Supercon what a padlock does not mean

Last night I saw an advertisement on the television. This starred a rocket pack wearing ring firing robot that was a "web only offer", the advertisement was for/by Barclays Bank. Halfway through he stopped and announced that you cannot tell who you are buying from if the website doesn't have a padlock, and the goods will not arrive.

I reached for the remote. I rewound it. I watched it again. And again. And again. No, he really was just saying that.

"...It's a scam, if you order me you'll get nothing. Look in there, you need a padlock when you pay for stuff. If there isn't one, the website could be fake."

Encryption is important. It is vital as it happens. To the point that a lot of time and effort is put in to restrict its use, and figure out ways to circumvent it. Strong encryption used to be treated as a munition under law - so yeah, it's serious stuff O_O

I get that what they are trying to do, and along the way educate the masses - however, these were not solid facts.

I would never condone purchasing anything from anyone who doesn't have a website that encrypts its communications end to end. That is foolhardy. It is. There is no way around that. However working in the hosting industry you get to see all manner of FUBAR implementations - cards kept in plain text in a database, saved to files, emailed out in plain text, emailed out encrypted to a desktop, and so on.

The best approach nine times out of ten is to don the Teflon suit and duck and weave like Neo in the Matrix so that the transactions are done and handled, in full, by a payment gateway. This minimizes your exposure, liability, and need to store such data. Unless you are a bigger player - this is nirvana.

Back to the script. Let's tie this down:

"With the exception of EV certificates, an SSL certificate in no way gaurantees who you are dealing with."

in fact, I would be happy to stretch this out to also:

"In most cases it does not gaurantee that you are speaking to the same 'other-end' now as you were speaking to earlier."

An SSL certificate has one job and one job only on the whole - and that is to encrypt communications between two points. A bit of public key encryption magic and the conversation it carries can mostly be considered as secure.

In a world where fraudsters who are trying to spearfish will register very similar domains, and set them up properly with reverse DNS, SPF, DKIM, DMARC - seeing a padlock is no guarantee of "not fake".

It is one of those great misunderstandings within IT, like Firewalls and "in the cloud". This is not like me STILL harbouring the disappointment of being lied to by Mr Stevens in Physics - only to find the truth with Dr Williams informing me that gravity was 9.82m/s2 not 10m/s2 ... life was never the same. No. This is not a ballpark thing - its wrong. It's akin to saying Cars - They keep the rain off. Yes, yes they do, mostly, with some exceptions, but their purpose is transportation. Breath. Back to observation...

Things have changed a great deal in the website certificate world.

Using an exceptionally broad brush we can narrow these down into four categories ignoring all the specialist ones:

  •  Self-sign
  •  Let's Encrypt
  •  Standard certificates
  •  Extended validation certificates.

Here is the important part - at their job - end to end encryption the free ones are as secure as the most expensive ones. Fact.

So what's the deal here?

Self-sign certificates - browsers really don't like. You act as the CA, you do not have to pay anyone to sign the key to mark it as trusted. The creator of the certificate is not in the 'gang' of companies that the browser market recognise. They are however no less secure cryptographically speaking - it is just that someone who you should trust has not said "I know and vouch for this key" - this is a highly important point. So these are great for things that the world does not have general access too. Happy days. The creater of a certificate is known as a CA - a Certificate Authority.

Let's Encrypt - a CA decided to give away their golden eggs. And why not? They get to keep the Goose, right? The world is getting more and more intrusive. In line with the likes of Google preferencing sites that have SSL this is fabulous news, and assists the ideal of encryption everywhere. With these already. Reducing exposure and liabillity to everyone. Bravo for the bigger picture thinking CA's. If you can adjust a DNS record, or create a file that is accessible within your website - then you can have one.

Standard Certificates - for those who know - you might ask yourself why a company you are about to buy goods for is using a Let's Encrypt. It is a valid question. Every-man-jack and Joe-Q-public can have a padlock on their site now, for no cost, no validation - so why would you want to BUY one? Because jumping through hoops are now required. You need to confirm that the email address they have dictated is live and able to receive a confirmation email. This is an investment of time and effort.

Extended Validation Certificates - this type of certificate is the one that you will see with the company name next to the padlock. This only works for companies. They need to have a company number, their phone number needs to appear in a number of validated places, they have to confirm an email, and confirm a call on top of this. This is the ONLY type of certificate that gives you some kind of validation of who you are speaking to. The ONLY ONE.

Now I appreciate that Barclays are not likely to say that you should not buy from sites without company names next to them in green - as that simply is not fair. But suggesting that a padlock means that you know who you are dealing with is madness.

Pondering, as you do, how hard it would be to set up a fictitious company and get an EV certificate - you would be looking at change from £150 if you were so motivated. So while not easy - if you are of that mindset it is not hard either.

The rest of these appear to be pretty sound - however this one - well, admirable concept, poorly executed. To quote a colleague *TRIGGRED!*


Some links from friends trying to appease my ranting last night trying to put their points

Scott - What is an SSL Certificate from one of the CA's - proves who you are dealing iwth.... only if it is an EV certificate.

Rob - Understanding Man-In-The-Middle Attacks - Part 4: SSL Hijacking - the whole thing is a sham if someone is in the middle ... although things like mod_headers and HSTS and pinning assist with this greatly.

Thank you both, you made me think, forced me to rearticulate.

In reality, the average Joe Q Public and Josephine Bloggs, is not going to know how to test for certificate pinning, HSTS, transparent overlays, man in the middle attacks, or intensely insecure cryptography.

As much as it pains me to say this - the Google Chrome approach of becoming increasingly intolerant of things is the way to go.

This morning I thought I would try and find what Barclays had to say about it. Google presented me the following:

Your connection is not private

Attackers might be trying to steal your information from (for example, passwords, messages or credit cards). Learn more

Clicking on the ADVANCED option in chrome it went on to say:

This server could not prove that it is; its security certificate is from This may be caused by a misconfiguration or an attacker intercepting your connection.

Accepting the dodgy certificate it went to a "page not found".

After pointing, demonstrating to colleagues, laughing, sharing, it would seem this has been resolved - which I am very impressed with. But seriously?

I feel better for letting that out, putting it down on paper, and will no doubt edit to correct. Phew. Deep breath. ... it will have to work hard to sting more tham 9.82m/s2  ;o)

IMPORTANT DISCLAIMER: I am not an InfoSec, security professional, similar. I simply deal with a lot of broken things, things that can be broken, trying to stop things from being broken. I see a lot of it. Around the clock, day in day out, have a talent for spotting things going to go wrong. No more, no less.

Leave a Reply

Your email address will not be published. Required fields are marked *