Logan Lembke //
Living in the information age is great, isn’t it? With just a visit to the internet you can learn what happened in London on September 2nd, 1666, what your friends are up to on the other side of the country, and even buy a new set of homemade fuzzy slippers with nothing but your credit card number, name, and address.
While you might not care who knows that you’re a bit of an English history buff or that you might have a slight Facebook addiction, you might just want to keep it a secret that you occasionally buy warm, comfy, adorable slippers from http://grandmasgiftshop.com. Even then, you definitely don’t want other people knowing your credit card information and other personal information.
Being the great IT expert you are, you quickly send an email to the owner of Grandma’s Gift Shop suggesting she enables https since you know TLS implements public key cryptography, keeping your purchases — and your slippers — secure.
Next thing you know, you receive an email from the owner informing you that she has her grandson enabling https right this very instant. ‘Awesome!,’ you think, and happily go about your day.
A week later, you visit the site and are promptly met with a notification that looks like this:
Complacently, but slightly irritated, you accept what you realize to be a self-signed certificate. Still, you go on about your business and order a pair of your favorite foot-warming slippers knowing your purchase was safely encrypted. After all, don’t you trust a grandma who spends her days making warm, comfy slippers?
A year later, you totally ruin your favorite slippers in the mud outside your house. Never fear, Grandma’s Gift Shop is still in business! You quickly decide you deserve an upgrade and happily buy a new pair of slippers.
What you don’t know is that some ne’er-do-well on the internet now knows everything about your order and has begun telling everyone what you bought! Even worse, they have your credit card information, name, and address!
Over the next week, you start to notice a few odd purchases on your credit card account, while your internet-addicted friends begin ridiculing your favorite footwear. Immediately, you cancel your card and own up to your slipper obsession.
You’ve been struck by a Man-in-the-Middle attack! Remember that self-signed certificate you accepted a year ago? Probably not. A hacker created a certificate that mimicked Grandma’s Gift Shop, jumped in the middle of your connection, and when your computer thought it was talking to the trusted server, it was really talking to the hacker’s computer. So, even though your communications were perfectly encrypted, the information was being decrypted by the hacker with ease.
This brings up two main questions:
- How do we prevent Man-in-the-Middle attacks with TLS?
- And, why are we so complacent with self-signed certificates?
The answer to the first question has been tackled time and time again, and you probably know the answer.
Say it with me: Don’t use self-signed certificates.
Signed certificates provide a mechanism for establishing a chain of trust. By placing trust in a few key certificates, and relying on their owners to correctly establish trust with others, you know you can trust the certificate at the end of the chain. But what allows for this chain of trust? Digital signatures.
Digital signatures establish one-way relationships between certificates, and best of all, hackers cannot imitate digital signatures without full access to the certificates which created them.
Thankfully there are a few options as far as obtaining signed certificates.
The first option is the traditional route: buying into a trusted certificate authority. These certificate authorities are trusted by default on most computers worldwide and work with you in order to set up your infrastructure. Trusted certificate authorities such as Digicert provide signatures for TLS certificates as long as you provide your name, address, organization name, web address, a few other pieces of information… and a boatload of money. Currently, Digicert charges $140/year for signed certificates. While any established organization can certainly swing this expense, and should certainly pay for the service, small businesses and Grandma’s Gift Shop are left to suffer.
Alternatively, get down with the free software hippie within you and visit letsencrypt.org. Let’s Encrypt provides free signed certificates that are trusted by almost all modern web browsers and operating systems. While the process needed to obtain certificates from Let’s Encrypt is technically complicated, it is well worth the work. Not only will you be able to establish secure, trusted connections with your customers, but you’ll also learn quite a bit about public key infrastructure (PKI) along the way.
When it comes to internal services, a few years ago I would have recommended setting up a self-signed root certificate for your small business or home network. From there, you could sign the certificates deployed on your servers. This setup offers protection from Man-in-the-Middle attacks so long as your would-be hacker could not access your internal root certificate. However, with the introduction of Let’s Encrypt, there is no reason to sign your own root certificate today.
Yet, there is one major exception when it comes to internal services. In order to obtain a signed certificate from Let’s Encrypt or most other certificate authorities, you must have an online web presence. (DNS plays a critical role in verifying your online identity).
While signed certificates are well within the grasp of most IT professionals, self-signed certificates continue to be used in offices across the world. But why? Largely two reasons: money and time. Now, with the recent advent of Let’s Encrypt, the list has shortened to time and time alone. As IT industry professionals, we owe it to ourselves, as well as our users, to set aside the time to learn about public key infrastructure and implement it securely across the board.
Yet, we should not only make an effort to learn about PKI, but we also need to continually teach newcomers about PKI as well. Now it’s time for you to do your part. Educate your co-workers, users, friends, and family. Take the time to email Grandma’s Gift Shop. Help educate them about public key infrastructure, set them up with a signed certificate, and build that chain of trust. Only then can you can safely order your warm, comfy – and secure – slippers.