financial data and do ill with it, Rob King, senior security researcher for DVLabs, told the E-Commerce Times.
"The problem is that if I say I am Evil Inc. and I am, in fact, Evil Inc., it's not their job to do a value judgment on whether I am good. They're just there to determine if I am Evil Inc," he said.
Users in the Dark
Finally, users don't always do what they are supposed to do.
Despite research from Verisign showing some 60 percent of consumers know what the padlock and "https" prefix mean, a 2008 study at Carnegie Mellon University found that as many as 63 percent of test subjects couldn't properly identify the threat from certificate problems, including some who felt they were not at risk because they used Macintosh or Linux computers.
As many as 71 percent of those who understood the risks said they ignored expired certificates, while as many as 43 percent ignored certificates from unknown issuers, and as many as 19 percent ignored domain mismatch warnings.
Much of the fuss over this statem of affairs may be for naught, according to Serge Egelman, a postdoctoral researcher at Brown University who has extensively studied SSL policies, brower warnings and user behavior and worked on the Carnegie Mellon study while working toward his doctorate.
"There really isn't much risk if you look at this rationally," he said.
Because consumers pay so little attention to browser security and certificate mismatch warnings, bad apples don't need to go to the trouble of trying to set up fake or misleading certificates to trick people into giving up personal details, noted Egelman.
Modern browser technologies do make it harder than ever before for users to unwittingly fall into a trap set by a bad actor attempting to lure consumers into providing sensitive personal information they otherwise wouldn't give up.
What to Do?
However, the confusing warnings and complicated steps necessary to click through warning dialogs on some browsers, such as Google's Chrome and the latest version of Mozilla Firefox, can make it difficult for users to get to even benign Web sites with minor discrepancies where the risk of compromise is minimal, according to Egelman.
A larger problem, he said, may be that users have become accustomed to simply clicking through certificate warnings to get to where they want to go, leading to the prospect that they won't recognize legitimately problematic issues and hold back on giving up sensitive details until they're sure of what they're dealing with.
Users aren't to blame for that, Egelman said. "They're being asked to make these judgment calls that they are absolutely unqualified to make."
Researchers are looking into solutions, including making warnings more understandable and using predictive systems that can determine when a certificate problem is truly a threat -- not merely a nuisance -- and guide them silently over the bump without their input.
For now, however, the same old advice that's always applied to the Internet still applies today: Have fun, but be careful out there.