What are the security impacts of a website that has an invalid certificate?

Many Brazilian government websites usually do not have valid security certificates. Examples:

https://www.ibama.gov.br/ (expired validity)
https://www.ibge.gov.br/ (self-signed, invalid URL)
https://www.funai.gov.br/ (self-signed)
https://www.brasil.gov.br/ (CA unknown: ICP-Brazil)
https://www.senado.gov.br/ (CA unknown: ICP-Brazil, invalid URL)

In most cases the browser says that the "certificate authority root certificate is untrusted", and others have simply expired. This situation is unusual on commercial sites, but from time to time I also come across one of these. And of course, I myself have some difficulty keeping the sites I manage always with valid certificates.

Is a site required to have a valid certificate for communication with it to be secure? Why? Some of these government websites have very important functions (e.g. Federal Revenue, Ministry of Labor, Siape...); is it safe to continue using them despite the security alert displayed? (Some even go as far as instructing the user to ignore these alerts.)

My old hosting provider has already suggested that I use cacert.org certificates instead of a self-signed one, as they "are not yet recognized by major browsers, but many systems already accept them" (i.e. still invalid!). Would that be an acceptable practice? Can I just tell my users to ignore the security alert and that's it, just like these government websites do? What impacts does an invalid certificate have on the security of a website?

Author: mgibsonbr, 2015-12-02

3 answers

Is a site required to have a valid certificate for communication with it to be secure? Why?

Yes, it is. Any and all requests made on top of SSL require a key that is contained within the certificate. The request content is encrypted on the server and sent to the client, which decrypts the request using the certificate key.

When there is any issue with the certificate (untrusted, expired, etc.) the inviolability of communication is not guaranteed:

  • if the certificate is untrusted, it means that there is no way to ensure that the key of this certificate is actually protected, as there is no way to guarantee the integrity of the certificate authority, and that it can be reproduced in a fake certificate, which allows an attacker to obtain the content of your requests and decrypt them;
  • if the certificate has expired, it means that through some process, some attacker may manage to break the encryption and get the key. There are some methods for this. In particular, breaking SSL is complicated and time-consuming, but not impossible.

Certificate Authorities have their own certificate, which is called the root certificate. The main certificates of certifying authorities are distributed by internet browsers.

Would this be an acceptable practice? [use of cacert.org certificates]

If you have a website that deals with sensitive information, such as very sensitive data, of financial, governmental or corporate importance, no, because browsers do not distribute the root certificate of the CACert.org, and that therefore makes CACert an unreliable certificate authority.

For sites where security is required, but not at a more critical level, I see no problems. CACert uses a method of a trust network between the entire community, that is, if any certificate is reported as invalid by someone in the community, the certificate is no longer accepted by the community.

Can I just tell my users to ignore the security alert and that's it, just like these Government websites do?

You should not. By analogy, it is as if you had a queue of people waiting to enter an age-restricted place and did not check whether their documents are genuine or not.

Although SSL interception is not common in Brazil, it is still a security problem.

What impacts does an invalid certificate have on the security of a website?

It does not guarantee inviolability of the request because it does not meet the security requirements of the SSL standard. That is, it is not guaranteed that the information circulating between you and the server cannot be intercepted and read.

 12
Author: Leonel Sanches da Silva, 2015-12-02 20:02:27

If a website is intended for the general public, the only way to ensure the authenticity of the communication without manual intervention is through a valid certificate. Using an invalid certificate is only marginally better than not using anything, because it reduces the chances of anyone on the network monitoring (eavesdropping on) the communication without anyone noticing, especially on open networks like public wi-fi.

Clarifying: even with an invalid certificate the client/server communication is confidential and intact (as the communications channel is properly encrypted). One just cannot be sure that one is communicating with the right server... See the question "How does HTTPS (SSL) work?" for more details.

Gypsy's answer already touches on the main points (including the problem of installing new root certificates manually in the browser). I will just supplement it with the last item not mentioned:

Is it safe to continue using them despite the security alert displayed?

In general, no, because as explained "browsers do not distribute the root certificate of the CACert.org, and that therefore makes CACert an unreliable certificate authority". The same goes for ICP-Brazil. Without knowing if the root certificate is reliable, there is no way to differentiate between the authentic certificate and a forged one. And even if the user manages to get the true certificate in some other way, "the correct would be to guide the user to install the CACert root certificate on his machine".

To make matters worse, many government websites do not even use ICP-Brazil, but rather a self-signed certificate. The reasons for this are unknown, but the fact is that some of these sites need to be accessed to perform sensitive operations, and you cannot opt out (a recent example is eSocial, although this falls in the previous case of ICP-Brazil).

What to do then? Currently, not much, but there are a few options:

  • open the site on a few different days, on a few different computers, and check its fingerprint (its signature). When you are confident that there are no problems with the certificate (i.e. the same certificate was displayed every time, and there were no reports of invasions in that period), add an exception for that specific certificate, so that future visits will no longer show the security alert. If the certificate changes, stay alert and repeat the process, as it can be only a periodic change (e.g. the old one is about to expire) but it can be an interception attempt;
    • Note: this can be done both for self-signed certificates and for those anchored in ICP-Brazil.
  • do the same with the ICP-Brazil root certificate, or maybe try to get it by a more secure means, and then install it in the list of Certification Authorities. It is a more "extreme" form of the previous one, because in doing so one starts to trust ICP-Brazil as much as the other CAs, which allows them to sign certificates for arbitrary domains;
  • use a different certification model. The Convergence project, for example, uses a set of "notaries" to jointly determine the authenticity of a website. The idea is that while running a single MitM is feasible, doing multiple simultaneously and in different parts of the internet is much more difficult. In this way, a user could, when viewing a certificate, automatically check with one or more notaries whether they are also seeing the same certificate, and if all (or most, it is configurable) agree, then we are probably connecting with the right site. Unfortunately, at the time I write this answer, this project is kind of dead...

But the real ideal, for those who are making available a website that needs or would benefit from encryption, is to obtain a certificate from one of the globally recognized CAs. For, despite all its problems, it is the safest way we have available to the general public, without relying on complicated and risky manual settings.

 9
Author: mgibsonbr, 2017-04-13 12:59:39
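
The first option in the answer above (observe the fingerprint on different days and computers, then add an exception) and the notary idea behind Convergence can be sketched together as follows. This is an added example, not code from the answer or from the Convergence project; the function names, the thresholds and the sample observations are assumptions constructed for illustration.

```python
import hashlib
import ssl
from collections import Counter

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as browsers show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate without validating it (observation only)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def assess(observations, pinned=None, min_days=3, min_vantages=2, quorum=1.0):
    """observations: (day, vantage_point, fingerprint) tuples, newest batch only.
    Returns (verdict, fingerprint or None). Thresholds are illustrative assumptions."""
    if not observations:
        return ("insufficient", None)
    top, hits = Counter(fp for _, _, fp in observations).most_common(1)[0]
    agreed = hits / len(observations) >= quorum
    if pinned is not None:
        # Exception already stored: any deviation means "stop and re-verify",
        # since a renewal and an interception look the same at this point.
        return ("match", pinned) if agreed and top == pinned else ("changed", top)
    if not agreed:
        # Vantage points disagree: someone is seeing a different certificate.
        return ("conflict", None)
    days = {d for d, _, fp in observations if fp == top}
    vantages = {v for _, v, fp in observations if fp == top}
    if len(days) >= min_days and len(vantages) >= min_vantages:
        return ("pin", top)
    return ("insufficient", None)

# Constructed stand-ins for DER bytes; these are not real certificates.
FP_A = fingerprint(b"constructed certificate A")
FP_B = fingerprint(b"constructed certificate B")
SAMPLE = [
    ("2015-12-01", "home", FP_A),
    ("2015-12-02", "office", FP_A),
    ("2015-12-03", "mobile", FP_A),
]

if __name__ == "__main__":
    print(assess(SAMPLE))
    print(assess(SAMPLE + [("2015-12-03", "cafe-wifi", FP_B)]))
    print(assess([("2016-01-10", "home", FP_B)], pinned=FP_A))
```

In real use each observation would come from `fingerprint(fetch_der(host))` run on a different network, and a "changed" verdict restarts the observation period instead of silently replacing the stored exception.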

Look, as previously answered, the digital certificate has the following functions:

  • integrity: proves that the data has not changed
  • authenticity: proves the authorship of the person
  • security: the message cannot be read if you do not have the key
  • non-repudiation: the person who sent it has no way of disputing that he sent it

Many Brazilian government websites usually do not have valid security certificates

This happens because the certificate has expired and has been exchanged. Example: the ICP has had its certificate expire, and it notifies the CAs (Certificate Authorities) not to use that certificate anymore because they exchanged the certificates. But since browsers do not update the certificates all the time, they show that the certificate is unreliable, because the list has not been updated and so still contains that expired certificate.

 1
Author: jhonatas silvinha, 2020-11-14 01:34:12