Let’s Encrypt are right: HTTPS does not mean a site can be trusted

Preface: Let’s Encrypt is a project that aims to make SSL certificates free and easily available for anyone and everyone. Their aim is to create a more secure internet. Read all about them on their site here. Also for this article to make sense you’ll need to understand two of the types of certificates available. Domain Validation and Extended Validation. Domain Validation certificates merely make sure your connection to a website is encrypted. Extended Validation certificates are used by companies to prove to the user that you’re talking to a legitimate business as well as that your connection to the server is encrypted.

Let’s Encrypt were recently in the news as a certificate issued by them was used by a malvertising website. Despite being made aware of this, they refused to revoke the cert. Most (if not all) other Certificate Authorities would revoke any certificate that’s used maliciously in order to prevent users being misled into thinking that they’re using a legitimate website because it uses HTTPS.

If a website owner wants to prove to their visitors that they’re trustworthy, they can purchase an Extended Validation (EV) certificate. This type of certificate requires (as the name suggests) extended validation checks to be done against the person/people requesting the certificate. This proves that the organisation behind the website is valid, Domain Validation (DV) certificates do not.

Non-Extended Validation certificates typically just show a padlock to indicate the connection is secure

Domain Validation certificates typically just show a padlock to indicate the connection is secure

Extended Validation certificates tend to fill the URL bar in green and indicate that the website belongs to that of a valid entity in the case of Google Chrome, the organisation that the certificate belongs to is put into the URL bar.

Extended Validation certificates tend to fill the URL bar in green and indicate that the website belongs to that of a valid entity in the case of Google Chrome, the organisation that the certificate belongs to is put into the URL bar.

Let’s Encrypt’s argument for not revoking the certificate in question is that DV certificates should not be proof that the website or the website’s creators have good intentions. They argue that certificate authorities (CAs) are not the best people to be content watchdogs. They merely provide a method of validating that the connection between a computer and the server is secure. DV SSL certificates merely prove that your connection to the web server is encrypted and nothing else. People have been told for years to blindly trust websites merely because they have a valid SSL certificate and this is flat out wrong.

Imagine that someone you’ve never met before sent you a box with a padlock on it, they had a key and you had a key. You were then instructed to put your passport, credit cards, and bank statements into said box and post it back to them. It’s okay though because the box is locked, yes? You’re probably rightly thinking “of course it’s not okay to do that!” because it’s not. This, however, is essentially what people are doing when they trust a website because the connection between you and the website itself is encrypted rather than because you know who the person behind the website is.

You wouldn’t fall for the above analogy so why is it different on the internet? We as techies need to stop over-simplifying HTTPS to non-technically minded people. Instead of saying “that little padlock means you’re safe and you never need to worry” perhaps we should be saying “use your common sense, if you feel uneasy then close the tab and move on”.

Posted in Security and tagged , , .

Leave a Reply

Your email address will not be published. Required fields are marked *