by Charles Miller

Next Thursday will be Halloween, and also the day your web browsers are going to start saying "Trick or Treat!" come midnight. The bad news is that there is no treat, and the tricks are going to keep coming and coming for months to come. The trick to which I refer is that starting at midnight on Halloween Google’s Chrome browser and probably many others will start displaying a warning that some of the web sites you visit are not secure because the SSL Certificate issued to that site is no longer trusted.

Back in the mid 1990s as the internet was becoming "a thing" there were some smart people who recognized the need for establishing secure connections that could be trusted. This led to the birth of the digital certificate that authenticates a website's identity and enables an encrypted connection between a web server and you. Secure Sockets Layer (SSL) is the security protocol designed to protect data transmitted over the internet. The creation and issuance of these certificates was entrusted to a handful of new businesses called a Certificate Authority (CA). The job of a CA is to verify the ownership of a web site and the accuracy of the information provided to register the name. Over the years three different levels of verification emerged.

Domain Validation (DV) can be nothing more than verifying the validity of someone’s email, phone number, or address, so DVs are easily obtained by criminals. Organization Validation (OV) is more stringent and might involve an applicant having to provide photo IDs and copies of legal documents that prove the legal existence of the organization applying for the certificate. Extended Validation (EV) should involve a careful and rigorous verification process. If you try to obtain a certificate for Merrill Lynch & Co. be prepared for the issuer to require an in-person meeting with Mr. Merrill or Mr. Lynch before issuing you a valid certificate for ml.com. To do less could put every investor at risk. In other words, there must never ever be an Extended Validation (EV) certificate issued to anybody other than the legal owners of that web site because being able to trust that a website is the real one and not a fake copy is absolutely essential.

There are many companies in the business of issuing certificates; anyone can do this, but not every Certificate Authority is responsible. For several years now there have been ongoing problems with the long-established CA named Entrust. The details are down-in-the-weeds technical, but suffice it to say that Entrust has been guilty of unapologetically bending the rules to the point that Google finally said "Enough!" and announced that as of midnight Halloween Entrust will no longer be trusted by the Chrome browser.

What this means for Entrust is that as its customers take their business elsewhere the company could face serious consequences. This was the case in 2011 when the misbehaving Certificate Authority named DigiNotar was quickly forced into bankruptcy when its certificates became untrusted.

What all this means to you is that as you surf the web you might soon encounter a scary full-page warning stating that a site you visit is "not secure" plus visual indicators such as a red exclamation mark in the browser’s address bar. You still have the option to ignore the warning and to proceed; just be aware if you do that you could possibly end up not on your bank’s web site but on a fake website that looks just like your bank’s site.

**************

Charles Miller is a freelance computer consultant with decades of IT experience and a Texan with a lifetime love for Mexico. The opinions expressed are his own. He may be contacted at 415-101-8528 or email FAQ8 (at) SMAguru.com.

Discover Lokkal:
Watch the two-minute video below.
Then, just below that, scroll down SMA's Community Wall.
Mission

Visit SMA's Social Network

Contact / Contactar