I don't know whether the friends following our official account have ever seen a "Digital Security Certificate" pop-up back when they cut class, hit the Internet cafe and browsed "learning" websites in IE. Or whether anyone still remembers that WeChat and QQ originally supported logging in from a web version, but later stopped maintaining it, partly because of how insecure the HTTP protocol is.


These two things, which seem unrelated, both come down to today's protagonist: the SSL certificate.
Here is how it started. A while ago Tony saw a post online that made me uneasy.
It claimed that high-priced SSL certificates are an outright Internet scam, and a hugely profitable industry with a profit margin of 49,000%...

For readers who don't follow the Internet closely: the SSL certificate in question has long been standard equipment for the modern web.
Think of it as a website's ID card. It binds the site's domain name to a public key, so your browser can confirm that the site you are talking to really is the one you typed in, and can then encrypt the session so that nobody in between can read or alter it.

In fact, we deal with SSL certificates every day. If you don’t believe it——
Open the browser on your computer right now and go to Baidu. Notice the little lock icon next to the address bar? It means "Connection Secure". (Recent versions of Chrome have swapped the lock for a plain settings icon, but the meaning is the same.)

Click through to "Certificate Valid" and you will see the SSL certificate Baidu is using.

When a browser opens a website, it first checks the site's digital certificate: is it issued, through an unbroken chain of signatures, by a certificate authority (CA) that the browser or operating system trusts; does the domain name in the certificate match the domain name being visited; and is the certificate still within its validity period and not revoked?
If any of these checks fails, the browser interrupts the connection and shows a full-page warning that "your connection to this site is not secure".
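As an added example (not code from the original article), here are the name and validity checks from the list above written out in Python over certificate data in the dict shape that the standard library's `ssl` module returns from `getpeercert()`. The sample certificate, its issuer name and the host names are constructed for the example. The remaining check, that the chain leads to a trusted root, is what `ssl.create_default_context()` does against the operating system's trust store; `fetch_peer_cert` shows that call but needs network access, so the offline demo never runs it. Revocation is deliberately left out, since browsers handle it with CRLs, OCSP or their own revocation lists.

```python
import socket
import ssl
import time

# Constructed sample certificate in the dict shape getpeercert() returns.
# It is not a real certificate; the issuer name is invented for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
}
MID_2024 = ssl.cert_time_to_seconds("Jul 01 00:00:00 2024 GMT")
EARLY_2025 = ssl.cert_time_to_seconds("Feb 01 00:00:00 2025 GMT")


def fetch_peer_cert(host, port=443):
    """The 'trusted issuer' check is delegated to ssl: the default context
    validates the chain against the system trust store and checks the
    hostname, raising ssl.SSLCertVerificationError on failure.  Needs network,
    so the offline demo below never calls it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_matches(pattern, hostname):
    """RFC 6125-style matching as browsers do it: a wildcard is only allowed
    as the entire leftmost label and stands for exactly one label, so
    *.example.com covers www.example.com but not example.com or a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_certificate(cert, hostname, now=None):
    """Name and validity checks over a getpeercert()-shaped dict.
    Returns a list of problems; an empty list means the certificate passes.
    Revocation (CRL/OCSP) is not checked here."""
    problems = []
    now = time.time() if now is None else now

    # Does the certificate name the site being visited?  Modern browsers look
    # only at subjectAltName DNS entries and ignore the subject commonName,
    # so a certificate without SANs is rejected outright.
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not san:
        problems.append("no DNS subjectAltName")
    elif not any(name_matches(p, hostname) for p in san):
        problems.append("hostname %r not covered by %r" % (hostname, san))

    # Validity window.  cert_time_to_seconds understands the
    # "%b %d %H:%M:%S %Y GMT" format that getpeercert() emits.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate not yet valid")
    if now > not_after:
        problems.append("certificate expired")
    return problems


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com", "evil.example"):
        print(host, "->", check_certificate(SAMPLE_CERT, host, now=MID_2024) or "OK")
    print("after expiry ->", check_certificate(SAMPLE_CERT, "example.com", now=EARLY_2025))
```

The `now` parameter exists so the checks can be exercised at a fixed point in time; a real client uses the current clock, which is also why a badly set system clock produces exactly the "not secure" warning the article describes.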
The certificate pop-up mentioned at the start of the article came from old Internet cafes still running WinXP and Win7: their bundled IE was so old that it could not validate certificates using newer signature algorithms or chaining to root CAs added after the system's last update, so it warned you that your browsing was risky.
The window shown here is not the original pop-up from back then; it is a reproduction attempted by Mr. Isword, a blogger on Bilibili (Station B).

So how did something so apparently righteous turn into a hugely profitable business?
It starts with the HTTP protocol. Tony will keep the story short.
When HTTP was first invented, its job was very simple: move data between the client and the server.
It was also a protocol that "guards against gentlemen but not villains": there was little demand for encryption in the early days, so everything HTTP transmitted went over the wire in clear text.
That means anyone with bad intentions who can see your traffic (someone on the same Wi-Fi, or an operator on the path) can read and even modify everything you send and receive, including your login password and the content of the pages you browse.
WeChat and QQ dropping their web versions was partly due to this property of HTTP.

Then, in 1994, Netscape (yes, the Netscape from the computer history books) designed SSL, the Secure Sockets Layer; the first public release, SSL 2.0, shipped in 1995. The browser used the server's public key to encrypt a secret "codebook", only the server's private key could decrypt it, and from then on browser and server held an "encrypted call" that shut third parties out. (Modern TLS 1.3 instead negotiates the secret with ephemeral Diffie-Hellman and uses the certificate's key to sign the exchange, but the idea is the same.)
It is thanks to SSL that surfing the Internet became safer. The evidence that a given SSL connection can be trusted is the SSL certificate used in that connection.
At this point the prefix of the URL in the browser also changes from http to https.

In other words, HTTPS = HTTP + SSL/TLS. (SSL itself has long been deprecated; every modern connection uses its successor, TLS, but "SSL certificate" stuck as the everyday name.) An HTTP connection encrypted with TLS is confidential and tamper-proof between you and the server. Note what the lock does not say: it says nothing about whether the site itself is honest, only that you are talking to whoever legitimately controls that domain.
Just as consumers and merchants need an Alipay as an independent, trusted third party to secure a transaction, there also needs to be a trusted party between the user and the website to vouch: "this SSL certificate was issued by us, so the public key in it really belongs to this domain."
That widely trusted intermediary is the CA.
Only a CA trusted by both the operating system and the browser can issue an SSL certificate that is accepted without a warning.
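As an added example (not code from the original article or from Netscape), the toy script below models the SSL-era exchange described a few paragraphs up, the client encrypting a session secret to the server's public key, together with the CA's role from the paragraphs just above. It uses textbook RSA over fixed Mersenne primes so that it runs with only the standard library; the domain `shop.example`, the three parties and the "certificate" format are all invented for the example, and nothing in it is secure enough to use for real. It shows why the public key has to be vouched for: without a CA signature the client cannot tell the real server's key from an attacker's, and with one the swapped key is rejected.

```python
import hashlib
import secrets

# Constructed toy key material: Mersenne primes 2**k - 1 (k = 31, 61, 89, 107,
# 127, 521 are all prime exponents) and the usual public exponent 65537.
# Textbook RSA with no padding is a teaching toy, NOT something to deploy.
E = 65537
DOMAIN = "shop.example"   # hypothetical site


def rsa_keygen(p, q):
    """Return (public, private) textbook RSA keys as (modulus, exponent)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def rsa_apply(key, m):
    n, exp = key
    assert 0 <= m < n, "value must be smaller than the modulus"
    return pow(m, exp, n)


def digest_int(*parts):
    """128-bit integer hash, small enough for every toy modulus above."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def ca_issue(ca_priv, domain, pubkey):
    """Toy certificate: the domain, the site's public key, and the CA's
    signature binding the two together."""
    return (domain, pubkey, rsa_apply(ca_priv, digest_int(domain, pubkey)))


def ca_verify(ca_pub, cert, expected_domain):
    domain, pubkey, sig = cert
    return domain == expected_domain and rsa_apply(ca_pub, sig) == digest_int(domain, pubkey)


def session_key(secret):
    """Both ends derive the symmetric "codebook" for the session from the secret."""
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()[:16]


def client_hello(cert, ca_pub, domain=DOMAIN):
    """Client side of the SSL-era exchange: (optionally) verify the
    certificate, then encrypt a fresh secret to the public key it carries.
    Returns (ciphertext, derived key), or None where a browser would warn."""
    if ca_pub is not None and not ca_verify(ca_pub, cert, domain):
        return None
    secret = secrets.randbits(127)
    return rsa_apply(cert[1], secret), session_key(secret)


def make_parties():
    ca_pub, ca_priv = rsa_keygen((1 << 127) - 1, (1 << 521) - 1)
    srv_pub, srv_priv = rsa_keygen((1 << 61) - 1, (1 << 89) - 1)
    mal_pub, mal_priv = rsa_keygen((1 << 107) - 1, (1 << 31) - 1)
    return (ca_pub, ca_priv), (srv_pub, srv_priv), (mal_pub, mal_priv)


def honest_handshake():
    """No attacker: the client verifies the CA-signed certificate and both
    ends derive the same key."""
    (ca_pub, ca_priv), (srv_pub, srv_priv), _ = make_parties()
    cert = ca_issue(ca_priv, DOMAIN, srv_pub)
    ciphertext, client_key = client_hello(cert, ca_pub)
    return client_key == session_key(rsa_apply(srv_priv, ciphertext))


def mitm_handshake(verify_with_ca):
    """Mallory sits on the path and swaps the server's public key for her own.
    She holds no CA private key, so the signature field of her certificate is
    just a random number.  Returns the key each party ends up with."""
    (ca_pub, _), (srv_pub, srv_priv), (mal_pub, mal_priv) = make_parties()
    forged_cert = (DOMAIN, mal_pub, secrets.randbits(100))

    result = client_hello(forged_cert, ca_pub if verify_with_ca else None)
    if result is None:                        # verification failed: no session
        return {"client": None, "mallory": None, "server": None}
    ciphertext, client_key = result
    secret = rsa_apply(mal_priv, ciphertext)   # Mallory reads the codebook...
    forwarded = rsa_apply(srv_pub, secret)     # ...and re-encrypts it onward
    server_key = session_key(rsa_apply(srv_priv, forwarded))
    return {"client": client_key, "mallory": session_key(secret), "server": server_key}


if __name__ == "__main__":
    print("honest handshake keys agree:", honest_handshake())
    print("MITM, no CA check:", mitm_handshake(verify_with_ca=False))
    print("MITM, CA check   :", mitm_handshake(verify_with_ca=True))
```

Without the CA check, client and server each believe they have a private "encrypted call", yet Mallory holds the same key and reads everything; that is exactly the situation the certificate exists to prevent, and it is why the browser refuses rather than "trying anyway" when the signature does not check out.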

In other words, becoming a CA has a certain threshold, and that threshold eventually led to a de facto monopoly by a handful of certificate issuers. That is where the huge profits come from.
Open any website selling SSL certificates and you will find the issuers naming their products in every way imaginable, even more confusing than the "Turbo Pro+, Racing Edition" of today's phone market...

Let me sort it out briefly. These certificates basically fall into three categories: Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV). Think of them as the Standard, Pro and Pro Max editions. Naturally the price rises with each step...
According to these SSL certificate sites, a DV certificate only verifies that the domain name belongs to the applicant (typically by having the applicant answer a challenge on the domain, for example a DNS record or a file served from the site).
The higher-level OV and EV certificates require stricter manual review, such as applying with a business license and the legal representative's ID. Some issuers even phone the applicant or conduct on-site inspections, and the verification takes longer.

On top of that, an EV certificate used to make the browser display the company name next to the address bar (the old "green bar"), supposedly reducing the risk of being phished; an entry-level certificate only gets you the small lock, with no company name.

Clearly the industry has noticed how anxious everyone is about security: if you want to be safer, you have to pay more for a higher-grade certificate.
But is that really the case?
First, look closely at these "different security level" certificates. The cryptographic algorithms and key lengths are exactly the same. The validation level is recorded only as a policy identifier inside the certificate; the key type (RSA 2048, ECDSA P-256 and so on) and the TLS cipher suites are chosen independently of it. In other words, at the technical level the encryption strength of a DV, OV and EV certificate is identical...

So the high price of OV/EV certificates is supposedly justified by the extras, such as the "stricter manual review" that many CAs advertise...
But Tony has colleagues who have actually bought SSL certificates, and all I can say is that OV/EV issuance is not necessarily tied to verifying a company's real identity. Whatever extra checks are done are just additional requirements imposed by individual issuers.

One colleague even ran into a situation where he had not given the issuer a business license and had mistyped the company name, and the other side still assured him they could issue it...
This outrageous experience reminds me of the same kind of sloppy work by a CA a few years back:
In 2017, Google found that Symantec, then the largest SSL certificate provider in the industry, had mis-issued more than 30,000 certificates without properly verifying domain ownership.

A CA with the highest credibility of the day, already making good money, was still spraying out certificates... The affair ended with Symantec selling its CA business to DigiCert in 2017, and with Chrome completely distrusting all of Symantec's old roots in 2018.
In 2019, Chrome and Firefox went a step further and simply removed the "show EV certificate in the address bar" feature.

Google said its investigation found that the extended information no longer protected users as intended. The reason is what we said earlier: even a fraudulent outfit, as long as it has a registered company, can still find a way to get an address bar with a company name on it...
Besides, almost everyone uses apps directly now, and an app has no URL bar, so the special indicator of a high-priced SSL certificate is of little use. From this angle, a cheap DV certificate and an expensive OV or EV certificate give you the same security.
So however you look at it, users were paying for nothing while putting up with the CAs' tricks. Hence the post Tony saw at the start of the article, a furious denunciation of high-priced SSL certificates.
In fact, even earlier, another group of people had stepped up to solve the problem:
In 2014, the Internet Security Research Group (ISRG) announced a non-profit project called Let's Encrypt with an ambitious goal: make SSL certificates free and automated.

They were not just talking; the organization's track record is public.
Ten years on from the first free certificates in 2015, the organization has issued more than 500 million certificates, and according to W3Techs its market share now exceeds 60%.

Free certificates have become the mainstream, and Let's Encrypt has naturally eaten into the share of paid certificates, so you will notice the paid SSL certificate industry gradually getting its act together.
For example, facing the competition, some mainstream CAs started cutting prices and even offering free DV certificates; some traditional CAs also learned from Let's Encrypt and began automated issuance and renewal (over the ACME protocol that Let's Encrypt introduced, now an IETF standard). If you can't beat them, join them.

As Let's Encrypt's share grows further, will free certificates completely replace paid ones?
Not necessarily.
Because the certificate issuing industry keeps getting bigger:
On one hand, browsers push HTTPS by default (plain HTTP pages get marked "Not secure"), so almost every site owner has to deploy a certificate.
On the other hand, the growing number of IoT devices creates huge demand for encrypted communication over the public Internet, and thus for certificates, which has become a new source of revenue growth for CAs.
More importantly, compliance reviews for government, financial and medical portals and for some large enterprises effectively force those sites to buy paid OV or EV certificates.
So the real situation today is this: certificate issuers can still make money, but thanks to non-profits like Let's Encrypt, the windfall profits of the past are gone for good.
It is a good thing that everyone is now earning an honest living.