TLS Certificate System More About Control than Protection of Internet Users

From the very beginning, the foolhardiness of giving any organisation authority to issue TLS certificates that browsers can use to block websites has been painfully obvious. For so many reasons. Warning after warning has been issued, but those in charge of Internet security theater in the United States and around the world have never been concerned with real security for Internet users. I am sorry to be so blunt, but organisations that use sham security (see these links below)...

https://www.groovypost.com/howto/security-alert-diginotar-issues-fraudulent-google-com-certificateinstructions-for-how-to-protect-yourself/

https://s1.securityweek.com/turkish-ca-issues-fraudulent-certificate-google-domains

https://www.securityweek.com/lets-encrypts-free-certificates-abused-cybercriminals

https://arstechnica.com/information-technology/2017/02/dozens-of-popular-ios-apps-vulnerable-to-intercept-of-tls-protected-data/

https://resources.infosecinstitute.com/topic/cybercrime-exploits-digital-certificates/

https://www.techtarget.com/searchsecurity/news/450415470/DV-certificates-abused-but-policing-may-not-be-possible

https://www.infoworld.com/article/2623829/weaknesses-in-ssl-certification-exposed-by-comodo-security-breach.html

https://www.ibtimes.com/hacked-dutch-firm-issues-531-fake-net-certificates-309566

... to control Internet users and the Internet itself anger me. As far as I can see, the issuance of TLS security certificates has always been about money and control. The fact that governments would eventually realise this and step in to take the largest cut of the spoils has apparently not been enough of a deterrent to prevent the formation of the easily-corrupted TLS certification system that we have today. Well, now the chickens have finally come home to roost, and we deserve every bit of what may be coming next.

Let us begin with an illustration of just how subject to political abuse our TLS certificate system has always been. During the first month of the Russia-Ukraine war, TLS certificate-issuing authorities responded to sanctions against doing business with Russian businesses by no longer issuing TLS certificates to them. Russia responded by extending its big middle finger to the rest of the world--in my opinion, with full justification. It issued its own TLS certificates. As the Russian public services portal, Gosuslugi, explained, “The Ministry of Digital Development will provide a free domestic analog. The service is provided to legal entities – site owners upon request within 5 working days.”

If interpreted strictly, this means that the personal websites of Russians will not receive certificates unless they have paid for the privilege of being legal entities and presumably been deemed acceptable by some Putin-appointed bureaucrat. So, in Russia, propaganda now reigns supreme, and personal websites in Russia may be a thing of the past.

Naturally, western browsers like Chrome and Firefox ignored Russian certificates and continued to throw up scary warnings when Internet users tried to go to the websites of Russian businesses whose certificates had expired. Russia likely did not care too much. The Russian search engine company, Yandex, has its own browser for the Russian people to use, and it accepts the new Russian certificates. I had been wondering for months why the Cheapskate's Guide has been seeing so much traffic from Yandex. Now, I suspect I know.

The irony of the repercussions of this should not escape readers of this article. For the first month of the war, the withholding of TLS certificates from Russian businesses strongly incentivised the Russian people to drop every western browser and use only Yandex's. Russia already had its own alternative Domain Name System (DNS). Thanks to the Biden administration, Russia now has its own TLS certificate issuing authority free from the control of western politicians, and for over a month the Russian people were essentially forced to use it to go to many of their favorite Russian websites. This is one more brick in the wall that Putin has been erecting for years to isolate Russia from the rest of the Internet. Western politicans' prohibition of TLS certificate issuing authorities from doing business in Russia merely handed him the power to more completely isolate Russia from the rest of the world's Internet. This made Russians even less likely to see news from western news sources and respond by putting pressure on Putin to withdraw from the Ukraine. Fortunately, the Biden administration was intelligent enough to see its mistake and take steps to correct it.

