purpose_ssl_certificates

25 October 2022

The term “SSL Certificates” is broadly used on the internet to talk about the stuff that allows for the little lock icon when you visit a “secure” website. What does it actually mean for a website to use SSL Certificates? How protected are you? Well, let’s have a look!

A bit of context

The internet is a vast space. When you navigate the internet, your computer talks with tons of different entities. Most of them will be other computers, probably servers in a data center somewhere around the world. This compares quite easily to real life: there are lots of humans on Earth, and in life, you will be talking with all kinds of different people.

The catch is that not all people you talk to have good intentions. Some will try to manipulate you, extort money from you, or god knows what their hidden agenda may be. The internet is exactly the same. The question that then arises is the following:

How do you establish the basis for safe communication in such a hostile environment?

Well, SSL certificates are part of the answer to that question.

Let's get back to the problem in real life, and see how it was solved without any computers. In order to communicate safely with others, I like to think that there are three main areas to watch out for:

  • Knowing the identity of the person you are talking to, i.e. their name
  • Trusting the person you are talking to: if you tell them a secret, do you believe they will repeat it or use it against you?
  • Being able to have a private conversation if wanted: others will not overhear what you're talking about

Knowing who you're talking to

My focus today will be the first item on this list: identifying the person you are talking to.

So, how do you identify someone you have never met? Governments have come up with a solution for this, which is your ID Card. It gives important information about you that allows others to identify you.

You trust the info that is written on the ID card because it was delivered by a trustworthy third party: your government. If your government did its job well, it should be nearly impossible to falsify an ID card. Most of the time, this can be checked by looking at the different watermarks present on the ID card.

So when someone tells you "My name is Jack Frost", and shows you an ID card identifying him as "Jack Frost", there is a very high probability of them being who they claim to be. However, this does not mean that they are trustworthy. You only know for sure they are Jack Frost, but who knows, maybe Jack Frost is a bad guy after all.

How do SSL certificates relate to all of this?

Well actually, we have already said all that there is to be said about certificates in the previous section! How come? Well SSL certificates actually serve the same purpose as ID cards on the web. You don't believe me? Let's compare them!

The schema below shows a side-by-side view of a french ID card on the left, and of the certificate viewer in Google Chrome for https://www.padok.fr on the right. As you can see, they contain basically the same information on their respective subject.

ID_card_ssl

When you navigate to a website, your computer validates if the website has a certificate and whether it is valid and was delivered by a trusted third party. If all these checks are good, your browser will display a small lock next to the URL. Otherwise, you will get security warnings. This is the primary purpose of SSL certificates.

Similar certificate validation mechanisms are used in lots of different parts of the web. Here are a couple of examples:

  • SSH Public Key Authentication: when you connect to a server using SSH, your public key certificate is matched against a list of trusted certificates. This is similar to attending a VIP Event, and the bouncer checking your ID to see if your name is on the list of invited guests.

  • Machine to Machine authentication with mTLS: mutual TLS (mTLS) is a protocol used to restrict access to a server directly using SSL certificates. When navigating the web, your computer validates the server's identity by checking its certificate, but the server does not check your identity. It lets you access the website without any additional validation. mTLS introduces this second validation using SSL certificates.

  • SSH Host Key Verification: when you connect to an SSH server for the first time, you are asked the following question:

    $ ssh user@toto.fr
    The authenticity of host '141.95.173.6 (141.95.173.6)' can't be established.
    ED25519 key fingerprint is SHA256:hRRpRHe2SkXXXXXXXXXXXXXXXXXXXXXXXXXXXlHU34s.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?

    Basically, the server is presenting you with an ID, and if you answer "yes" this certificate will be added to your trust list.

What about trust?

Knowing whether you can trust a website or not is about as hard as knowing whether you can trust a person or not. You can never really know for sure. You need to be even more careful on the internet than you are in real life because threats are around every corner.

Phishing attacks are one example of ill-intentioned people using your trust for an entity against you. Imagine you work out at a gym called StayFit, whose website is stayfit.com.

A hacker could forge a very real-looking email pointing you to stayflt.com, which would host a very similar-looking website with a very real SSL certificate guaranteeing that you are indeed visiting stayflt.com. However this is a copy of the original website, build with the goal of stealing your credentials or your credit card information.

You may have noticed: stayfit.com and stayflt.com look very very similar, but the “i” letter in the original name has been replaced by an “L” in the fraudulent one. Even though the certificate is valid, the website’s content is fraudulent. There is no magical way to prevent this kind of fraud nowadays, but being aware that these kinds of fraud happen all the time can help figure them out before it is too late.

The purpose of SSL certificates shares some of its limitations with ID cards, as they cannot express the intentions of their owner. This is up to us humans to figure out, just like in real life!

What about SSL & TLS?

I will not get into the details here, a dedicated article could be helpful to understand the topic completely. Basically, both are cryptography algorithms that are used to encrypt the messages you send to servers when navigating the internet. They allow you to basically have private conversations over the internet: what you’re talking about cannot be overheard.

The term SSL certificates is a generic term that remains when talking about certificates used for the web because certificates were created when SSL was first introduced. Actually, there are a lot of different types of certificates: RSA, ECDSA, ed25519... Certificates used for web browsing all follow the X.509 standard.

Conclusion

If there is really one thing to remember from this article, it is the analogy between a certificate and an ID card:

  • It belongs to someone (a person or a server)
  • It identifies them
  • It has been provided by a trusted third-party

They play a huge role in securing the modern web, especially since non-profit organizations have made it extremely easy to obtain one for your website securely. If you want to learn more about their role in cryptography, do not hesitate to ping us on Twitter!