US-CERT Cyber Security Tip ST05-010 -- Understanding Web Site Certificates

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		       Cyber Security Tip ST05-010
		   Understanding Web Site Certificates

   You may have been exposed to web site, or host, certificates if you
   have ever clicked on the padlock in your browser or, when visiting a
   web site, have been presented with a dialog box claiming that there is
   an error with the name or date on the certificate. Understanding what
   these certificates are may help you protect your privacy.

What are web site certificates?

   If an organization wants to have a secure web site that uses encryption
   (HTTPS, that is, HTTP carried over TLS), it needs to obtain a site, or
   host, certificate. Some steps you can take to help determine if a site
   uses encryption are to look for a closed padlock in your browser (in
   the status bar at the bottom of the window in older browsers, next to
   the address in current ones) and to look for "https:" rather than
   "http:" in the URL (see Protecting Your Privacy for more information).
   By making sure a web site encrypts your information and has a valid
   certificate, you can help protect yourself against attackers who
   create malicious sites to gather your information. Encryption alone
   only protects the data while it travels; it says nothing about who is
   on the other end, and that is what the certificate is for. You want to
   make sure you know where your information is going before you submit
   anything (see Avoiding Social Engineering and Phishing Attacks for
   more information).

   If a web site has a valid certificate, it means that a certificate
   authority has taken steps to verify that whoever requested the
   certificate controls the web address (domain name) it names. Only some
   certificate types (organization- or extended-validation certificates)
   go further and verify the legal organization behind that name. When
   you type a URL or follow a link to a secure web site, your browser
   will check the certificate for the following characteristics:
    1. the web site address matches a name on the certificate
    2. the certificate is signed by a certificate authority that the
       browser recognizes as a "trusted" authority, possibly through a
       chain of intermediate certificates
    3. the current date falls within the certificate's validity period
   Your browser may also check whether the certificate has since been
   revoked by the authority that issued it.

Can you trust a certificate?

   The level of trust you put in a certificate is connected to how much
   you trust the organization and the certificate authority. If the web
   address matches the address on the certificate, the certificate is
   signed by a trusted certificate authority, and the date is valid, you
   can be more confident that the site you want to visit is actually the
   site that you are visiting. However, unless you personally verify that
   certificate's unique fingerprint (a cryptographic hash of the
   certificate, shown in the certificate viewer) against a value you
   obtained some other way, for example by calling the organization
   directly, there is no way to be absolutely sure.

   When you trust a certificate, you are essentially trusting the
   certificate authority to verify the organization's identity for you.
   However, it is important to realize that certificate authorities vary
   in how strict they are about validating all of the information in the
   requests and about making sure that their data is secure. By default,
   your browser contains a list of more than 100 trusted certificate
   authorities, and any one of them can issue a certificate for any web
   site. That means that, by extension, you are trusting all of those
   certificate authorities to properly verify and validate the
   information; a mistake or a compromise at any one of them produces a
   certificate your browser will accept. Before submitting any personal
   information, you may want to look at the certificate.

How do you check a certificate?

   There are two ways to verify a web site's certificate in Internet
   Explorer or Mozilla. One option is to click on the padlock in the
   status bar of your browser window. However, your browser may not
   display the status bar by default. Also, attackers may be able to
   create malicious web sites that fake a padlock icon and display a
   false dialog window if you click that icon: a padlock drawn inside the
   page content is not a padlock at all. (Current browsers show the
   padlock next to the address, in a part of the window that page content
   cannot draw into, and open the certificate viewer from there.) A more
   secure way to find information about the certificate is to look for
   the certificate feature in the menu options. This information may be
   under the file properties or the security option within the page
   information. You will get a dialog box with information about the
   certificate, including the following:
     * who issued the certificate - You should make sure that the issuer
       is a legitimate, trusted certificate authority (you may see names
       like VeriSign, thawte, or Entrust). Some organizations also have
       their own certificate authorities that they use to issue
       certificates to internal sites such as intranets; such a
       certificate is accepted without a warning only on computers where
       that internal authority has been installed as trusted.
     * who the certificate is issued to - The certificate should be
       issued to the organization who owns the web site, and the host
       name you are visiting should appear in the certificate's subject
       or in its list of alternative names. Do not trust the certificate
       if the name on the certificate does not match the name of the
       organization or person you expect.
     * expiration date - Most certificates are issued for one or two
       years (publicly trusted site certificates issued since 2020 are
       limited to 398 days). One exception is the certificate for the
       certificate authority itself, which may be valid for ten years or
       more, because it has to be distributed into every browser's trust
       store and every certificate issued under it depends on it. Be wary
       of organizations with certificates that are valid for longer than
       two years or with certificates that have expired.

   When visiting a web site, you may have been presented with a dialog
   box that claims that there is an error with the site certificate. This
   may happen if the name the certificate is registered to does not match
   the site name, you have chosen not to trust (or your browser does not
   know) the company who issued the certificate, or the certificate has
   expired. You will usually be presented with the option to examine the
   certificate, after which you can accept the certificate forever,
   accept it only for that particular visit, or choose not to accept it.
   The confusion is sometimes easy to resolve (perhaps the certificate
   was issued to a particular department within the organization rather
   than the name on file). Keep in mind, though, that an attacker who
   intercepts your connection and substitutes a certificate of their own
   causes exactly this kind of warning, and that accepting a certificate
   "forever" tells your browser to stop warning you about that site. If
   you are unsure whether the certificate is valid or question the
   security of the site, do not submit personal information. Even if the
   information is encrypted, make sure to read the organization's privacy
   policy first so that you know what is being done with that information
   (see Protecting Your Privacy for more information).
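
   The checks described above (name match, trusted issuer, validity
   period, and the fingerprint for out-of-band comparison) carried out in
   code rather than in a browser dialog, as an added example that is not
   part of the original tip. It uses Go's standard crypto/x509 package,
   which performs the same verification a browser does. It constructs a
   trusted CA, a rogue CA, and three certificates for the made-up host
   www.example.com, then reports the outcomes the tip lists (valid, name
   mismatch, untrusted issuer, expired). All names, keys and dates are
   constructed for the example; the functions newCert, browserCheck,
   fingerprint and verdicts are names chosen here, not browser or Go API
   names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a cert for cn (dns = subject alternative names) valid over
// [notBefore, notAfter]; with parent == nil it is self-signed (a root CA),
// otherwise parentKey signs it, which is how a CA issues a site certificate.
func newCert(cn string, dns []string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Org"}},
		DNSNames:              dns,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// browserCheck does what the tip says the browser does: host matches a name on
// the cert, the chain ends at a CA in roots, and now is inside the validity
// period. The resulting error is mapped to a short verdict string.
func browserCheck(leaf *x509.Certificate, host string, roots *x509.CertPool, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.HostnameError)):
		return "name mismatch"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "untrusted issuer"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired or not yet valid"
	default:
		return err.Error()
	}
}

// fingerprint is the SHA-256 of the certificate's DER encoding: the value a
// certificate viewer shows and the one to compare against a copy obtained
// out of band (the tip's "call the organization directly").
func fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return fmt.Sprintf("%X", sum[:])
}

// verdicts builds a trusted CA, a rogue CA and three certificates for the
// constructed host www.example.com, then checks each situation from the tip.
func verdicts() map[string]string {
	now, year := time.Now(), 365*24*time.Hour
	ca, caKey := newCert("Example Trusted CA", nil, true, now.Add(-year), now.Add(10*year), nil, nil)
	rogueCA, rogueKey := newCert("Rogue CA", nil, true, now.Add(-year), now.Add(10*year), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the browser's trust store, reduced to a single CA
	site := []string{"www.example.com"}
	good, _ := newCert("www.example.com", site, false, now.Add(-time.Hour), now.Add(year), ca, caKey)
	rogue, _ := newCert("www.example.com", site, false, now.Add(-time.Hour), now.Add(year), rogueCA, rogueKey)
	expired, _ := newCert("www.example.com", site, false, now.Add(-2*year), now.Add(-year), ca, caKey)
	return map[string]string{
		"valid":            browserCheck(good, "www.example.com", roots, now),
		"name mismatch":    browserCheck(good, "www.example.net", roots, now),
		"untrusted issuer": browserCheck(rogue, "www.example.com", roots, now),
		"expired":          browserCheck(expired, "www.example.com", roots, now),
	}
}

func main() {
	fmt.Println(verdicts())
}
```

   Run it with "go run"; each entry of the printed map corresponds to one
   of the dialog-box situations above. Note that Verify stops at the
   first failure it meets (validity period before chain building, and the
   host name last), so an expired certificate from an untrusted issuer is
   reported as expired, and fixing one warning can reveal the next.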
   _________________________________________________________________

   Authors: Mindi McDowell, Matt Lytle    
   _________________________________________________________________

    Produced 2005 by US-CERT, a government organization.

    Note: This tip was previously published and is being re-distributed 
    to increase awareness. 
  
    Terms of use
 
    <http://www.us-cert.gov/legal.html>
  
    This document can also be found at
 
    <http://www.us-cert.gov/cas/tips/ST05-010.html>
 

    For instructions on subscribing to or unsubscribing from this
    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
     
     
     

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBSCsj0/RFkHkM87XOAQJhqAf/UC9YCLeYqJD8JcQXPIVldUoePjP9SHrI
JglAmYqxfzptQu0xDGewpsiSF/O7Dre0Q4onLyZJOUggVSYp53+pSMsg6baFLxsj
0z57qsx59kOuhHR4e04+bagxS4Gqp1CJkXhfdWphYexClHC5vO7j+himWldwWtYo
938+3jZPobjVi+aifd0ojDdxQ6Co5klH0h7BKcQ80D1yXGdPilhKlWL9OYkgrsC0
Lus+KAa7HOpBaBvbYQ4FA6PYFzucafzGoob6xmt5WxlEKDOWgpdPihhjxBZG/P7a
hKB73qgB+ydzokrd8nE2v91Eio9a20VBhnYkbkqvvmCfM3RZmv/b8A==
=dyW1
-----END PGP SIGNATURE-----
