Certificate Authorities and PKI (1): Industry Self-regulatory Efforts

This lesson explores how secure web communications using HTTPS were implemented, focusing on the Public Key Infrastructure (PKI) and Certificate Authorities (CAs). It covers how industry cooperation helped develop secure protocols and digital certificates, which are essential for enabling e-commerce and secure web traffic.

1. Basics of Cryptography:

• Encryption: The process of converting plaintext into ciphertext using an algorithm and a key, so that only someone with the correct key can decrypt and read the data.

• Symmetric Encryption: Both parties (e.g., Bob and Alice) use the same key to encrypt and decrypt messages, which poses risks if the key is shared over an insecure channel.

• Asymmetric Encryption: Uses a pair of public and private keys. The public key is shared openly to encrypt messages, while the private key, which is kept secret, is used to decrypt them.

2. Problem with Asymmetric Encryption:

• Man-in-the-Middle Attack: In asymmetric encryption, an attacker can intercept communication by posing as either party, making it appear they are securely communicating, while the attacker reads or manipulates the messages.

3. Role of Certificate Authorities (CAs):

• Certificate Authorities (CAs) solve the man-in-the-middle problem by issuing digital certificates that verify the ownership of public keys. These certificates authenticate that the public key belongs to the individual or organization it claims to.

• CAs act as trusted third parties, authenticating users or websites and issuing public-private key pairs. For example, when Alice starts an e-commerce website, she obtains a certificate from a CA, which ensures that customers know they are securely communicating with Alice and not an attacker.

4. HTTPS and Secure Web Communication:

• HTTPS establishes a trust relationship or handshake between a website and a user’s browser. After authentication, an encrypted channel is created using protocols like SSL or TLS, ensuring the confidentiality and integrity of data in transit.

• Browsers check the validity of certificates using the Online Certificate Status Protocol (OCSP) to ensure that the certificate hasn’t been revoked.

5. Organizational and Market Dynamics Behind Secure Web:

• Developing secure web communication required cooperation across industries:

1. Protocol Development: The creation of secure transport protocols (e.g., SSL, TLS).

2. Certificate Authorities: CAs emerged as a profitable industry, selling SSL certificates for an annual fee.

3. Browser Manufacturers: They had to include trusted CAs in their software, enabling browsers to verify certificates.

4. Web Server Operators: They needed to implement HTTPS protocols and obtain certificates from CAs.

5. End Users: Users had to trust the process and use secure websites for online activities like e-commerce.

6. Netscape’s Role in Secure Web Development:

• Netscape, the company behind the first commercial web browser, pioneered the use of HTTPS to enable e-commerce. In 1994, Netscape introduced the SSL protocol (Secure Sockets Layer), which allowed encrypted web communication.

• In 1996, Microsoft adopted HTTPS with Internet Explorer, further driving its adoption. The IETF later standardized HTTPS with the development of TLS, which gradually replaced SSL.

7. Certificate Authorities as an Industry:

• Over time, CAs evolved into a large, multinational industry, with companies selling certificates for a range of prices. Some offer free certificates for smaller businesses, while others charge fees up to $1,000 annually.

• Root Certificate Authorities serve as trust anchors, and they can delegate trust to secondary CAs, who pay for their position in browsers’ trusted certificate lists.

8. Evolution and Challenges:

• The lesson introduces the top five CAs globally as of 2018 and notes that smaller CAs tend to dominate regional markets. However, issues and challenges with CAs, including security breaches, will be discussed in the following lesson.

Conclusion:

In this lesson, we learned about asymmetric cryptography, certificate authorities, and how they form the foundation of HTTPS and secure web communication. The lesson also touched on Netscape’s role in creating the first secure web protocol and the cooperation required across the industry to build trust in online transactions. The next lesson will continue this case study, discussing additional issues related to PKI and certificate authorities.