State-run SSL certificate authorities make Congress nervous about web security

SSL certificates issued by state-run agencies could be influenced or abused by political motivations.

Congress is losing sleep over the possibility other nations could endanger web security, and now it wants the four major browser makers to weigh in. The House of Representatives' Committee on Energy and Commerce recently sent letters to Apple, Google, Microsoft, and Mozilla with questions about how the backbone of HTTPS security could be violated.

The concern is whether a government-owned SSL certificate authority (CA) could start issuing phony security certificates that look legitimate to browsers. Those certificates could then be used to harvest login details from social networks, corporate networks, and email accounts.

Although the system is generally trustworthy, there are many examples of it being compromised, most famously in 2011, when the certificate authority (CA) DigiNotar was hacked and attackers generated hundreds of fraudulent certificates for popular sites such as Google, Skype, and Yahoo.

There are numerous government-owned CAs across the globe, including in China, France, Spain, and Turkey.

Why this matters: Most users are not even aware they exist, but SSL certificates working behind the scenes are a fundamental part of the web's security model. It's not clear whether Congress could rein in the global mess that is the SSL certificate system or whether this is something best left to browser makers or the CAs themselves. Nevertheless, it's fascinating and a little bit shocking that lawmakers are even wading into such an esoteric part of web security.

SSL certificates in brief

When users sign in to a secure site like Gmail, Facebook, or a bank, their browser typically displays a green lock icon in the address bar followed by https:// and then the site's URL. That green lock appears because of the SSL certificate system working behind the scenes.

There are a number of companies around the world known as certificate authorities that are trusted to issue these legitimate SSL certificates. A website owner has to purchase a cryptographically signed SSL certificate from one of these CAs. Browsers then have a list of the CAs they are willing to trust to ensure a user is connecting to the website they think they are.

If the certificate is legitimate, then the browser will allow the user to interact with the site as they normally would. If, however, the SSL certificate for that site isn't the real deal, the browser will display a warning or block the user from accessing the site entirely.

Basically, HTTPS security hinges on trusting the CAs, which also means CAs have a lot of potential for abuse.

The risks of state-run certificate agencies

What has American lawmakers worried is that a government-owned CA could start issuing fraudulent certificates for sensitive sites like email or social networking. "A government-owned CA...may issue certificates for email providers or social media sites in order to seek out political dissent," Congress' letter said.

Hackers could then use those fake certificates to create a man-in-the-middle (MITM) attack where users think they are connecting to Google or Bank of America but are actually handing their login details over to state-sponsored hackers.

Modern browsers have methods to detect potential MITM problems even with legitimate SSL certificates, but there's still a chance some users may be fooled and have their security compromised.

To defend against this possibility, Congress is asking the major browser makers whether government-owned CAs should be restricted in the kinds of certificates they issue. Instead of being allowed to issue a certificate for any site on the web, a government CA would only be allowed to issue certificates for its specific government domain. France, for example, could only issue SSL certificates for its own government domain, the French equivalent of ".gov" for American government sites.

Then if a browser saw a certificate for Twitter coming from a French government-owned CA, the browser could automatically reject that certificate as fraudulent.
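To make the proposed restriction concrete, here is an added example (not from the article, and not code from any browser vendor) of the kind of check a browser could run: each CA carries a list of permitted domain suffixes, and a certificate is flagged if any of its names fall outside them. All domain and CA names below are constructed placeholders, and the certificate objects are simplified stand-ins rather than real X.509 parsing.

```python
from dataclasses import dataclass


@dataclass
class Certificate:
    """Constructed stand-in for the two fields this check needs."""
    issuer: str
    dns_names: list  # subjectAltName DNS entries


@dataclass
class IssuingCA:
    """Constructed stand-in for a trusted root and its issuance scope."""
    name: str
    permitted_dns: list  # empty list = unconstrained (today's default for most roots)


def dns_name_permitted(name: str, constraint: str) -> bool:
    """Domain-suffix matching in the spirit of RFC 5280 name constraints:
    'gov.example' permits 'gov.example' and any subdomain, but NOT
    'evilgov.example' (the match must fall on a label boundary).
    A leading dot on the constraint is tolerated and treated the same
    (a simplification of the RFC's legacy form); matching is case-insensitive."""
    name = name.lower().rstrip(".")
    constraint = constraint.lower().strip(".")
    if name.startswith("*."):  # wildcard leaf name: judge its base domain
        name = name[2:]
    return name == constraint or name.endswith("." + constraint)


def check_issuance(cert: Certificate, ca: IssuingCA) -> list:
    """Return the DNS names the CA is not entitled to certify.
    An empty list means the certificate is within the CA's scope;
    a browser applying this policy would reject on any non-empty result."""
    if not ca.permitted_dns:
        return []
    return [n for n in cert.dns_names
            if not any(dns_name_permitted(n, c) for c in ca.permitted_dns)]


if __name__ == "__main__":
    # Constructed scenario: a government root scoped to "gov.example"
    gov_root = IssuingCA("Constructed Government Root", ["gov.example"])
    ok = Certificate(gov_root.name, ["tax.gov.example", "*.portal.gov.example"])
    rogue = Certificate(gov_root.name, ["twitter.com", "evilgov.example"])
    print("in scope, rejected names:", check_issuance(ok, gov_root))
    print("rogue, rejected names:", check_issuance(rogue, gov_root))
```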

Although Congress doesn't come out and say it, U.S. lawmakers are likely worried that nations like China, Iran, and Russia may try to carry out these kinds of attacks in their respective countries, as well as against U.S. interests.

Experts debate the consequences

While Congress ponders the problems with SSL certificates, security experts have also been debating the effectiveness of placing restrictions on CAs, including privately owned certificate issuers. "This is an idea that people have discussed for a long time," said Matthew D. Green, a cryptographer and research professor at Johns Hopkins University. "If it was implemented correctly it would certainly help to protect against some of the really, really bad compromises we've seen."

Kenneth White, security researcher and co-director of the Open Crypto Audit Project, isn't as convinced that a scheme like this could work. Nevertheless, he says, something needs to change. "The public CA trust system is already fundamentally broken according to many of us in the security world," White said. "I'm not sure if regulation is the right way versus the trust organizations themselves doing some sort of policing."

Currently, when fraudulent certificates start appearing online they are invalidated relatively quickly by all the major browser makers--though not always. In extreme cases, like the DigiNotar hack, all certificates from that CA are blacklisted and the company may go out of business.

Although effective, the problem with blacklisting is that a fraudulent SSL certificate can still be in use for some time before anyone notices. Plus, says Green, browser makers are generally hesitant to blacklist an entire CA since it will break numerous websites around the world that people use every day.

Congress also isn't convinced that blacklisting would stop rogue certificates from being issued by a government-run CA. Hence the idea of restricting the type of legitimate certificates that a CA can issue.

The browser makers have until Tuesday, June 23 to respond to Congress' letter. We'll have to see what the browser makers say in the coming weeks and whether Congress will (or even can) act on its concerns.


Stories by Ian Paul
