US-CERT Cyber Security Tip ST05-010 -- Understanding Web Site Certificates


                         Cyber Security Tip ST05-010
                     Understanding Web Site Certificates

   You may have been exposed to web site, or host, certificates if you have
   ever clicked on the padlock in your browser or, when visiting a web site,
   have been presented with a dialog box claiming that there is an error with
   the name or date on the certificate. Understanding what these certificates
   are may help you protect your privacy.

What are web site certificates?

   If an organization wants to have a secure web site that uses encryption, it
   needs to obtain a site, or host, certificate. There are two elements that
   indicate that a site uses encryption (see Protecting Your Privacy for more
   information):
     * a closed padlock, which, depending on your browser, may be located in
       the status bar at the bottom of your browser window or at the top of the
       browser window between the address and search fields
     * a URL that begins with "https:" rather than "http:"

   By making sure a web site encrypts your information and has a valid
   certificate, you can help protect yourself against attackers who create
   malicious sites to gather your information. You want to make sure you know
   where your information is going before you submit anything (see Avoiding
   Social Engineering and Phishing Attacks for more information).

   If a web site has a valid certificate, it means that a certificate authority
   has taken steps to verify that the web address actually belongs to that
   organization. When you type a URL or follow a link to a secure web site,
   your browser will check the certificate for the following characteristics:
    1. the web site address matches the address on the certificate
    2. the certificate is signed by a certificate authority that the browser
       recognizes as a "trusted" authority

   If the browser detects a problem, it may present you with a dialog box that
   claims that there is an error with the site certificate. This may happen if
   the name the certificate is registered to does not match the site name, if
   you have chosen not to trust the company that issued the certificate, or if
   the certificate has expired. You will usually be presented with the option
   to examine the certificate, after which you can accept the certificate
   forever, accept it only for that particular visit, or choose not to accept
   it. The confusion is sometimes easy to resolve (perhaps the certificate was
   issued to a particular department within the organization rather than the
   name on file). If you are unsure whether the certificate is valid or
   question the security of the site, do not submit personal information. Even
   if the information is encrypted, make sure to read the organization's
   privacy policy first so that you know what is being done with that
   information (see Protecting Your Privacy for more information).

Can you trust a certificate?

   The level of trust you put in a certificate is connected to how much you
   trust the organization and the certificate authority. If the web address
   matches the address on the certificate, the certificate is signed by a
   trusted certificate authority, and the date is valid, you can be more
   confident that the site you want to visit is actually the site that you are
   visiting. However, unless you personally verify that certificate's unique
   fingerprint by calling the organization directly, there is no way to be
   absolutely sure.

   When you trust a certificate, you are essentially trusting the certificate
   authority to verify the organization's identity for you. However, it is
   important to realize that certificate authorities vary in how strict they
   are about validating all of the information in the requests and about making
   sure that their data is secure. By default, your browser contains a list of
   more than 100 trusted certificate authorities. That means that, by
   extension, you are trusting all of those certificate authorities to properly
   verify and validate the information. Before submitting any personal
   information, you may want to look at the certificate.

How do you check a certificate?

   There are two ways to verify a web site's certificate in Internet Explorer
   or Firefox. One option is to click on the padlock icon. However, your
   browser settings may not be configured to display the status bar that
   contains the icon. Also, attackers may be able to create malicious web sites
   that fake a padlock icon and display a false dialog window if you click that
   icon. A more secure way to find information about the certificate is to look
   for the certificate feature in the menu options. This information may be
   under the file properties or the security option within the page
   information. You will get a dialog box with information about the
   certificate, including the following:
     * who issued the certificate - You should make sure that the issuer is a
       legitimate, trusted certificate authority (you may see names like
       VeriSign, thawte, or Entrust). Some organizations also have their own
       certificate authorities that they use to issue certificates to internal
       sites such as intranets.
     * who the certificate is issued to - The certificate should be issued to
       the organization that owns the web site. Do not trust the certificate if
       the name on the certificate does not match the name of the organization
       or person you expect.
     * expiration date - Most certificates are issued for one or two years. One
       exception is the certificate for the certificate authority itself,
       which, because of the amount of involvement necessary to distribute the
       information to all of the organizations who hold its certificates, may
       be ten years. Be wary of organizations with certificates that are valid
       for longer than two years or with certificates that have expired.
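   The three checks the tip describes (name match, trusted signer, valid
   dates), plus its advice to be wary of lifetimes beyond two years, as an
   added Python example that is not part of the US-CERT tip. SAMPLE_CERT is a
   constructed dictionary in the shape Python's ssl.getpeercert() returns, and
   name_matches, validity_status and fetch_peer_cert are hypothetical helper
   names; the signature check is delegated to the standard library's trust
   store rather than reimplemented.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Jan  1 00:00:00 2007 GMT",
}

def _dns_name_matches(pattern, hostname):
    """One certificate DNS name against the typed host name; only a leftmost '*' label is a wildcard."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or len(h) < 2:
        return False
    if p[0] == "*":
        # '*.example.com' covers 'mail.example.com' but not 'example.com' or 'a.b.example.com'
        return len(h) > 2 and p[1:] == h[1:]
    return p == h

def name_matches(cert, hostname):
    """Check 1: the address you typed must appear among the certificate's DNS names."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # older certificates carried the host name only in the subject commonName
        names = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return any(_dns_name_matches(n, hostname) for n in names)

def validity_status(cert, now):
    """Check 3: is `now` inside [notBefore, notAfter]? Also flag lifetimes over two years."""
    start = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    end = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < start:
        return "not yet valid"
    if now > end:
        return "expired"
    if end - start > timedelta(days=2 * 365 + 1):
        return "valid but lifetime longer than two years"
    return "valid"

def fetch_peer_cert(hostname, port=443):
    """Check 2 lives here: create_default_context() verifies the chain against the OS trust store
    (and the host name) and raises ssl.SSLCertVerificationError on failure. Needs network access."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

   Feeding the dictionary returned by fetch_peer_cert into validity_status
   reproduces, for a live site, the expiry advice given in the list above.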
     _________________________________________________________________

     Authors: Mindi McDowell, Matt Lytle
     _________________________________________________________________

     Produced 2005 by US-CERT, a government organization.

     Note: This tip was previously published and is being
     re-distributed to increase awareness.

     Terms of use

     http://www.us-cert.gov/legal.html

     This document can also be found at

     http://www.us-cert.gov/cas/tips/ST05-010.html

     For instructions on subscribing to or unsubscribing from this
     mailing list, visit 

     http://www.us-cert.gov/cas/signup.html.
