Everyone is familiar with this scenario: you want to browse onto a particular website but instead a message pops up warning you that the security certificate of the site is no longer valid. What do you do now? Continue?
A security certificate is a digital file that proves that a specific cryptographic key belongs to a specific identity, thereby it serves two important functions: First, the certificate is used to authenticate the ‘identity’ of the sender of information, e.g., the server one is connecting to. Second, it enables data encryption used for secure web transactions. Those certificates are issued by so-called Certificate Authorities (CA) and must be extended every few months. By clicking on the locker icon often found in front of the website address (e.g. in the Chrome browser) one can find out more information about the certificate itself.
Thus, if an error message shows up this means that the digital certificate is not valid. In other words, the browser does not know whether the web page it directs us to belongs to the alleged page owner or not. Therefore, the page could potentially belong to any malicious page owner. There is no way to be certain where one has landed. In the best-case scenario, we land on the page of the ‘actual’ page owner who merely has forgotten to extend the certificate. In the worst-case scenario, we land on a page we assume belongs to a particular e-banking or e-commerce site and transmit valuable financial information. After accepting the invalid certificate, since the communication is protected (HTTPS) the user has a fake feeling of being secure, though it might be securely communicating with the attacker. Thus, if an error message shows up, it is probably a good idea to avoid that website. But how does the average user actually proceed in real life?
A web browser running on Windows will usually give the user a warning notice and let him choose to ‘proceed anyway’. Basically the user – assumingly not a cybersecurity expert – will be given a free choice to trust or not to trust the site with an invalid security certificate. He will have to weigh the potential harms of proceeding to an untrusted site against the gains the correct website gives him. This seems unreasonable especially in light of the lack of knowledge most users have when it comes to cybercrime respectively cybersecurity.
It might be called paternalistic – or libertarian paternalism – to demand that users are not given access to sites which have not been certified by a trusted CA. Yet, to give user a choice of whether to trust a page – which no one has verified at this point – seems to be more like passing on the responsibility to the hands of the less informed party. If not even data security experts know whether or not a site can be trusted, how can users know let alone make an informed decision?
This being said, this post is just a food for thought… Maybe end-users should be given less options; while at the same time modifications for experts or more tech savvy users could still remain possible. In the end, it would make sense if data security specialists would work more closely together with regulators when it comes to issues of trust online.