TLS certificates, because they enable encrypted communication between parties and verify identity, are increasingly relied upon by websites and internet-based applications.
With the incidence of cyberattacks on the rise in recent years, public key encryption will remain an indispensable tool for any person or company with data or operational processes they want to keep private.
The underlying formatting and communication protocol for computers exchanging content on the internet today is the Hypertext Transfer Protocol (HTTP). Its public key encryption scheme, known as Hypertext Transfer Protocol Secure (HTTPS), consists of having trusted certificate authorities issue special certificates to businesses, organizations or website owners; those certificates vouch for the domain names, identities and locations of those organizations and their machines.
With these certificates in hand, organizations can carry on secure and encrypted communications with their customers and clients. This encryption is done according to one of two protocols: an older one called the Secure Sockets Layer (SSL) and a newer and more secure one called Transport Layer Security (TLS).
As clever as this encryption and verification scheme is, it cannot absolutely guarantee security. Nothing can. The trouble is that, since hackers cannot crack the public key encryption that a TLS certificate provides, they have instead found a sneaky way around it.
Recent research sponsored by Venafi and undertaken by scholars at the University of Surrey and the Evidence-Based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University reveals that there is in fact a thriving market on the Dark Web for fake, stolen or compromised TLS certificates.
The Dark Web is that seedy underbelly of the internet, the part not indexed by search engines and that has evolved into a haven for all kinds of crime and illicit behavior.
Dark Web markets—most prominently, Dream Market, according to the study—not only sell illicit, often stolen, TLS certificates, but also often bundle them with complementary tools and services, like aged domain names and web design services meant to give a fraudulent website the appearance of legitimacy.
As the study also reveals, these fraudulent certificates are so popular that they outsell even ransomware and zero-day exploits as dark web “goods”. This means that hackers have found a way around the TLS encryption protocols and can use false TLS certificates to wreak tremendous havoc.
The lifeblood of the TLS protocol is public key encryption. Its fundamental principle is that, for two parties to communicate securely and be sure they are not being eavesdropped upon, each party first needs two things: a public key and a private key.
The sender of a message scrambles, or encrypts, it using the recipient's public key, which is available to anyone, and the recipient unscrambles the message using his private key, which only he holds.
Only that particular private key can decrypt a message encrypted with the matching public key. The original recipient can then reply to the original sender, encrypting the reply with the sender's public key so that only the original sender's private key can decrypt it.
Because modern public key encryption is based on mathematical problems that are difficult for computers to efficiently solve, wannabe hackers and snoopers will not be able to break the encryption without the required private keys.
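The two-way exchange described above, as an added example that is not from the original article. The article names no particular algorithm; this assumes RSA-OAEP from Go's standard library, and the party names and the order text are constructed for the example. A third party who captures both ciphertexts but holds neither private key is included to show that the public keys alone give an eavesdropper nothing.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party holds one participant's key pair. The public key is handed out
// freely; the private key never leaves the party that generated it.
type Party struct {
	Name string
	priv *rsa.PrivateKey
}

// NewParty generates a fresh 2048-bit RSA key pair for a participant.
func NewParty(name string) (*Party, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// PublicKey is the half of the key pair that may be published.
func (p *Party) PublicKey() *rsa.PublicKey { return &p.priv.PublicKey }

// Seal encrypts msg under the recipient's public key (RSA-OAEP with SHA-256)
// so that only the matching private key can recover it.
func Seal(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Open decrypts a sealed message with this party's private key. It fails
// when the message was sealed for a different public key.
func (p *Party) Open(sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, sealed, nil)
}

// ExchangeResult records whether each step of the exchange behaved as the
// text describes.
type ExchangeResult struct {
	ShopReadsOrder      bool // the shop's private key opens the customer's order
	CustomerReadsReply  bool // the customer's private key opens the shop's reply
	EavesdropperBlocked bool // a third key pair cannot open the order
}

// Exchange runs the two-way exchange: the customer seals an order for the
// shop, the shop seals a reply for the customer, and an eavesdropper who
// sees both ciphertexts but holds neither private key gets nothing.
func Exchange() (ExchangeResult, error) {
	var res ExchangeResult
	customer, err := NewParty("customer")
	if err != nil {
		return res, err
	}
	shop, err := NewParty("shop")
	if err != nil {
		return res, err
	}
	eavesdropper, err := NewParty("eavesdropper")
	if err != nil {
		return res, err
	}
	order := []byte("card ending 1234, ship to 1 Example Street") // constructed sample
	sealedOrder, err := Seal(shop.PublicKey(), order)
	if err != nil {
		return res, err
	}
	gotOrder, err := shop.Open(sealedOrder)
	if err != nil {
		return res, err
	}
	reply := []byte("order accepted")
	sealedReply, err := Seal(customer.PublicKey(), reply)
	if err != nil {
		return res, err
	}
	gotReply, err := customer.Open(sealedReply)
	if err != nil {
		return res, err
	}
	_, snoopErr := eavesdropper.Open(sealedOrder) // wrong private key: OAEP decryption fails
	res.ShopReadsOrder = bytes.Equal(gotOrder, order)
	res.CustomerReadsReply = bytes.Equal(gotReply, reply)
	res.EavesdropperBlocked = snoopErr != nil
	return res, nil
}

func main() {
	res, err := Exchange()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", res) // all three fields report true
}
```

Each message is sealed for its recipient's public key, never the sender's own, and the eavesdropper's failed decryption is the whole point of the scheme: capturing traffic and public keys is useless without the matching private key.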
One of the main things that a TLS certificate enables an organization to do is to encrypt the traffic sent from its servers to the computers of its customers in such a way that only its intended customers will be able to decrypt it. This is a crucial application of the Public Key Infrastructure to internet communications.
It is crucial that the information exchanged between businesses and their customers remain private and that no outside parties be able to intercept it. It may include things like credit card numbers, bank account numbers, names, addresses and Social Security numbers of clients, and potentially much more.
TLS certificates initiate this encrypted communication through a series of “handshakes” between an organization’s computers and those of its customers. Though secure already, this technology remains a work in progress, with recent refinements to the TLS protocol making it even more cryptographically secure.
Additionally, TLS certificates play a crucial role in verifying the identities of organizations and their computers, and there are several types of certificate that do this. The most coveted, and the one that fetches the highest price on the dark web because it is the hardest to acquire and conveys the most trust, is the extended validation (EV) TLS certificate.
Before issuance, this type of certificate requires a business to provide identifying information like a DUNS number and a letter from a CPA, both meant to demonstrate that the business is legitimate. Other information about the business may be requested: physical location, trade practices, and proof of ownership of a domain name.
Other types of TLS certificates, like organization validated (OV) and domain validated (DV) certificates, provide less trust but are still valued by criminals on the dark web.
The verification process is meant to validate a company's identity online, and the TLS certificate provides the proof.
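As an added example, not from the original article or the cited study: the check a TLS client performs on the certificate a server presents, using Go's crypto/x509. It constructs a trusted root, a rogue root the client has never heard of, and a server certificate for the same host name from each, then verifies against a trust store that holds only the genuine root. The CA names, the host names and the verdict strings are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// must aborts the example on an unexpected error from the crypto library.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// CA pairs a certificate with the private key that signs on its behalf.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// baseTemplate fills the fields every certificate in this example shares:
// a random serial, a subject name and a validity window around "now".
func baseTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// issue generates a fresh P-256 key for tmpl, has parent sign the certificate
// (nil parent means self-signed) and re-parses it so every field is populated.
func issue(tmpl *x509.Certificate, parent *CA) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &CA{Cert: must(x509.ParseCertificate(der)), key: key}
}

// NewRoot creates a self-signed root certificate (constructed for this example).
func NewRoot(name string) *CA {
	tmpl := baseTemplate(name)
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	return issue(tmpl, nil)
}

// IssueServer has the CA sign a server certificate valid for host.
func (c *CA) IssueServer(host string) *x509.Certificate {
	tmpl := baseTemplate(host)
	tmpl.DNSNames = []string{host}
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return issue(tmpl, c).Cert
}

// Verify is the check a TLS client applies to a presented certificate during
// the handshake: the chain must end at a root in the client's trust store and
// the certificate must be valid for the host name being visited. The outcome
// is reduced to a short verdict string.
func Verify(leaf *x509.Certificate, roots *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &unknownCA):
		return "untrusted issuer"
	case errors.As(err, &badHost):
		return "hostname mismatch"
	}
	return "invalid: " + err.Error()
}

// RunScenario builds a trusted root and a rogue one, issues a certificate for
// the same (constructed) host name from each, and verifies against a trust
// store that holds only the genuine root.
func RunScenario() map[string]string {
	trusted := NewRoot("Trusted Root CA (constructed)")
	rogue := NewRoot("Rogue CA (constructed)")
	genuine := trusted.IssueServer("shop.example")
	forged := rogue.IssueServer("shop.example")
	roots := x509.NewCertPool()
	roots.AddCert(trusted.Cert) // the client trusts the genuine root only
	return map[string]string{
		"genuine":    Verify(genuine, roots, "shop.example"),
		"forged":     Verify(forged, roots, "shop.example"),
		"wrong host": Verify(genuine, roots, "login.example"),
	}
}
```

Calling RunScenario() reports the genuine certificate as trusted, the forged one as coming from an untrusted issuer, and the genuine one presented for a different name as a hostname mismatch. The caveat that matters for the trade the study describes: a certificate that a trusted CA really did issue, whether obtained under false pretences or stolen together with its private key, passes this check unchanged, so chain verification alone does not detect it.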
If hackers can demonstrably acquire forged or stolen TLS certificates, it means that all of the above security measures that businesses take online can be completely undermined by bad actors. This is concerning for many reasons, including:
Though the internet has never been a haven for truth and safety, it seems that the unfurling TLS certificate scam will continue to worsen the problem. While there are no easy answers, there are additional measures you can take to avoid being fooled by a site guarded by a fake certificate.
The public key encryption meant to safeguard traffic between businesses and their clients online, though ingenious, has been circumvented by hackers. The TLS certificates intended to secure communication and verify the identities of businesses can now be used to do the very opposite—shield the bad guys.
With the prospect of running into false TLS certificates as you cruise around the internet a very real risk, should you continue to rely on a certificate as a mechanism to keep your information private? As former President Ronald Reagan liked to say (on a completely different topic), “Trust, but verify.” That's what we advise too.