In other countries, governments have also grabbed more or less control of the TLS certification process. This was inevitable. Wherever power or authority exist in the world, a government will step in to tax and control it. That is what governments do. The EU Parliament has proposed an amendment to Article 45, which reads, "In order to ensure that users can identify who is behind a website, Article 45 is amended to require providers of web browsers to facilitate the use of qualified certificates for website authentication." Qualified Certificates for Website Authentication, otherwise known as QWAC's, would be issued by government Trust Service Providers (TSP's, or QTSP's). As an Electronic Frontier Foundation letter to EU regulators points out, “The Digital Identity framework mandates browsers accept QWACs issued by Trust Service Providers, regardless of the security characteristics of the certificates or the policies that govern their issuance”. In other words, the EU government would be effectively replacing the current thoroughly flawed certification process with its own thoroughly flawed certification process. The regulation of TSP's has been planned for years as part of the 2014 EU Regulation 910, which reads in part:

(30) Member States should designate a supervisory body or supervisory bodies to carry out the supervisory activities under this Regulation. Member States should also be able to decide, upon a mutual agreement with another Member State, to designate a supervisory body in the territory of that other Member State.

(31) Supervisory bodies should cooperate with data protection authorities, for example, by informing them about the results of audits of qualified trust service providers, where personal data protection rules appear to have been breached. The provision of information should in particular cover security incidents and personal data breaches.

(32) It should be incumbent on all trust service providers to apply good security practice appropriate to the risks related to their activities so as to boost users’ trust in the single market.

(33) Provisions on the use of pseudonyms in certificates should not prevent Member States from requiring identification of persons pursuant to Union or national law.

The verbiage above means that a new EU bureaucracy will be put in place to oversee and inspect the current TLS-certificate-issuing authorities to make sure they do as they are told. This is partly so that, in the future, should EU politicians decide to levy exorbitant taxes on all websites hosted in the EU or on all owners of websites who live in the EU, the bureaucracy will be in place to enforce it, and the individuals to be taxed will already have been identified. I will not even mention the other political goals implied by, "... so as to boost users’ trust in the single market".

Once this system has been put in place, not only can website owners be identified and taxes be collected, but the EU government will have direct control over which websites are prohibited from receiving certificates and for what reasons. Blocking the issuance of TLS certificates to certain websites will then be accomplished by bureaucratic policy rather than by court order.

Note that EU countries have in the past issued TLS certificates directly, but the work required was apparently too much for government workers, so they have offloaded the work to the private sector. The Dutch government was the last to transfer its TLS issuing authority, which it did at the end of 2021.

Readers might naturally ask, "But, you don't live in the EU. Why do you care?" I am glad you asked (even though I did it for you). I care because when government control of the Internet is enabled by centralised systems like the ones that issue TLS certificates, register domain names, and run domain name servers, they are ripe for manipulation for political purposes that have nothing to do with the protection of Internet users or website owners. Centralised systems allow the smooth functioning of the Internet to be interfered with by any country's government, including the US government. This can and does occur in part because we ignored all the warnings about the consequences of creating yet another centralised authority-driven system for distributing TLS certificates. Instead, we put in place another authority that potentially has the power to control which websites normal Internet users are allowed see, without actually ensuring the safety of Internet users. All this has really done is hand politicians more power to further splinter the Internet across national boundaries, force website owners to pay certificate taxes, and abuse the Internet for any reason they wish.

Will Google, Mozilla, and the other browser developers see the writing on the wall and stop the TLS certificate madness? I predict they will not. I hope I am wrong, but I doubt it. Now that they have shown governments how to take control of the Internet, it may even be too late to turn back to a more free-speech-promoting and effective method of protecting Internet users. I have always feared that centralised systems invented by corporations to control Internet users would eventually be co-opted by governments to take away our privacy and free speech on the Internet. This is happening in places like North Korea, Russia, and China, but it is also happening at a slower pace everywhere else.

If you have found this article worthwhile, please share it on your favorite social media. You will find sharing links at the top of the page.