CA Trust: Risks & Checks

TL;DR

Certificate Authorities (CAs) are essential for secure websites, but they aren’t perfect. Mistakes happen, and CAs can be compromised. You can’t completely trust a CA, but you can take steps to reduce your risk by checking certificates, using Certificate Transparency logs, and employing robust security practices.

Understanding the Role of Certificate Authorities

Certificate Authorities (CAs) issue digital certificates that verify a website’s identity. When you connect to a secure website (HTTPS), your browser checks this certificate to ensure it’s legitimate. This process relies on trust – you’re trusting the CA to have properly verified the website owner before issuing the certificate.

Why You Can’t Completely Trust CAs

  1. Human Error: CAs are run by people, and people make mistakes. A certificate might be issued to the wrong person or for an incorrect domain.
  2. Compromised CAs: If a CA’s systems are hacked, attackers could issue fraudulent certificates allowing them to impersonate websites.
  3. Mis-issuance: Sometimes a CA fails to follow its procedures correctly and issues a certificate without proper validation.
  4. Rogue Insiders: A malicious employee at a CA could intentionally issue unauthorized certificates.

Steps to Improve Your Trust & Security

  1. Check the Certificate Details: Before entering sensitive information on a website, always check the certificate details in your browser.
    • Click the padlock icon in your browser’s address bar.
    • Look for “Issued to” – does it match the website you expect?
    • Check the “Valid from” and “Valid to” dates – is the certificate current?
    • Examine the “Issuer” – is it a well-known, trusted CA?
  2. Use Certificate Transparency (CT) Logs: CT logs are publicly available records of all certificates issued by CAs. They help detect mis-issued certificates.
    • Most modern browsers automatically check CT logs. You usually don’t need to do anything directly, but you can use online tools to verify a certificate’s presence in CT logs (see ‘Resources’ below).
  3. HSTS (HTTP Strict Transport Security): HSTS forces your browser to always connect to a website using HTTPS. It helps prevent man-in-the-middle attacks.
    • Websites enable HSTS by sending a specific header in their responses. Your browser remembers this setting and automatically redirects HTTP requests to HTTPS.
  4. Public Key Pinning: This is an advanced technique where you explicitly tell your browser which certificates or CAs it should trust for a particular website.
    • This adds another layer of security, but can be complex to implement and maintain.
  5. Stay Updated: Keep your browser and operating system up-to-date. Updates often include security fixes that address vulnerabilities related to certificate validation.
  6. Be Wary of Unusual Warnings: Pay attention to any warnings your browser displays about certificates. Don’t ignore them!
    • If you see a warning like “Your connection is not private,” proceed with extreme caution.

Checking Certificate Information from the Command Line (Advanced)

You can use OpenSSL to inspect certificate details directly.

openssl s_client -connect example.com:443

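This command prints a lot of information, including the certificate chain and the validation status. Look for errors or inconsistencies in the output, in particular the “Verify return code” line: 0 (ok) means the chain validated against your local trust store, and any other value is a validation error.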
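
The manual checks from step 1 (“Issued to”, “Valid to”, “Issuer”) can also be scripted against a saved certificate file. The following is an added example, not part of the original article; it assumes OpenSSL 1.1.1 or later on the PATH, and the function names and the host names shop.example.test and bank.example.test are made up for illustration.

```shell
# check_cert PEM HOST [MIN_DAYS]: returns 0 only if the certificate names HOST
# and stays valid for MIN_DAYS more days (default 14); prints what it found.
check_cert() {
    pem=$1; host=$2; min_days=${3:-14}; rc=0
    # The same fields the browser dialog shows: Issued to, Issuer, Valid from/to.
    openssl x509 -in "$pem" -noout -subject -issuer -dates || return 2
    # "Issued to": -checkhost applies hostname matching to the SAN/CN entries.
    if openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "OK   certificate covers $host"
    else
        echo "FAIL certificate is not issued to $host"; rc=1
    fi
    # "Valid to": -checkend exits non-zero if expiry falls within N seconds.
    if openssl x509 -in "$pem" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "OK   valid for at least $min_days more days"
    else
        echo "FAIL expired, or expires within $min_days days"; rc=1
    fi
    # "Issuer": equal subject and issuer hashes mean no CA vouched for this cert.
    subj=$(openssl x509 -in "$pem" -noout -subject_hash)
    iss=$(openssl x509 -in "$pem" -noout -issuer_hash)
    [ "$subj" != "$iss" ] || echo "WARN self-signed: issuer equals subject"
    return $rc
}

# Constructed sample: a 30-day self-signed certificate for the hypothetical
# host shop.example.test, generated locally so the example runs offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=shop.example.test" \
        -addext "subjectAltName=DNS:shop.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir"
check_cert "$demo_dir/cert.pem" shop.example.test || echo "=> reject"
check_cert "$demo_dir/cert.pem" bank.example.test || echo "=> reject"
rm -rf "$demo_dir"
```

To run the same checks on a live site, first save its certificate to a file, for example by piping the s_client output above into openssl x509 -out cert.pem.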

Resources
