Light Dark
July 25, 2017 By Larry Loeb 3 min read
Fraud Protection
Identity & Access

In the early days of the internet, one of the first functional problems users faced was how to verify that entities on the other end of a connection were who they said they were. At first, the nebulous nature of online transactions inhibited e-commerce, since buyers feared that their payment information might be hijacked. This lack of trust precipitated the development of digital certificates.

This was not a simple task. When someone places a telephone call, they direct it to a number they already know. They have a high level of confidence that they will be connected to only that number. The internet, at that point in time, offered no such assurances. Sites didn’t know who was doing the buying, and buyers didn’t know for sure that they were connected to a valid seller. Retailers and buyers needed a method to establish trust, or the potential of e-commerce would have been totally deflated.

Public Key Infrastructure

The framework for the answer came to be known as public key infrastructure (PKI). According to IBM, PKI is “a system of facilities, policies and services that supports the use of public key cryptography for authenticating the parties involved in a transaction.” It has the cryptographic public key system as its core, where a public key is mapped to a private key held by a user.

PKI includes a certificate authority (CA) that stores, issues and signs digital certificates. It is a repository for the certificates that can revoke them if they become invalid. The registration authority verifies the actual identities of the parties seeking to store their digital certificates with the CA.

A central directory — a secure location in which to store and index keys — is also part of the PKI, and is a necessary component for high-speed use. This ties into the certificate management system that controls access to stored certificates and delivers those that are to be issued.

A certificate policy dictates how all these components interrelate, including what happens when things fail. Perhaps a certificate needs to be uncertified, for example. That gave rise to a certificate revocation list (CRL), which is just what it sounds like: a public list of all the certificates that a CA has revoked. A browser can determine whether the certificate is included on this list and ignore it accordingly.

The use of certificates gave rise to Transport Layer Security (TLS) protocol, which enables encrypted communicated between two sites. TLS is invoked when HTTPS precedes a site’s URL.

Real-Life Revocations

Real life has a way of overhauling designs. Browsers did not always check CRLs or trust the results returned to them. CRLs are large and need to be refreshed constantly — almost with every transaction. This can give users the impression that the site’s response time is slow, even if it is not.

Another mechanism to deal with this problem, the Online Certificate Status Protocol (OCSP), prompted the browser to ask the issuing CA about a single certificate only. It would then return a response about that certificate’s validity, which took less time to parse than a CRL list.

But there was an implied problem here: The CA would be able to track what sites you were looking at based on OCSP requests. Worse, there was no binding contract present, so the organization would be free to sell that information to a third party without your consent.

Stapling and Certificate Transparency

Some developers thought that attaching the OCSP response to the certificate would fix this problem, since it would be there all the time and not yield a browser’s URL requests to a CA. But an attacker might not want this information to be attached to a certificate. That’s what the Must-Staple flag is for. When a certificate is requested from a CA, a user can require that stapling always be present. If that stapling is not present, the user can assume that the certificate has been revoked and the browser will reject it.

There’s another problem here: What if the CA has been breached or is functioning poorly and issuing rogue certificates? The solution was a CA requirement called certificate transparency, which will be mandatory in certain browsers next year. It is designed to notify a site operator if any certificates are issued for a domain under his or her care. It’s not perfect, but can help to sound the alarm if something goes wrong with the issuance process.

Re-Evaluating Digital Certificates

Revocation of existing certificates has become complex and indeterminate. Symantec, one of the earliest CAs, experienced a massive problem when Chrome moved to invalidate certificates issued by the company. Symantec’s application program interfaces (APIs) were thought to be at fault here, but the net result was the same: Trust was not assured through the use of a certificate.

The entire topic of certificates may need to be re-evaluated. Use cases have become complex and time-consuming. There is no true guarantee of trust, though certificates are a good first step. The internet at large will have to come to terms with how certificates are used and issued in the real world to determine whether the benefits outweigh the risks.

 |  |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from Fraud Protection
October 30, 2023

Virtual credit card fraud: An old scam reinvented

3 min read - In today's rapidly evolving financial landscape, as banks continue to broaden their range of services and embrace innovative technologies, they find themselves at the forefront of a dual-edged sword. While these advancements promise greater convenience and accessibility for customers, they also inadvertently expose the financial industry to an ever-shifting spectrum of emerging fraud trends. This delicate balance between new offerings and security controls is a key part of the modern banking challenges. In this blog, we explore such an example.…

August 23, 2023

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

August 17, 2023

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature