Sunday, May 11, 2014

Certificate Validation

Note: I also have this posted on my web site here.

How can you be certain that the connection to your bank or online vendor is secure? Well, you can't, but there are some simple steps you can take to increase the odds that your connection will be secure.
When you go to a secure web site, your browser will give you some information about the security protocols used, which you can use to judge the level of security provided.

In order to understand this process, it is necessary to understand how public key certificates work. There are many articles available on the subject that go into much more detail (Wikipedia's article can be found here). The important part to know is that anyone can create a certificate and sign it, so you have to know that the certificate is signed by someone you can trust.

This is where things get messy. Currently, your web browser decides whom to trust from a list of certificate authority certificates that comes pre-installed with it. You can create your own certificate and have it signed by one of the companies on that list (usually for a fee). So what it boils down to is this: when you go to a secure web site, your browser says it's secure because a certificate authority, which someone paid to sign the site's certificate, says it's secure.

You may be wondering if it's possible to get one of those companies to sign a fraudulent certificate that you've created. While that is possible in some circumstances, the certification authorities take steps to ensure that when you buy a certificate, you are the owner of the domain that the certificate is for.

Let's take a look at a certificate in the Firefox web browser. To get started, go to a secure web site and click on the lock icon next to the address bar.

Firefox tells you which certificate authority verified the certificate. Click on More Information.

Here you will see some statistics and information about the type of certificate being used. Click on View Certificate.

This is the important part. It tells you everything you need to know about the certificate your browser has decided to trust (or not). If the Common Name (CN) doesn't match the host name in the URL you typed into the address bar, or the current date falls outside the validity dates, your browser will not trust the certificate. If those details are correct, but your browser still doesn't trust the certificate, then the certificate was signed by an authority that your browser doesn't recognize.

Now let's look at a site with an untrusted certificate. If you go to a web site that Firefox doesn't trust, you'll be greeted with this warning:

Click Add Exception, and then you can view the certificate.

I used StartCom to verify my web site, but some versions of Firefox don't recognize it. Notice that Firefox will tell you the reason why it doesn't trust the certificate at the top.

If the certificate isn't signed by a recognized authority and you still want to know if you can trust it, you can compare its fingerprint to a known fingerprint for that web site. Mine is listed at this page. It's recommended, if you're going to do it this way, that you get the fingerprint over the phone, in person, or in some other more secure manner. The last four to six characters should suffice.
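The three checks described above (name matches the host, current date inside the validity dates, signer present in the browser's pre-installed trust list) and the fingerprint comparison, as an added example in Go that is not part of the original post. It uses only the standard library's crypto/x509: it builds its own throwaway CA and site certificate in memory (constructed for the demonstration; "Example Trusted Root" and www.example.com are placeholders, not real authorities or sites), verifies the site certificate the way a browser does against a trust store that does or does not contain the CA, and computes the SHA-256 fingerprint in the colon-separated form Firefox displays. The function and variable names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue signs tmpl with the parent's key, or with its own key when parent is nil (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newTemplate describes a CA or a web site certificate, valid from an hour ago for one day.
func newTemplate(serial int64, name string, isCA bool, now time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // browsers match the Subject Alternative Name, not only the CN
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// Verdict applies the browser's tests (name matches the host, now is inside the validity
// dates, the signature chain ends at a root in the trust store) and names the failure.
func Verdict(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	switch e := err.(type) { // Verify returns these error types unwrapped
	case nil:
		return "trusted"
	case x509.HostnameError:
		return "name mismatch"
	case x509.CertificateInvalidError:
		if e.Reason == x509.Expired {
			return "outside validity dates"
		}
	case x509.UnknownAuthorityError:
		return "unknown issuer"
	}
	return "other: " + err.Error()
}

// FingerprintSHA256 hashes the DER encoding and formats it the way Firefox displays it.
func FingerprintSHA256(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return strings.ReplaceAll(fmt.Sprintf("% X", sum[:]), " ", ":")
}

// Scenario builds a constructed CA and site certificate (not real ones) and returns
// the verdict for each situation the post describes.
func Scenario() (map[string]string, error) {
	now := time.Now()
	ca, caKey, err := issue(newTemplate(1, "Example Trusted Root", true, now), nil, nil)
	if err != nil {
		return nil, err
	}
	site, _, err := issue(newTemplate(2, "www.example.com", false, now), ca, caKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool() // stands in for the browser's pre-installed list
	roots.AddCert(ca)
	return map[string]string{
		"good":           Verdict(site, roots, "www.example.com", now),
		"wrong host":     Verdict(site, roots, "www.example.net", now),
		"expired":        Verdict(site, roots, "www.example.com", now.Add(48*time.Hour)),
		"unknown issuer": Verdict(site, x509.NewCertPool(), "www.example.com", now),
		"fingerprint":    FingerprintSHA256(site),
	}, nil
}

func main() {
	res, err := Scenario()
	fmt.Println(res, err)
}
```

Running it prints "trusted" for the well-formed case and the three warning reasons from the post for the others; the "unknown issuer" case is exactly the StartCom situation, a valid certificate checked by a browser whose trust list lacks the signing CA. To check a real site the same way, pass the certificate the server presented (the first entry of a tls connection's PeerCertificates) to FingerprintSHA256 and compare the result with the value obtained over the phone, ignoring the colons and letter case.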