The Hidden Infrastructure Behind Every Page

You search for a product on Google. You scroll for a little while before you find a link that seems like what you’re looking for. You click it, and are met with a warning telling you that your connection is not secure/private.

Sound familiar?

What’s Going on Here?

When most of us hear the words “digital identity,” we think of, well, our own digital identity: the pieces of information which identify us online. However, digital identity extends beyond individual people and into companies, organizations, and more.

This warning is an outward-facing peek into digital identity verification for websites—a crucial infrastructure which we unknowingly rely on every day.

Let’s Back Up

On the whole, we put a fair amount of trust into the internet: We enter our passwords; we use mobile banking; we even enter our credit card numbers and social security numbers directly into online forms. But, how do we know we can trust these websites (to the extent that we do), and how do we know that they really are who they say they are?

Unbeknownst to many of us, the internet has had a solution for this for a long time: digital certificates—specifically, secure sockets layer (SSL) certificates.

Source: PNG ALL

What is an SSL Certificate?

We’re glad you asked. An SSL certificate is a confirmation that a server (website) belongs to the person or entity which it claims to belong to, thus verifying a private and secure communication channel through which data can be transmitted.

An SSL certificate can’t be issued by just anybody (well, it could, but it wouldn’t mean much). There are trusted bodies called certificate authorities (CAs) which issue these certificates to websites, essentially verifying that they really are who they say they are, and keeping our information safe from hackers and attackers.

How Do SSL Certificates Keep Us Safe Online?

We’re about to get a little technical, so please bear with us.

Public Key Cryptography

It’s common practice for websites to encrypt data using public key cryptography.

Essentially, the “keys” in public key cryptography describe algorithms or transformations which take plaintext data (readable, plain-English data), and turn it into jumbles of seemingly-random characters, called ciphertext. This transformation is called encryption.

It’s impossible to get any meaning from the ciphertext—unless you can turn it back into plaintext, or decrypt it.

With public key cryptography, this decryption requires a second key, which when applied will turn the jumble of characters back into understandable pieces of information—plaintext. This process works both forwards and backwards, with data encrypted by the first key being decrypted by the second, and data encrypted by the second being decrypted by the first.

Source: SSL2BUY

One of these keys is the public key (hence the name, public key cryptography), and the other is the private key. The public key is available for the world to see, and the private key is private, known only by the server.

Back to the Certificates

When an SSL certificate is issued, it connects the server’s public key to their website, and lists it on the SSL certificate.

By clicking on the lock or info bubble on the left of the address bar, you can open up a window like this one that shows the server’s certificate and the CA is was issued by. This website’s certificate was issued by an intermediate authority (Sectigo RSA), which was verified by a trusted root authority (USERTrust RSA).

By clicking the “details” button, you can see more information about the certificate, including the server’s public key.

In order to begin sending encrypted data, your browser and the server establish a connection (and trust) by sending encrypted messages to each other, which of course each side has to decrypt.

So, without the right pair of keys—one public, and one private—this connection cannot be established and information cannot be sent by this channel.

Say an attacker wanted to get in as a middleman in this communication channel. A hacker could compromise the website such that between, say, a message being sent and the server receiving the encrypted data, they grab that data. Well, without the proper private key, that encrypted data they collect is useless—a meaningless jumble of characters.

Source: NordVPN

And, if they wanted to circumvent this issue by attaching a new pair of keys to the site, the SSL certificate would stand firmly in their way.

This is because the server’s public key is, again, attached to the certificate.

Then they could just forge a certificate, right?

Wrong. SSL certificates are verified by the certificate authority’s signature, which consists of the body of the certificate, encrypted using the CA’s private key. So, in order to confirm the validity of the certificate, your browser decrypts the signature using the CA’s public key to make sure that the result matches the original text of the certificate.

So, in order to get past all of these measures, a hacker would have to either (1) get their hands on the CA’s private key, or (2) manipulate the certificate from inside. In any case, they would have to hack the certificate authority.

Source: James Martin/CNET

This Has Happened Before

CA hacking is not only a concept—on multiple occasions, it’s become a headline.

In early 2011, a certificate authority called Comodo was hacked, and the hacker obtained nine fraudulent certificates, allowing them to impersonate a secure website, and collect the data transmitted using their own key pair.

But the most prominent case of CA hacking in recent history happened in August 2011, and occurred on such a large scale that it led to the downfall of the CA at the center of it, DigiNotar. In this attack, an Iranian hacker infiltrated DigiNotar’s infrastructure and issued valid SSL certificates to themselves for a number of prominent domains, including Google, Yahoo, Mozilla add-ons and more. By doing this, the hacker was able to conduct a man-in-the-middle attack, mainly focused on gmail users in Iran, and was able to intercept traffic for weeks before the attack was discovered.

What Does it All Mean?

These breaches revealed some significant cracks in the internet’s infrastructure. Whether we know it or not, we rely on certificate authorities to keep our internet activity secure—and in these cases, those same authorities were unable to protect their own security. Thus, despite improvements in the direction of security, transparency, documentation, and damage control, CAs still represent an inherent vulnerability in our online ecosystem: They are responsible for ensuring all of our security, so an attack on one can mean an attack on millions.

So where does it leave us? Human error will always exist, and the unhackable system is still only a concept, but that doesn’t mean we’re without power. In fact, just by reading this, you’ve gained some power over your own security. That’s because, cliché as it sounds, knowledge really is power here.

While much of this infrastructure is hidden, enough of it is front-facing for us to take our security into our own hands, and make better decisions ourselves.

Many of us have learned to treat the little words and symbols in the address bar like wallpaper, and some of us (not pointing any fingers) have even clicked right past those full-page warnings. When you don’t understand something, it becomes easy to disregard it, but once you know the issue and where to look, it becomes impossible to ignore.

If you like what you’re reading, be sure to applaud this story (did you know that you can hold down the applaud button and it’ll keep adding claps–it’s addictive!) and follow our channel!

What’s humanID?

humanID is a new anonymous online identity that blocks bots and social media manipulation. If you care about privacy and protecting free speech, consider supporting humanID at www.human-id.org, and follow us on Twitter & LinkedIn.