Website certificates – Browser manufacturers undermine consumer protection

Shorter lifetimes for certificates since September: Profiteers are offers with a low security level.

  • Shorter lifetimes for certificates since September: Profiteers are offers with a low security level
  • Browser manufacturers yet to recognize the EU’s qualified website certificate
  • Example of Europe’s lack of digital sovereignty
  • New certificate types could have largely prevented the fraud with phishing websites that took place to obtain corona emergency assistance

Berlin, 21 September 2020 – In September, new, shorter lifetimes were introduced for TLS certificates which are used to protect websites. These maximum validity period for these certificates is now limited to 13 months (397 days). Browser manufacturers expect this change to bring greater security. However, Dr. Kim Nguyen, CEO of D‑TRUST, a Bundesdruckerei company and provider of digital certificates, is sceptical: “Shorter lifetimes for website certificates can in fact lead to greater uncertainty on the net: A shorter validity period for all types of certificates and the additional effort required make TLS certificates with identity validation less attractive.” Just how important their contribution is for secure online communication can be seen in the fraud that took place with applications for corona emergency assistance in the spring of this year. Identity-validated certificates would have very likely prevented this misuse: According to Dr. Nguyen, the certificate information displayed would have shown applicants whether they were on a trusted government website – or on a phishing site operated by fraudsters. Dr. Nguyen also points out the political dimension of shortening certificate lifetimes: “When it comes to Internet security, Europe relies on certificates that undergo a thorough identity check and have a high level of legal validity – but the shorter lifetime now required will mainly benefit offers with a low security level; for users, this means weaker consumer protection.”

Browser manufacturers behind the shortening

The decision to shorten the validity period of TLS certificates was made by the CA/Browser Forum in July 2020. The forum is a platform for the exchange of information between certificate users – for instance, major browser manufacturers in the US - and the so-called Certificate Authorities (CA) that issue certificates. Initially pushed by a single browser manufacturer, the entire forum has turned to this course under strong pressure from other browser providers. “D‑TRUST, as a European CA, is affected by the shortened lifetime: We see ourselves as providers of certificates with the highest security levels, i.e. with extensive identity validation – these are now becoming less attractive for users," explains Dr. Nguyen.

D‑TRUST’s focus is on organization-validated and extended validated certificates with identity information (OV, EV and QWAC certificates). The identity of the website operator is thoroughly checked for these certificates. This requires more work that must now be carried out at ever shorter intervals. Although automated processes can avoid the additional work required of website operators with the shorter lifetime, this can usually only be implemented by companies with specialized IT departments or service providers. There is therefore a risk that due to this additional work users will be likely to resort to so-called domain-validated certificates where the identity of the applicant is not validated during the application process.

Study contradicts the arguments put forward by browser providers

When it comes to Internet security, browser manufacturers concentrate on the technical aspects with the focus being on encrypted data transfer between websites and the Internet user's computer. According to browser manufacturers, shorter lifetimes generally reduce the window of time during which TLS certificates can be compromised or misused. In the long term, browser manufacturers hope that they will be able to do without certificate validation altogether in order to accelerate the speed of their browsers. However, according to Dr. Nguyen, this increases the risk of users falling prey to phishing attacks.

This argument is supported by a recent study by RWTH Aachen University. Their results clearly show that in addition to technical measures, identity validation for certificates is also needed to achieve a high level of Internet security. According to the study, 49.4 percent of phishing websites discovered in 2018 used the HTTPS protocol. HTTPS websites transmit data in encrypted form, thus signalling security to the user. Encryption alone is therefore not a characteristic of secure websites. Nor did the analysis confirm that shorter certificate lifetimes improve security. On the contrary, the average validity period of secure websites is 412 days longer than that of fake websites, which is 252 days. There is also a clear result for the selected method of identity verification: 84.6 percent of phishing attacks are carried out via websites that either contain only DV certificates or no certificates at all. In contrast, only 0.4 percent of fake websites had an EV certificate with extensive identity verification.

More European independence from browser manufacturers

The European Commission therefore defined the qualified website certificate (QWAC) as early as 2014 in its regulation on electronic identification and trust services. The aim is to establish secure and trusted electronic communication throughout Europe.

However, browser manufacturers do not yet recognize QWACs: These particularly secure website certificates are neither processed nor displayed in the browser. On top of that, we now have shorter certificate lifetimes which reinforce the trend towards certificates without proof of identity. “The approach adopted by Google and Co. in their handling of website certificates shows that digital security infrastructures in Europe are heavily dependent on browser manufacturers,” says Dr. Nguyen.

It is much more important to strengthen Europe’s digital sovereignty. Browser manufacturers must finally support the processing and display of QWACs. It would also be important to reliably visualize the security status of QWACs, for example, using the EU Trust Mark logo. These proposed solutions are also supported by the digital association Bitkom, which recently published a comprehensive position paper on the topic.

More information about the different types of certificates as well as an info graphic can be found here.