Relevant Items

Should SSL Certificates Be Free | BLOG

October 3, 2017

Part 1 of 3

In this digital world, our presence is not limited to the physical space we occupy: it is potentially everywhere.

Whether connected through our phones or computers, or via dormant social media profiles, it is possible that some form of you is always connected to a network.

With so much of our lives taking place online, the technology in place to protect our data and make the Internet a safe and trusted environment has evolved to meet most of our security needs. For more than a decade, free SSL/TLS offerings have been available from reputable Certification Authorities, however, these have gone more mainstream in recent times as awareness around SSL/TLS Certificates and cybersecurity has grown.

SSL/TLS Certificates are the most common cybersecurity technology in use today. With over one billion websites on the Internet, and the number of SSL/TLS Certificates issued in the millions, the question has been raised as to whether or not the secure links created by SSL/TLS Certificates should be mandatory, and thus free.

The value of your personal data is worth much less than you think it is on the black market…

In order to understand the virtues that go into protecting websites and the sensitive data transmitted within them, it’s important to have a grasp on just how much data there is on the Internet, and as a result, how relatively cheap personal information is worth to a hacker.

It takes a lot of data theft to make a living as a hacker…

Recent estimates made by Cisco indicate that in 2016 global IP traffic will reach 1.1 zettabytes (1 ZB = 107 bytes) and increase nearly threefold in the next five years. That’s a lot of data to attempt to steal. [1]

The dollar amount of stolen data, as a whole, is staggering. A recent study by TrendMicro broke this data down into smaller segments, providing the per-transaction value of various data items on the Brazilian, Chinese and Russian black markets. [2] The per-transaction dollar value of data such as full credit card credentials and lists of mobile phone numbers was found to be as low as US$4 for a set of credit card credentials in Russia, and US$ 35-135 in Brazil.

A research report written in 2009 by Microsoft explains why the underground data economy is chalk-full of such low per-transaction prices for data. Although the report is eight years old, the economic analysis is still valid. The report states [3]:

The underground economy is often painted as an easy money criminal Utopia where even those without skills can buy what they need and sell what they produce. They can buy phishing kits, rent hosting services and then profitably sell the credentials they produce on IRC channels. This picture does not withstand scrutiny. The IRC [Incremental Risk Charge] markets on the underground economy represent a classic example of a market for lemons. The rippers who steal from other participants ensure that buying and selling is heavily taxed.

The added costs of doing business in this criminal space, much like non-digital black markets, reduces the profitability and stability of data-theft ventures, which once again increases the need for more and more targets to be breached in order to increase revenue streams. Evidently, the personal impact of breached data is much more impactful on the person being breached than the monetary value to the hacker, as the data below shows.

So if it takes a lot of data theft to make for a hacker to truly profit from their efforts, then a lot of attempts at stealing data are going to be made. It’s the natural consequence of the economy of black market data being made up of such low-value individual pieces of information. There is so much out there that the perceived obtainability of data is something to desire for anyone with the ability to hack through whatever security is between them and your private information.

So how can we maintain trust in a digital world? Shouldn’t we just equip everyone with the necessary security tools so that no one is left stranded, or does this present security risks in itself?

These questions will be answered in Part 2 of this series and during my presentation at BSides Ottawa 2017

Up Next: The most valuable asset to a harmonious digital world is trust in that world.

 

By Stephen Demone, Content Development Specialist

Stephen Demone is a Content Developer at Entrust Datacard where he specializes in digital certificate technology. An avid storyteller, Stephen has applied his love of writing to developing content that teaches, informs and sometimes challenges convention. Stephen graduated from the University of Ottawa Telfer School of Management  in 2009 and joined the Entrust Certificate Services division shortly thereafter. 

 

REFERENCES

[1] http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-index-vni/vni-hyperconnectivity-wp.html]

[2]https://www.secureworks.com/~/media/Files/US/Reports/SecureWorksSECO2123NUndergroundHackerMarketplace.ashx

[3] Nobody Sells Gold for the Price of Silver: Dishonesty, Uncertainty and the Underground Economy. http://research.microsoft.com/pubs/80034/nobodysellsgoldforthepriceofsilver.pdf