
Certification and Trust: A System in Need of Change

Since FS HOT started back in 2001, we’ve seen the internet evolve in many ways. One of the most significant shifts has been the move from unencrypted (HTTP) to encrypted (HTTPS) web traffic. This is undeniably a positive step forward, as it mitigates threats like man-in-the-middle attacks and packet sniffing, which were rampant in the early 2000s. But as with many technological solutions, the devil is in the details.

The certificate-based model used to secure both websites and software, while helpful in some aspects, is inherently flawed. Let's dig into why the current system doesn't really guarantee trust and explore what needs to change.

Trusted Certificate Authorities: Are They Really Trustworthy?

The system relies on Trusted Certificate Authorities (TCAs), third-party entities responsible for issuing certificates. These certificates, in theory, are supposed to validate that the website or software you’re interacting with is safe and legitimate. But here’s the first problem: there are hundreds of these authorities. Why should we trust them? Many are for-profit, non-elected bodies with little oversight. Their primary objective is to make money, and trust, in their world, can be bought.

In fact, many TCAs have faced serious questions about their legitimacy and how rigorously they vet their clients. In several cases, certificates have been issued to entities that should never have received them, undermining the very concept of "trusted" certification. For example, the Symantec PKI scandal in 2017 saw web browsers revoke trust in Symantec’s certificates due to improper issuance. This incident highlighted the flaws in the system: the very entities tasked with ensuring our security were failing to do their jobs properly.

The Flaw in Software Signing

As I considered signing FS HOT’s software Media Graveyard with a certificate, the flaws in this model became even clearer. Why should I, as a developer of freeware, have to pay to certify my software? When I looked into the reasoning, the answer was that a signed certificate adds an extra layer of trust for the end-user, and operating systems are less likely to flag signed software as suspicious.

But here's where the issue gets murky. If I were a malicious developer, what’s stopping me from buying a certificate and signing malware with it? In fact, this has already happened. Recently, attackers have been caught doing exactly this—signing malicious software with valid certificates. The system is easily gamed because trust is for sale, and the certificate authorities don’t always enforce strict checks on who they’re selling to.

This calls into question the entire premise of certificate-based trust. Just because a piece of software is signed doesn’t mean it’s safe. It’s simply another automated checkmark that the system looks for, not a true indication of security or trustworthiness.

Websites: Encryption Doesn’t Equal Trust

The same logic applies to websites. Just because a site has an encrypted connection, thanks to HTTPS, doesn’t mean it can’t harm you. Encryption only protects the data in transit; it doesn’t mean that the website you’re connecting to is safe or trustworthy. A malicious website could still be running dangerous code or attempting to exploit vulnerabilities on your machine, all while displaying that reassuring padlock symbol in the address bar.

The reality is that certification only offers encryption, which is certainly important, but it doesn’t guarantee safety or ethical behaviour. The padlock simply means the communication channel is secure, not that the site is worthy of your trust.
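To make concrete what the padlock (and, by the same logic, a software signature) actually checks, here is an added example in Go, not code from FS HOT or from any certificate authority. It builds a constructed root CA and a leaf certificate for an invented hostname, then runs the same validation a browser performs. The three verdicts depend only on the issuing chain, the validity period and the name; nothing in the check looks at what the server serves or what the signed program does. The hostnames and the CA name are assumptions made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome records the verdicts a TLS client's certificate check produces for
// one constructed leaf certificate. None of them depends on site behaviour.
type Outcome struct {
	TrustedChainAndName bool // trusted issuer and matching name: the padlock case
	WrongName           bool // same certificate presented for a different hostname
	UntrustedIssuer     bool // same certificate, but the client trusts no root for it
}

// newCert signs template under parent (self-signed when parent == template).
func newCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildChain creates a constructed root CA (invented for this example) and a
// leaf certificate for hostname, exactly as a real CA would issue one.
func buildChain(hostname string) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err = newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname}, // the only identity claim the client checks
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = newCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	return ca, leaf, nil
}

// clientAccepts is the browser-style check: chain to a trusted root, validity
// period, hostname match. There is no input for "is this site safe".
func clientAccepts(roots *x509.CertPool, leaf *x509.Certificate, hostname string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err == nil
}

// Evaluate runs the three verdicts for one constructed chain.
func Evaluate(hostname, otherHost string) (Outcome, error) {
	ca, leaf, err := buildChain(hostname)
	if err != nil {
		return Outcome{}, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // this is all "trusting a CA" means: adding it to the root store
	return Outcome{
		TrustedChainAndName: clientAccepts(trusted, leaf, hostname),
		WrongName:           clientAccepts(trusted, leaf, otherHost),
		UntrustedIssuer:     clientAccepts(x509.NewCertPool(), leaf, hostname),
	}, nil
}

func main() {
	out, err := Evaluate("shop.example.test", "bank.example.test")
	fmt.Printf("%+v err=%v\n", out, err)
}
```

The first verdict is true and the other two are false, whatever the certificate holder intends to do with the connection: the check proves that a CA the client trusts vouched for the name, and nothing more. That is why a green padlock on a phishing page and a valid signature on malware are both possible without any check "failing".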

The Role of Free Certificates: A Step in the Right Direction

Luckily, we’re seeing some progress with the availability of free certificates, such as those provided by Let's Encrypt. Let's Encrypt has been revolutionary in democratising web security by offering free, automated, and open certificate issuance to website owners. This shift has made it easier for small websites (like FS HOT) to secure their traffic without paying yearly fees. FS HOT uses these short-lived certificates because, at the end of the day, all that’s truly needed is encryption.

However, while free certificates are readily available for websites, the software certification landscape is still largely dominated by paid models. It remains difficult for developers, especially those offering freeware or open-source projects, to justify the cost of signing their software. This points to a broader need for the availability of free certification in all areas of internet security—not just web traffic.

A Conflict of Interest: When Trust is for Profit

At the heart of the problem is a conflict of interest within these for-profit certificate authorities. Their focus is not necessarily on keeping the web safe but on making money, and this can lead to dangerous outcomes. If trust is something you can buy, then it ceases to be trust at all. As users, we are putting faith in a system that prioritises revenue over rigorous vetting.

By treating certification as a paid commodity, we open the door for malicious actors to exploit the system. And, as we’ve seen, they do. The process for acquiring a certificate can often be lax, allowing malicious websites and software to carry the same “trusted” label as legitimate ones.

A Decentralised Trust Model: The Future of Certification?

So, what’s the alternative? One potential solution could lie in a decentralised trust system, where trust is earned, not bought. Instead of relying on for-profit authorities to vouch for a website or piece of software, we could move toward a system where individuals or communities validate trust. Imagine a model where users, developers, and communities hold their own certificates and use them to vouch for the authenticity of websites and software, creating a web of trust based on peer-to-peer verification.

This model could be inspired by systems like the Web of Trust used in PGP encryption, or blockchain technologies, where trust is decentralised and built on transparent, user-driven consensus. Such a system would prevent bad actors from simply buying their way into being trusted, and instead, force them to earn trust over time.
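To show how "earned, not bought" trust can be computed, here is an added example in Go of a simplified PGP-style web of trust. It is not FS HOT's code and not a real PGP implementation; the names, trust assignments and signatures are constructed for the example. Each participant assigns "owner trust" to the introducers they personally rely on, and a key becomes valid only when vouched for by one fully trusted valid key or by enough marginally trusted valid keys. A newcomer who merely signs their own sock-puppet key never acquires a trust path.

```go
package main

import "fmt"

// Trust is how far we rely on a key holder as an introducer (PGP's "owner trust").
type Trust int

const (
	TrustNone     Trust = iota // we do not rely on their vouching at all
	TrustMarginal              // their vouching counts only together with others
	TrustFull                  // their vouching alone is enough
)

// WebOfTrust is a constructed, simplified model of the PGP scheme.
type WebOfTrust struct {
	OwnerTrust      map[string]Trust    // assigned by us, never by the key holder
	VouchedBy       map[string][]string // key -> keys that signed (vouched for) it
	MarginalsNeeded int                 // marginal introducers required for validity
}

// ValidKeys computes the fixed point of key validity, starting from our own key.
func (w WebOfTrust) ValidKeys(self string) map[string]bool {
	valid := map[string]bool{self: true}
	for changed := true; changed; {
		changed = false
		for key, signers := range w.VouchedBy {
			if valid[key] {
				continue
			}
			full, marginal := 0, 0
			for _, s := range signers {
				if !valid[s] { // a signature from an unvalidated key carries no weight
					continue
				}
				switch w.OwnerTrust[s] {
				case TrustFull:
					full++
				case TrustMarginal:
					marginal++
				}
			}
			if full >= 1 || marginal >= w.MarginalsNeeded {
				valid[key] = true
				changed = true
			}
		}
	}
	return valid
}

// ExampleWeb is constructed sample data: fshot is us; alice is a fully trusted
// introducer, bob and carol are marginal ones. dave is vouched for by two
// marginal introducers, erin by only one, and mallory only by a sock puppet.
func ExampleWeb() WebOfTrust {
	return WebOfTrust{
		OwnerTrust: map[string]Trust{
			"fshot": TrustFull, "alice": TrustFull, "bob": TrustMarginal, "carol": TrustMarginal,
		},
		VouchedBy: map[string][]string{
			"alice":        {"fshot"},
			"bob":          {"fshot"},
			"carol":        {"fshot"},
			"dave":         {"bob", "carol"},
			"erin":         {"bob"},
			"mallory":      {"mallory-sock"},
			"mallory-sock": {"mallory"},
		},
		MarginalsNeeded: 2,
	}
}

func main() {
	fmt.Println(ExampleWeb().ValidKeys("fshot"))
}
```

With this data alice, bob, carol and dave come out valid; erin and mallory do not. The important property is that trust assignments live on the verifier's side, so the only way into the valid set is for people who are already trusted to vouch for you.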

Educating the User: The Key to Fixing the System

Another part of the solution lies in user education. Many users falsely believe that a padlock equals safety or that signed software is inherently trustworthy. The reality is far more complex, and without better public awareness, these flawed assumptions will continue to be exploited.

Website owners and software developers need to take on the responsibility of educating their users. This could be done through clearer communication about what certifications and encryption actually guarantee (and what they don’t). Additionally, platforms like FS HOT’s Tech Zone can play a crucial role in demystifying these concepts for a broader audience, helping users make more informed decisions.

Conclusion: Trust Must Be Earned, Not Bought

Ultimately, the certification model as it stands today is fundamentally flawed. When trust can be bought, it becomes meaningless. Real trust is something that is earned through transparency, ethical behaviour, and peer validation. Moving forward, we need a system that reflects this reality—a system where both individuals and organisations must prove their trustworthiness, rather than simply purchasing it.

In a world where cybersecurity threats are constantly evolving, we can’t afford to rely on a model that places trust in the hands of profit-driven authorities. Decentralised, peer-based trust models could be the answer, offering a safer, more democratic internet for all.
