How many of us carelessly click through the certificate security warnings that occasionally pop up on our browsers? Probably more than you’d guess. It’s getting better, though, as more of us are becoming aware of the risks associated with ignoring these warnings, which can be greater than you think. But should the responsibility be on the end-user to heed these warnings? Or should it be on enterprises to ensure the use of up-to-date, secure certificates to avoid the issuance of warnings altogether? Both.
How many actually ignore browser certificate warnings?
In 2015, a research study revealed that 70% of Chrome users were guilty of ignoring browser security warnings. This inspired Google to simplify the warning Chrome presents when the user is connecting to a server with an invalid or risky certificate. Below is an example of a Chrome certificate warning, which uses several methods, including color, text, and imagery, to indicate that connecting to this site could be dangerous.
But how bad is it to ignore these certificate security warnings, really?
Most of us will admit to ignoring browser certificate warnings occasionally. Some find these warnings confusing and others simply want quick access to the site they’re visiting. But these warnings are important since they identify websites with invalid or weak certificates that shouldn’t be trusted. So ignoring them undermines your browser’s ability to protect against fraudulent certificates that can be used by bad guys in attacks.
SSL/TLS certificates help provide secure connections for all our online communications, and when used incorrectly they just aren’t as effective as they were designed to be. We’ve seen a variety of publicized cases where invalid SSL/TLS certificates have led to Man-in-the-Middle (MITM) attacks that have exposed personal or confidential data to cyber-thieves and eavesdroppers.
How can businesses help prevent these attacks?
The good news is that, as individuals, we’re all getting much better at understanding the risks associated with ignoring such warnings. But we don’t control what’s happening on the other end of the wire…the businesses with which we communicate. We need them to ensure their services and applications are using valid, secure, and up-to-date certificates. Because the more these warnings pop up, the more we’re likely to ignore them.
And when businesses discover a certificate-related vulnerability, they need to fix it—quickly. Intel did just that when they patched a serious SSL vulnerability in their Intel Crosswalk Project, an open-source, cross-platform mobile development and runtime environment.
What was the Intel Crosswalk SSL Vulnerability?
In July, researchers at Nightwatch Cybersecurity publicly shared an SSL vulnerability in the Android implementation of Intel Crosswalk. They discovered that when a warning about an invalid or self-signed SSL/TLS certificate was ignored (i.e., user proceeds with an untrusted connection), this preference was remembered for all future warnings too. So when users accepted the risk to connect to a specific domain with an insecure certificate, they were also unwittingly accepting the risk to connect to all other sites with invalid certificates—without even seeing the warnings.
Normally, every HTTPS browser request checks for a valid certificate, so the researchers advised Intel to patch this vulnerability, which they quickly did. This is the type of security flaw cybercriminals get excited about, especially with mobile devices growing exponentially.
How can we protect ourselves?
So how can you protect yourself and your organization? As an individual you can stop ignoring these certificate browser warnings and manually type the URL of the site you want to visit into a new address bar when you see one. That would reduce the likelihood of connecting to a spoofed website and succumbing to a MITM attack that can steal your personal information, financial data, and even passwords.
For their part, enterprises need to bring all of their certificates under centralized management for better visibility, lifecycle management, and policy enforcement. This can help ensure the services they provide are always backed by valid certificates, which will help eliminate certificate warnings when visiting their “secure” domains. Not only can certificate security warnings be embarrassing for the enterprise, they can also result in a loss of trust and subsequent business from customers and partners who believe their communications are inadequately protected.
Not only are smart organizations educating their employees to avoid carelessly clicking through certificate warnings, they’re also taking responsibility and getting full control of the thousands of certificates across their IT environments. Doing so provides full visibility and protection for all their certificates, so they know when anomalies exist and can fix them quickly and automatically. Knowing their entire encryption environment is under complete control instills enormous confidence in both the organization and its customers.
There’s nothing worse than discovering what you were sure was protected actually isn’t. How confident are you that your customers won’t see a browser warning when they visit your website?