Free public certificate authorities: Nice idea, big flaw

Certificate authorities such as Let's Encrypt attempt to provide a valuable service for all. But there's a serious problem with what they offer

Free public certificate authorities: Nice idea, big flaw
Credit: Michael Theis / Flickr

Readers often ask me how I feel about the latest free, public certificate authorities (CAs). I always tell them the same thing: It's difficult for a free CA to actually provide any security assurance. There is no free lunch.

I was reminded of this maxim when I read a recent article from HashedOut revealing that the popular, free Let's Encrypt has issued more than 15,000 digital certificates with the word "PayPal" in the subject name. PayPal itself doesn't use Let's Encrypt, so it's likely that most of these digital certificates are related to phishing attacks (according to HashedOut's analysis, that would be a whopping 96.7 percent of them).

I don't blame Let's Encrypt for the acts perpetrated by criminals who use its service for illegal activities. Let's Encrypt, like other free public CAs, is trying to provide a public service to websites and others that need publicly trusted digital certificates. In the past, costly digital certificates were a barrier to people and companies that needed certificate protection. They might never be expected to recoup the cost.

Also, many developers simply need "test" certificates to get their site rolling. I get the need. But a free public CA is not a CA. Let me explain.

What is a certificate authority?

Digital certificates are based on public key cryptography. Public key cryptography, independently invented and publicly revealed by Martin Hellman, Whitfield Diffie, and Ralph Merkle in 1976, uses two linked digital keys, one public and one private, for encryption and authentication.

The public key can be given to anyone and not compromise the protection it gives. The private key should be known only to the person authorized to reveal information encrypted by the public key (or to create authenticated information). What one key encrypts, only the other related key can decrypt. We encrypt information to other participants by using the other participant's public key. Participants authenticate information for future verification by others by using their private key.

The ideas, algorithms, and math involved work incredibly well. It's been more than four decades since public crypto was invented, and it remains (as far as the public knows) one of the best ways to protect digital information. It works. But only if you can be confident that a person sending you their public key is who they say they are.

History is replete with examples where an unauthorized person claimed to be someone they were not -- and the relying parties unintentionally sent confidential information to the imposter. In order for public key crypto to work, each participant must be "assured" that the parties they're dealing with are who they say they are.

That's where CAs come in. A CA's primary job is to authenticate the identity and legitimate ownership of each participant's public key. If I claim to be the Bill Gates, a CA should make sure I'm really the Bill Gates. After receiving proof that I am the Bill Gates, the CA can sign (using their trusted private key) my public key (which contains the subject name of Bill Gates) to attest to that verification.

The signing of the participant's public key by the CA's private key (which can only be verified by the CA's authenticated trusted public key) is supposed to give all relying parties who trust the CA the confidence in the identity of the subject using a particular public key. The subject's public key (along with other information), signed by the CA's private key, creates the digital certificate. Any participants trusting the CA to do its identification duties should trust the identity of any digital certificate the CA creates.

I like to think of CAs as similar to the DMV. In order to get an ID from the DMV, the person to be issued the ID must prove his or her identity, using whatever is accepted as official proof of identity (birth certificate, another gov't-issued ID, and so on). The DMV then issues an "official" identification card that attests to the person's picture and name on the issued ID. Because the DMV does its job pretty well, other entities like law enforcement, stores, and banks -- even in other states -- will accept your DMV ID as proof of your identity. A CA is the DMV in the digital world.

The flaw in free public CAs

The key difficulty with free public CAs is that they don't provide much identity assurance. That's because they don't operate for profit and can't afford it. Verifying identities takes resources and time. Free public CAs may validate that an email address works (not that it belongs to who it says it belongs to) or some other similarly weak measure.

Let's Encrypt and other free public CAs understand this and don't try to hide it. They provide a much-needed free service. They even try to provide additional methods for verification and post-issuance validation such as certificate transparency to help others with verifying the legitimacy of an issued digital certificate.

The problem is the only reason a CA needs to exist in the first place is to be very accurate about validating identities before issuing trusted digital certificates. If they can't do this, they shouldn't be trusted. The fact that Let's Encrypt is issuing many more fraudulent certificates than legitimate ones (at least the ones with PayPal in the name) is telling. It means you cannot trust that CA. The intent is worthy, but if it doesn't perform its primary duty, it's not needed. It's only hurting the system it intends to help.

Some proponents of free public CAs might rightly point out that the best and most trusted for-profit CAs sometimes issue fraudulent CAs and some publicly trusted CAs have handed out lots of fraudulent certificates. That's true. The difference is they have resources and processes in place to try in prevent fraud, and when caught issuing bad certs, either fix the problems or get out of the business.

A legitimate CA would not issue 96.7 percent rogue certs tied to one of the best-known phishing entities in the world. If it did, it would immediately become "untrusted" by the rest of the world. In the case of Let's Encrypt's and other public free CAs, we're told it's the cost of doing business. That hurts the entire PKI system, which is already struggling to retain our trust.