Google’s Encryption Campaign and Hackers’ Use of Certificates

Google’s Chrome browser will warn you about any website you visit that does not connect to you over an encrypted link. Specifically, Chrome will soon flag a conventional HTTP (Hypertext Transfer Protocol) connection as “Not secure.” That will worry some consumers, and being labelled insecure will embarrass website operators who have not yet obtained a certificate and switched on encryption. Google is “phasing in” these warnings, and the public shaming will only get more pronounced.

For a little technical background, there is merit to using an encrypted connection: HTTPS, which is ordinary Hypertext Transfer Protocol (HTTP) carried over an encrypted channel, originally “Secure Sockets Layer” (SSL) and today its successor, “Transport Layer Security” (TLS). When you reach a site over HTTPS, a trusted certificate authority has digitally signed a certificate that binds the site’s domain name to a public key, after checking that whoever requested the certificate controls that domain. A visitor can therefore assume that traffic to and from the site is encrypted and that the browser is really talking to the holder of that domain’s key rather than to someone in the middle. The certificate attests to nothing beyond that.

Unfortunately, the degree of security that HTTPS delivers is often overstated, because some hackers steal certificates together with their private keys, or obtain perfectly valid HTTPS certificates for domains they themselves control. Such certificates can deceive consumers into believing that a hacker’s website is legitimate and can be reached securely, when all the padlock really shows is that the connection is encrypted. HTTPS says nothing about whether the site is honest or whether it serves malware.

A few years ago, HTTPS use was largely limited to the pages that collect user IDs and passwords, where security is most obviously needed. Back then, the process for obtaining an HTTPS certificate was complex and costly, and few operators made the investment where it was not absolutely required. More recently, the Internet Security Research Group’s “Let’s Encrypt” service has made obtaining an HTTPS certificate much simpler (a handful of steps, most of them automated by a client program) and free of charge.

A recent study of HTTPS certificate abuses found that Chinese hackers used several methods to obtain certificates fraudulently. Their primary tactic was to steal certificates, along with the private keys that go with them, from websites where those keys had not been properly secured. Their secondary tactic was to obtain certificates for domains they themselves controlled through “Let’s Encrypt,” which issues a certificate to anyone who can demonstrate control of the domain in question.
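The paragraphs above describe what a certificate actually proves, why a stolen key or a freely issued certificate for an attacker-owned domain still produces a padlock, and why a certificate the attacker signs for himself does not. The Go program below is an added example, not code from the original article or from the study it cites. It builds a throwaway CA (an assumed stand-in for a public CA such as Let’s Encrypt), issues certificates for constructed hostnames (login.example.com and the lookalike login-example.com), and runs the same chain-and-hostname check a browser performs:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var lastSerial int64 // sequential serials are fine for a toy CA

// signCert generates a fresh P-256 key, fills in serial and validity, and has
// parent sign tmpl. A nil parent means self-signed, i.e. a root CA. The
// returned private key is what a "certificate thief" needs to impersonate the site.
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	lastSerial++
	tmpl.SerialNumber = big.NewInt(lastSerial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(90 * 24 * time.Hour) // 90 days, as Let's Encrypt issues
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed root: a constructed stand-in for a publicly
// trusted CA such as Let's Encrypt, not any real CA's certificate.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return signCert(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// issueLeaf has the CA sign a server certificate for one DNS name. That is all a
// domain-validated certificate asserts: the key holder proved control of dnsName.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return signCert(&x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// accepts mirrors a browser's check when it connects to host: chain the leaf to
// a trusted root and require host to be one of the names in the certificate.
func accepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// RunScenarios issues certificates from a trusted and an untrusted CA and reports
// which (certificate, hostname) pairs a browser would accept. Hostnames are made up.
func RunScenarios() map[string]bool {
	trusted, trustedKey := newCA("Trusted Test CA")
	rogue, rogueKey := newCA("Rogue Test CA") // present in no trust store
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	genuine, _ := issueLeaf(trusted, trustedKey, "login.example.com")
	// A lookalike domain the attacker registered gets an equally valid certificate.
	lookalike, _ := issueLeaf(trusted, trustedKey, "login-example.com")
	// A certificate the attacker signs with a CA of their own is rejected.
	forged, _ := issueLeaf(rogue, rogueKey, "login.example.com")
	return map[string]bool{
		"genuine cert, real host":        accepts(genuine, roots, "login.example.com"),
		"genuine cert, other host":       accepts(genuine, roots, "accounts.example.com"),
		"lookalike cert, lookalike host": accepts(lookalike, roots, "login-example.com"),
		"rogue-CA cert, real host":       accepts(forged, roots, "login.example.com"),
	}
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-32s accepted=%v\n", name, ok)
	}
}
```

Run it with go run. The genuine certificate is accepted only for its own hostname; the lookalike certificate is accepted for the lookalike domain, because the CA checked nothing except control of that domain; and the certificate signed by the rogue CA fails, because no trust store contains that root, which is exactly why the attackers in the study went to the trouble of stealing or legitimately obtaining trusted certificates. The private key that signCert hands back with each certificate is the piece a thief needs: whoever holds login.example.com’s key can complete a TLS handshake as that site and pass this same check.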

The hackers needed the certificates so they could set up websites that appeared legitimate and secure. Those reassuring websites allowed the hackers to build trust with their phishing victims. The certificated sites served as destinations where victims were encouraged to confide in others who appeared to share their outlook or who had made similar security blunders.

The Chinese hackers operated in several groups with varying degrees of sophistication, and their history of operations shows three goals. First, obtain as many certificates as possible. Second, use phishing to gain access to valuable technical assets of companies or governments, such as research or corporate plans. Third, steal whatever money they could find from their online victims.

The hackers have worked against targets in Japan, Russia, the US, South Korea, India and even within China. The overall operation has been given the name Winnti Umbrella, and many of its components are still active. Over the past five years, the hackers have made operational errors that reveal their connection to the Chinese government. With backing of that depth, certificate thieves are a force to be reckoned with.
