Trust issues: Know the limits of SSL certificates


Certificate authorities (CAs) have given themselves a black eye lately, making it hard for users to trust them. after discovering the CA had mis-issued thousands of certificates over several years, and researchers found that phishing sites were using . Even with these missteps, the CAs play a critical role in establishing trust on the internet.

CAs issue different types of certificates, and each type addresses a different internet security use case. Here’s what you need to understand about certificates and online trust, so you know what is happening behind HTTPS—especially now that .

How certificate authorities lost your trust

Let’s Encrypt, the free, automated CA run by the Internet Security Research Group (ISRG) as a Linux Foundation collaborative project, is taking a pounding for issuing 15,270 certificates containing the word “PayPal” in either the domain name or the certificate identity. The sites using those certificates weren’t PayPal properties, and nearly all (97 percent) of the domains hosted phishing pages, said researcher and encryption expert Vincent Lynch. The limit to keep in mind is that these are domain-validated (DV) certificates: issuance proves only that the requester controlled the domain at the time, not who that party is, so a valid certificate on a look-alike domain is exactly what DV is designed to produce.

A researcher earlier this year found more than a hundred mis-issued Symantec certificates, prompting Google to conduct its own investigation. After discovering that Symantec had allowed other parties access to its certificate issuance infrastructure without sufficient oversight, Google Chrome developers said they “no longer have confidence in the certificate issuance policies and practices of Symantec over the past several years.” Symantec has promised to reissue all its Transport Layer Security (TLS) certificates to comply with Google’s new validity period requirements.


But the industry can take action to raise the level of trust. Better audit tooling around Certificate Transparency (the public logs that made the “PayPal” certificates discoverable in the first place) and browser antiphishing filters would limit the amount of damage malicious websites can cause, for example.
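As an added example (not code from the article, from Let’s Encrypt, or from any CA), the Go program below shows the two points above together: what a domain-validated certificate does and does not assert, and the kind of Certificate Transparency audit that surfaces brand-keyword certificates like the “PayPal” ones. It mints self-signed test certificates in place of real CT log entries; the look-alike name secure-paypal-login.example, the brand allowlist, the DV-versus-OV/EV heuristic (no Organization in the Subject) and the 825-day validity ceiling are all assumptions made for the example, not data from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one reason a certificate was flagged by the audit.
type Finding struct {
	Name   string // DNS name or CN that triggered the finding
	Reason string
}

// brandAllowlist maps a protected keyword to the registrable domains that
// legitimately belong to the brand. Constructed sample policy for this example.
var brandAllowlist = map[string][]string{
	"paypal": {"paypal.com", "paypal.me"},
}

// ownedBy reports whether host is one of the owned domains or a subdomain of one.
func ownedBy(host string, owned []string) bool {
	for _, d := range owned {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

// AssuranceLevel separates domain-validated certificates, which carry no
// organisation in the Subject, from OV/EV ones, which do (heuristic assumed
// here). A DV certificate only proves control of the name at issuance time.
func AssuranceLevel(cert *x509.Certificate) string {
	if len(cert.Subject.Organization) == 0 {
		return "DV"
	}
	return "OV/EV"
}

// AuditCertificate runs the checks a CT monitor would run on a logged
// certificate: brand keywords in names outside the brand's allowlist, and a
// validity period longer than maxValidity (an assumed policy parameter).
func AuditCertificate(cert *x509.Certificate, maxValidity time.Duration) []Finding {
	var findings []Finding
	names := append([]string{}, cert.DNSNames...)
	if cert.Subject.CommonName != "" {
		names = append(names, cert.Subject.CommonName)
	}
	seen := map[string]bool{}
	for _, n := range names {
		host := strings.ToLower(n)
		if seen[host] {
			continue // CN usually repeats one of the SANs
		}
		seen[host] = true
		for brand, owned := range brandAllowlist {
			if strings.Contains(host, brand) && !ownedBy(host, owned) {
				findings = append(findings, Finding{Name: n,
					Reason: "contains brand keyword " + brand + " outside allowlisted domains"})
			}
		}
	}
	if cert.NotAfter.Sub(cert.NotBefore) > maxValidity {
		findings = append(findings, Finding{Name: cert.Subject.CommonName,
			Reason: "validity period exceeds policy"})
	}
	return findings
}

// MakeTestCert issues a self-signed leaf so the audit runs offline; a real
// monitor would instead read entries from a CT log or a front end like crt.sh.
func MakeTestCert(cn string, sans, org []string, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now().UTC().Truncate(time.Second) // X.509 times are second-granular
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: org},
		DNSNames:     sans,
		NotBefore:    now,
		NotAfter:     now.Add(validity),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed look-alike name; not a real site.
	phish, err := MakeTestCert("secure-paypal-login.example",
		[]string{"secure-paypal-login.example", "www.secure-paypal-login.example"}, nil, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s level=%s\n", phish.Subject.CommonName, AssuranceLevel(phish))
	for _, f := range AuditCertificate(phish, 825*24*time.Hour) {
		fmt.Printf("  FLAG %s: %s\n", f.Name, f.Reason)
	}
}
```

Running it reports the look-alike certificate as DV and flags both of its names, which is the whole lesson of the Let’s Encrypt episode: the certificate is technically valid, the padlock appears, and nothing in it says the operator is PayPal. The allowlist is what turns a keyword match into a decision, so in practice the brand owner maintains it, not the monitor.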

Correction: This blog has been amended from its original version.