Easy guide to certificate authorities

The internet has revolutionized every aspect of modern society, from business to communication to entertainment. High-speed internet access worldwide means finding the information we want is easier than ever before. But these perks come with some downsides, too.

Security issues arise when data is exchanged over the internet. The world wide web relies on trustworthy entities to keep everyone's data safe. All major web browsers, like Google Chrome and Firefox, use SSL certificates to safeguard any data sent from web servers and maintain the trust of people surfing the internet.

Certificates like SSL certificate underpin online security and privacy during our online communications. Data pinged across the internet is kept safe through encryption. Encryption scrambles the data into something completely meaningless to anyone except the intended recipient (the only party with a secret key to access the data).

You might have thought that SSL if just for e-commerce sites to protect payments. That’s no longer the case. SSL certificates are invaluable for every website - because all websites have something of value for hackers: their reputation.

Internet users today are savvy customers, recognizing when a site uses SSL. This digital certificate increases trust in a company’s website, and ultimately of the company itself. Reputation proves a compelling argument for setting up a secure site. Whether you collect data or accept payments, authentication, confidentiality, and integrity are indispensable in all cases.

Certificate authorities (CA) are entities responsible for issuing digital certificates like SSL to websites. In layman's terms, a digital certificate is an electronic password that allows exchange data securely over the web using the public key infrastructure (PKA) - which we’ll come to.

How digital certificates are issued

After an SSL certificate is ordered, the certificate authority goes about verifying the identity of the applicant. The extent of their checks depends on the level of validation required. The two most common types of validation include Organisation Validation (OV) and Domain Validation (DV).

Company validation verifies that the organization requesting a certificate is, in fact, the organization to which the certificate is being issued. The aim of domain validation is to ensure that the individual requesting a certificate has the authority to request a certificate for the domain in question.

What do they check for?

For a basic Domain Validation certificate, a certificate authority checks ownership over the domain, and if the applicant passes their checks, a certificate is issued. Organization Validation involves more stringent checks. The CA will vet the organization applying though business registration records and credit reports. These extensive checks can take up to five days. Once the CA is satisfied, the certificate is issued.

It’s then up to web browsers and devices to verify the validity of a given certificate. Something called a ‘root’ certificate is at the center of this trust model. Once a root certificate is issued by a trusted CA a web browser accepts it into its root store – this is simply a database of approved CAs that come pre-installed with a browser or device. Most operating systems operate a root store including Apple, Windows, Mozilla Firefox and so on.

Who monitors certificate authorities

The certificate authority system has one obvious flaw. It’s assumed that CA themselves are trustworthy. While this might be the case, CA’s aren’t running unregulated. They operate within a framework of rules and require third-party qualified audits through WebTrust or ETSIand to be sure they are being adhered to. They are vetted for activities which might undermine trust in their operations. Anyone operating outside of the protocols will face negative consequences.

There are two sets of rules governing CAs. First are the browsers and applications that use of SSL digital certificates. Additionally, the browsers and certificate authorities jointly set rules through guidelines and requirements. These additional rules are approved by the CA/Browser Forum, and set the standard for public certificate authorities worldwide.

Recent developments

Trust in SSL has taken a hit in recent years. Cybercriminals have increasingly targeted internet users by finding ways to issue their own certificates. As it stands, the system isn’t perfect. There have been some high-profile examples of CA’s issuing unauthorized certificates. In response, Google established a digital certificate logging system known a Certificate Transparency (CT). The new systems require that all certificate authorities log every digital certificate they issue. These logs keep tabs on digital certificate suppliers that go rogue.

The CT project helps protect Google Chrome users. Now, anyone browsing the net through Chrome happens to lands on a website with an ‘unlogged’ SSL certificate will receive a warning message that the site’s SSL certificate isn’t compliant with Google Chrome’s transparency policy and as such, might not be safe.

Certificate authorities and the future of internet security

Logging SSL certificates is just the start of Google’s plan for a safer internet. You might have read the headline “Google wants to kill the URL.” It’s a hot topic on the tech blog scene and could provide a unique opportunity for CAs going forward. To briefly summarize; Google wants to get rid of URLs in a bid to make the internet safer. The problem with URLs is that they aren’t universally understood, and hackers take advantage of this to commit cybercrime.

Google is looking to find a suitable replacement that can make browsing the internet more secure while also offering a solution for businesses to assert their identity in a way that is unmistakable to internet users.

Who can help with that? Certificate authorities. They already have the infrastructure to validate online entities and can put this to use affirming corporate and web identities. Anyone operating a business online would make ample use of the more trusted mechanism. One that confirms their authenticity to customers or users in a clearer, more visual manner.

While the big browsers have the financial resources to take on this task, building up the know-how and apparatus would take a lot of time. Authenticating identities is probably not something most of the browser community would want to take responsibility for. The most logical answer is to outsource the authentication process. Given their expertise, the CA industry seems like the most likely candidates to turn to.

You may also like

Need help? We're always here for you.

× Close