TLS certificates, thanks to their ability to enable encrypted communication between different parties and verify identify, are increasingly relied upon by websites and internet-based applications.
With the incidence of cyberattacks on the rise in recent years, public key encryption will remain an indispensable tool for any person or company with data or operational processes they want to keep private.
Encrypting the internet
The underlying formatting and communication protocol for all computers connected to the internet today is known as the Hypertext Transfer Protocol (HTTP). HTTP’s public key encryption scheme—known as Hypertext Transfer Protocol Secure, or HTTPS—consists of having trusted authorities issue special certificates to certain businesses, organizations or website owners which verify the domain names, identities and locations of those organizations and their machines.
With these certificates in hand, organizations can carry on secure and encrypted communications with their customers and clients. This encryption is done according to one of two protocols: an older one called the Secure Sockets Layer (SSL) and a newer and more secure one called Transport Layer Security (TLS).
The Dark Web enters the game
As clever as this encryption and verification scheme is, however, it cannot absolutely guarantee security. Nothing can. The trouble on this horizon is that, since hackers cannot crack the public key encryption provided by a TLS certificate, they have instead resorted to a sneaky way to get around it.
Recent research sponsored by Venafi and undertaken by scholars at the University of Surrey and the Evidence-Based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University reveals that there is in fact a thriving market on the Dark Web for fake, stolen or compromised TLS certificates.
The Dark Web is that seedy underbelly of the internet, the part not indexed by search engines and that has evolved into a haven for all kinds of crime and illicit behavior.
Dark Web markets—most prominently, Dream Market, according to the study—not only sell illicit, often stolen, TLS certificates, but also often bundle them with complementary tools and services, like aged domain names and web design services meant to give a fraudulent website the appearance of legitimacy.
As the study also reveals, so popular are these fraudulent certificates that they are even more popular “goods” than ransomware or zero day exploits. This means that hackers have found a way around TLS encryption protocols and can use false TLS certificates to wreak tremendous havoc.
The lifeblood of the TSL protocol lies in public key encryption. The fundamental principle of public key encryption is that for two parties to communicate securely and ensure that they are not being eavesdropped upon, they first each need two things:
A public key
A private key
The sender of a message must scramble or encrypt it using his public key—which is available to the public—and then have the recipient unscramble the message using his private key—which only the recipient has.
Only that particular private key will be able to decrypt the message encrypted by the original public key. The original recipient can then send a message back to the original sender and encrypt it with his own public key, which only the original sender’s private key can decrypt.
Because modern public key encryption is based on mathematical problems that are difficult for computers to efficiently solve, wannabe hackers and snoopers will not be able to break the encryption without the required private keys.
Encrypting web traffic
One of the main things that a TLS certificate enables an organization to do is to encrypt the traffic sent from its servers to the computers of its customers in such a way that only its intended customers will be able to decrypt it. This is a crucial application of the Public Key Infrastructure to internet communications.
It is crucial that the information exchanged between businesses and their customers remain private and that no outside parties be able to intercept it. It may include things like credit card numbers, bank account numbers, names, addresses and Social Security numbers of clients, and potentially much more.
TLS certificates initiate this encrypted communication through a series of “handshakes” between an organization’s computers and those of its customers. Though secure already, this technology remains a work in progress, with recent refinements to the TLS protocol making it even more cryptographically secure.
Additionally, TLS certificates play a crucial role in verifying the identities of various organizations and their computers. There are various types of TLS certificates that do this. The most coveted certificate—and the one that fetches the highest price on the dark web because it is the most difficult to acquire and communicates the most trust—is called the extended verification (EV) TLS certificate.
Before issuance, this type of certificate requires a business to provide identifying information like a DUNS number and a letter from a CPA, both meant to demonstrate that the business is legitimate. Other information about the business may be requested: physical location, trade practices, and proof of ownership of a domain name.
Other types of TLS certificates, like organization validated (OV) and domain validated (DV) certificates, provide less trust but are still valued by criminals on the dark web.
The verification process is meant to validate a company’s online identity online and the TLS certificate to provide the proof.
What hackers can do with forged TLS certificates
If hackers can demonstrably acquire forged or stolen TLS certificates, it means that all of the above security measures that businesses take online can be completely undermined by bad actors. This is concerning for many reasons, including:
Hackers can set up convincing-looking fake websites posing as legitimate businesses—even long-established legitimate businesses—and fool unsuspecting people into sending them their private information.
Because of the encryption accompanying the TLS protocol, when hackers fool people into visiting their fake websites, the traffic exchanged between them and their victims is encrypted, thus difficult to detect or stop.
TLS certificates are typically issued by organizations called Certificate Authorities (CA), which begs the question, are some CAs to blame for the convincing and effective false TLS certificates available on the Dark Web? It wouldn’t be the first time an entity with power abused it.
Though the internet has never been a haven for truth and safety, it seems that the unfurling TLS certificate scam will continue to worsen the problem. While there are no easy answers, there are additional measures to prevent yourself from being fooled by a site guarded by a fake certificate.
Type it in: A method so simple it’s often overlooked. If you’re going to a website where you intend to divulge personal information, type the address directly into the URL and hit “enter.” Then check the domain once you’ve arrived to make sure it is where you wanted to go and not a subtle variation. For example:
Encrypt the Encryption: More than one-quarter of internet users now access the internet through a virtual private network (VPN). Installing and resolving to only go online with one of the top VPN services adds another layer of encryption to your browsing activities. Like SSL and TLS, it’s not a perfect technology but will increase your online security and privacy.
What to take away from all of this
The public key encryption meant to safeguard traffic between businesses and their clients online, though ingenious, has been circumvented by hackers. The TLS certificates intended to secure communication and verify the identities of businesses can now be used to do the very opposite—shield the bad guys.
With the prospect of running into false TLS certificates as you cruise around the internet a very real risk, should you continue to rely on a certificate as a mechanism to keep your information private? As former President Ronald liked to say (on a completely different topic), “Trust but verify.” That’s what we advise too.