Now that the whole world is using encrypted connections, our privacy becomes more important as we do more and more things online. Connections to banks, official, medical matters. On top of that, there is the Covid 19 pandemic that moved our lives even further into the online world. Nobody currently imagines that someone could eavesdrop on our transmission. Encrypted connections protect our privacy. Everyone says “we need to make it so that there is an SSL.”, but what does it really mean if something has an SSL? The following article should explain a bit.
For information, for people a bit more tech-savvy — in this article I use the SSL abbreviation as an encrypted connection of any type and version. We no longer use SSL. Or rather TLS — a new version that has replaced the old SSL. I would not like to focus on the mechanisms, how it works under the hood, but rather on what it gives to the end user.
Have you ever wondered how DNS servers work and what do they have to do with SSL? The website sejm.gov.pl allows you to open with a secured and unsecured protocol, so it is a good example for our tests. Consider this situation:
http://sejm.gov.pl/ – a website unsecured with an SSL
https://sejm.gov.pl/ – a website secured with an SSL
126.96.36.199 – the IP address of the website sejm.gov.pl
Entering the website http://sejm.gov.pl/ we will see something like this:
The inscription “Not secure” warns us about an unsecured connection, but everything is in place and the site works fine.
If we wanted to bypass DNS and go to the same page using the IP address, it would look like this:
Nothing really changes. Not a huge discovery, is it? 😊
So let’s consider an encrypted connection:
Everything works just fine.
How about without DNS?
And here we have a problem. Why is the page not loading? We are using the correct address, we are using https, so it should be ok! We take the first steps to find a bad certificate.
Hmmm, even the certificate is correct… So why won’t the browser let us in? What happens when we ignore the error and use this website? Is our connection encrypted? Is it safe?
Answering briefly to the above-mentioned questions:
- 1. Yes, the connection is encrypted. The SSL certificate itself does not have to be trusted to establish a secure communication channel between the server and the browser.
- 2. Is it safe? It depends — in this case we are safe.
- 3. In this case, by ignoring the error, we tell the browser that we want to view this page, even though its certificate does not match the address we typed into the search bar.
Then why do we need certificates?
The website we are on is verified with a certificate. The address for which the certificate was issued MUST be the same as the address in our browser address bar. Otherwise, even if the certificate is valid, we will be informed about the problems.
How does my computer know that the certificate is valid?
In the operating system, we have saved certification authorities that we trust, we can freely modify their list, e.g. add ours. Here it is important to use a system with limited privileges on a daily basis — only the administrator is able to add a new trusted certificate. So the hands-tied virus runs on a restricted account.
In the previous picture, we looked at the sejm.gov.pl website certificate, the issuer Certum Trusted Network CA was at the top of the certification path — it is trusted because it is in the store of trusted certificates of my computer.
Because the certificates are saved in operating systems, the number of companies that issue them is quite limited. Theoretically, anyone can issue a certificate for any domain, e.g. using the free OpenSSL tool, but what if we as the issuer are not trusted by others? We won’t be able to attack this way.
The website certification process itself can be simple and fast — e.g. in the case of static websites where we do not provide any sensitive data. The certificate provider then only checks whether the page for which we want to generate the certificate exists and whether it belongs to us. Free certificates for basic features have been available for purchase for some time, issued by Let’s Encrypt. It can also be more complex, e.g. in the case of banks — suppliers carefully verify whether the company exists, what the company does, and how they apply security measures. The difference can then be seen in the certificate preview, browsers distinguish these stronger certificates, e.g. by showing the name of the company for which it is issued.
Regular certificates can be certificates for a single domain, or wildcard certificates — for all sub pages at the same time, as above — *sejm.gov.pl Thanks to this, the same certificate can also be used on the website. https://posiedzenia.sejm.gov.pl, or https://poslowie.sejm.gov.pl.
Stronger certificates are always issued only to a specific domain — this significantly increases the costs of issuing certificates for many sub pages, but provides better protection when the certificate is used only in 1 place. For example, the ING Bank has a person certified for the home page and for the login page.
Why do we store and verify certificates of certification authorities locally instead of asking a trusted server if the certificate is ok?
- 1. We connect to the Internet in various places, we do not know network administrators, Internet providers, etc. It would not be wise to trust everyone that they will send our packages asking for verification to the right place.
- 2. To make changes to our computer, we must have administrator rights.
- 3. Our computer can thus detect suspicious network activity — just this discrepancy between the certificate and the website we are on. For example, if the Internet provider changed our DNS servers, or directed traffic not where we would like it — for example, a bank’s bank website. In the screen below, I redirected my traffic from pkobp.pl to wp.pl, the browser immediately picked up the trick. 😉
- 4. As a result, the network traffic is much lower
- 5. Where would it be the “internet center” that tells us that the certificate is ok? The Internet is a distributed network and in the event of failure of one region with the current solution, everything works smoothly.
SSL / TLS, apart from and all protocols based on them, provide us not only with encryption between us and the server, they also make sure that the pages we visit are the ones we want to see. They are designed to immunize us as much as possible against attacks by hackers or dishonest administrators. The above examples were based on websites, but identical processes are used, for example, when sending e-mails, connecting to application servers, etc. and in each of these cases, we should use trusted certificates, even if they sometimes cost a lot of money. When writing the program, let’s not cut corners, an SSL connection without a certificate from a trusted provider is not worth much, because anyone can redirect our traffic anywhere, and our program will accept such a certificate anyway. Anyone can issue a certificate for any domain, but not everyone can issue a trusted certificate.
Anyone can set it up and use it, and you wouldn’t want to create an account here, would you? 😉