Offensive Security

The History of SSL/TLS: Part 2 – TLS Certificates

The History of SSL/TLS: Part 2 – TLS Certificates

SSL and TLS protocols are the most commonly used protocols on the Internet – and it is thanks to them that we can surf the Internet safely. They are also the ones who turn the “http” in our address bar into “https“. After we dealt with the basics of TLS and SSL in the first part of this series, we want to focus on TLS certificates in this part.

TLS Certificates – Basics

As already discussed, the TLS/SSL protocol serves among other things to ensure the authenticity of the connection. This means that the web browser of a user can be sure that he really talks to a web page when he calls it. Certificates are used for this verification when establishing a connection. This can be imagined as an identity card which the website shows before visiting to identify itself to the browser.

This serves to ensure that no attacker can impersonate Sparkasse-gelsenkirchen.de, as no one except www.sparkasse-gelsenkirchen.de is issued a valid certificate. Like every identity card, every TLS certificate is issued by a higher authority. This means that we do not have to trust the issuing “authority” to issue a second certificate for www.sparkasse-gelsenkirchen.de..

TLS certificates – trust is the cornerstone

TLS Certificates of the Website www.sparkasse-gelsenkirchen.de
TLS Certificates of the Website www.sparkasse-gelsenkirchen.de

A certificate now consists not only of a single certificate but of a chain. This is called the Certificate Chain. In the graphic shown here you can see the certificate chain of the certificate for www.sparkasse-gelsenkirchen.de. This TLS certificate was signed by the certification authority DigiCert with its “DigiCert SHA2 Extended Validation Server CA” certificate. This is called an Intermediate or Intermediate Certificate. Since two elements do not constitute a chain yet, this Intermediate Certificate can also be issued by other Intermediate Certificates, even if this is rarely the case. However, the end of the chain always represents a root or root certificate. These are the basis of trust on the web, as they are stored in all our web browsers.

When we reinstall our web browsers, they trust a lot of different certificate issuers, including the aforementioned DigiCert. Only a small part of these exhibitors are government organizations, most of them are companies. In the graphic below we can see a short excerpt of the exhibitors that the Firefox web browser trusts.

Root TLS Certificates in Firefox
Root TLS Certificates in Firefox

 

TLS certificates – trust is good, control is better

It must be clearly stated that the security of the TLS and SSL protocols is fundamentally based on the root certificates and exhibitors stored in the web browser. Should they be hacked or decide to abuse their power and impersonate themselves as Google or Sparkasse Gelsenkirchen they would be able to do so.

This problem has been known for quite some time and a lot is being done about it. So a user can delete exhibitors which he does not trust manually from the list illustrated above. Even if we would recommend this only to very technically versed readers. Another project which is supposed to reveal the misuse of certificates are the Certificate Transparency Logs which are significantly developed and promoted by Google. These logs record all issued certificates and thus report any misuse.

The history of TLS and SSL

In the next part of this series we want to look at the origin of the first web encryption in the NetScape browser, SSL version 1. There are some interesting stories to tell about this never-before-seen protocol. So in order to stay up to date, it’s best to follow us at Twitter,

Photo of author

Vincent Reckendrees

Hallo, ich bin Vincent Reckendrees und leite das Team Offensive Services bei der AWARE7 GmbH. In meinem Bachelor und Master Studium habe ich mich auf IT-Sicherheit spezialisiert und BSI zertifizierter IS-Penetrationstester. Meine Leidenschaft gilt Reverse Engineering, Hardware- und Web-Sicherheit. Als Experte für Penetrationstests finde ich Schwachstellen in Systemen und Netzwerken und nutze sie, um realistische Cyberangriffe zu simulieren und Sicherheitsmaßnahmen zu verbessern. Durch Reverse Engineering entdecke ich Fehler und Verbesserungsmöglichkeiten in Software und Hardware. Meine Fähigkeiten in Hardware- und Web-Sicherheit ermöglichen es mir, physische Geräte und Online-Plattformen vor einer Vielzahl von Cyberbedrohungen zu schützen und ihre Integrität und Zuverlässigkeit zu gewährleisten.