Self-Signed Certificates: What Makes This an Issue
We have all come across this message: ALERT! THE SITE'S SECURITY CERTIFICATE IS NOT TRUSTED!
For a website to be secure, there needs to be a certificate associated with the website. The user sees this as the locked padlock and "https" (emphasis on the "s", which indicates a secure connection) in the address bar of the browser. The certificate indicates that a third party has taken the time and effort to verify that the entity the website claims to be is actually the entity behind it. For instance, if the user connects to a website that appears to be a major book retailer, the lock indicates that an unassociated third party has verified the website is actually operated by the retailer, and not by an attacker in another country seeking to trick the user into providing their name, address, credit card number, and any other information the attacker can exfiltrate as part of a social engineering plan. This is the industry standard: an independent third party signs (provides) the certificate. It removes nearly all of the risk of connecting to a fake website and being tricked.
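To show concretely why a browser trusts one certificate and warns about the other, here is an added example (not part of the original article) that builds a throwaway private CA, issues a server certificate from it, and compares that with a self-signed certificate for the same name. The CA name, the hostname shop.example.test and the temporary paths are all constructed for the demo; the private CA stands in for the trusted third party.

```shell
#!/bin/sh
# Added demo: a private CA plays the "trusted third party"; a certificate it
# signs verifies, a certificate that signs itself does not. Everything lives
# in a temporary directory and the names are made up for this demo.
set -eu

WORK="$(mktemp -d)"

# 1. The CA certificate: this is what a browser would hold in its trust store.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# 2. A server certificate requested by the site and signed by the CA.
make_ca_signed_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -out "$WORK/server.pem" 2>/dev/null
}

# 3. A self-signed certificate claiming the same name. Nobody but the
#    certificate itself vouches for it, which is exactly the browser warning.
make_self_signed_server() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=shop.example.test" \
        -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# verify_against_ca CERT: prints "trusted" or "untrusted", mirroring the
# chain check a browser performs against its trust store.
verify_against_ca() {
    if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_ca
make_ca_signed_server
make_self_signed_server
echo "CA-signed:   $(verify_against_ca "$WORK/server.pem")"     # trusted
echo "self-signed: $(verify_against_ca "$WORK/selfsigned.pem")" # untrusted
```

Run it as a normal shell script with openssl on the PATH; the second line is the same failure a browser reports when the site presents a self-signed certificate.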
Because the certificate is provided by a third party that verifies ownership, there have to be entities in the market that provide this service. Several trusted vendors currently provide these certificates, among them Verisign, Comodo, Globalsign, and Let's Encrypt.
These certificates are vital to commerce. Without them, anyone could put a website on the internet that misleads users about who really operates it, and users could be defrauded and have their identities stolen. The party entering into a transaction and logging into the other website would have no guarantee of whom they are actually communicating with. The system is not perfect, and there have periodically been incidents in which certificates were not handled appropriately; however, these have not been a statistically significant problem.
About the Author - Charles Parker, II has been working in the infosec field for over a decade, performing pen tests and vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and infosec policies and procedures. Mr. Parker's background includes work in the banking, medical, automotive, and staffing industries.