SSL 102: Understanding Trust


Last year I wrote an overview of SSL and how certificates (and the fancy green lock) work. Today I’ll be following up to understand how trust works, and what happens when trust is broken. First I’ll start with some history:

SSL came about in the 1990s, and when it did, only larger companies with powerful servers could afford it, because setting up an encrypted connection was computationally expensive. Encryption alone is not enough, though: a certificate is just a public key with a name attached, and anyone can generate one. An attacker who finds a way to hijack a connection and present a certificate of their own can act as a man in the middle, reading everything the user sends to the server and everything the server sends back, and changing anything along the way.

This led to the Certificate Authority (CA): a company that vouches that the certificate you are seeing really belongs to the site you asked for. You can read about how here. But a CA’s signature only means something if you already have the CA’s own public key and know it is genuine, so we needed a way to get those keys securely. Luckily, the OS and browser vendors take care of it.

Microsoft, Apple, Google and Mozilla each maintain a root store: a list of the certificates of the certificate authorities they trust, shipped with the operating system or browser. When you update your browser or computer, that list can be updated to add or remove these “root certificates.”

That second part matters, because occasionally a certificate authority screws up, and if it screws up so badly that nobody can trust it any more, the ultimate punishment is to be removed from the trusted list on everyone’s computers.

This has happened before, and when one major vendor stops trusting a CA, the others usually follow suit, which typically puts the CA out of business. It’s newsworthy now because Google has taken steps to distrust Symantec, after Symantec signed off on over 30,000 certificates without properly verifying them. This is big because Symantec controls about 25% of the world’s certificates. Rather than pulling the plug at once, Google has outlined a gradual plan: Chrome will stop trusting Symantec-issued certificates with a lifespan longer than 9 months until Symantec can prove it has cleaned up its act. This will still cause pain for Symantec customers, who now have to choose between renewing their certificates every 9 months or moving to a competitor. It will also cause pain for users, who will start to see certificate errors on sites they thought they could trust.
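Both halves of the story above, a root in the store making a chain trusted and its removal making the same chain fail, plus the graduated distrust plan, can be seen in a few lines of Go. This is an added example, not code from the original post or from any browser vendor. It uses only Go’s standard crypto/x509 package to build a throw-away root CA and a leaf certificate, verifies the leaf against a trust store that still holds the root and one from which it has been pulled, and then applies a made-up policy that rejects certificates from a distrusted issuer whose validity exceeds nine months. The CA names, the hostname, the 270-day approximation of nine months and the policy function itself are all assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Made-up CA and host names (nothing here is a real CA); nineMonths assumes 270 days.
const exampleRootName, exampleHost, nineMonths = "Example Root CA", "www.example.test", 270 * 24 * time.Hour

// mint generates a fresh P-256 key, picks a random serial, and has parent sign tmpl
// (or tmpl sign itself when parent is nil). It returns the parsed cert and its key.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)); err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// selfSignedRoot builds the kind of certificate a vendor ships in its root store.
func selfSignedRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return mint(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour), // backdated for clock skew
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// issueLeaf has root sign a server certificate for host that lasts for lifetime.
func issueLeaf(root *x509.Certificate, rootKey *ecdsa.PrivateKey, host string, lifetime time.Duration) (*x509.Certificate, error) {
	cert, _, err := mint(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return cert, err
}

// chainTrusted does what a browser does on connect: chain leaf to a root in store
// and check the name matches host. A nil error is the green lock.
func chainTrusted(store *x509.CertPool, leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err
}

// validityCapOK models graduated distrust (an assumed policy, not a browser's code):
// a cert from a distrusted issuer passes only if its whole validity is <= maxValidity.
func validityCapOK(leaf *x509.Certificate, distrusted map[string]bool, maxValidity time.Duration) bool {
	return !distrusted[leaf.Issuer.CommonName] || leaf.NotAfter.Sub(leaf.NotBefore) <= maxValidity
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	root, rootKey, err := selfSignedRoot(exampleRootName)
	check(err)
	other, _, err := selfSignedRoot("Some Other Root CA")
	check(err)
	leaf, err := issueLeaf(root, rootKey, exampleHost, 90*24*time.Hour)
	check(err)
	longLeaf, err := issueLeaf(root, rootKey, exampleHost, 365*24*time.Hour)
	check(err)
	// A client's store before distrust (holds our root) and after (only an unrelated root remains).
	before, after := x509.NewCertPool(), x509.NewCertPool()
	before.AddCert(root)
	after.AddCert(other)
	fmt.Println("root in store:", chainTrusted(before, leaf, exampleHost))
	fmt.Println("root removed: ", chainTrusted(after, leaf, exampleHost))
	distrusted := map[string]bool{exampleRootName: true}
	fmt.Println("90-day cert, capped issuer: ", validityCapOK(leaf, distrusted, nineMonths))
	fmt.Println("365-day cert, capped issuer:", validityCapOK(longLeaf, distrusted, nineMonths))
}
```

Two things worth noticing when you run it. The "root removed" case fails with an x509.UnknownAuthorityError even though the leaf, its signature and its dates are all perfectly valid; nothing about the certificate changed, only the client's list of who it believes. And the policy function keys on the issuer's name purely for readability; a real browser pins distrust to the hash of the root's public key, because names are just bytes the CA chose.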

But it’s a generous and smart move from Google. Chrome is the dominant browser now, and if Google simply pulled the plug on Symantec it would look bad for Google when millions of websites broke overnight. The gradual plan also gives Symantec a road to recovering the trust it lost.