CERT mailing list archives

Previous By Date Next
Previous By Thread Next

Cyber Security Tip ST05-010 -- Understanding Web Site Certificates

From: US-CERT Security Tips <security-tips () us-cert gov>
Date: Wed, 23 Jun 2010 13:41:48 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                         Cyber Security Tip ST05-010
                     Understanding Web Site Certificates

   You may have been exposed to web site, or host, certificates if you have
   ever clicked on the padlock in your browser or, when visiting a web site,
   have been presented with a dialog box claiming that there is an error with
   the name or date on the certificate. Understanding what these certificates
   are may help you protect your privacy.

What are web site certificates?

   If an organization wants to have a secure web site that uses encryption, it
   needs to obtain a site, or host, certificate. There are two elements that
   indicate that a site uses encryption (see Protecting Your Privacy for more
   information):
     * a closed padlock, which, depending on your browser, may be located in
       the status bar at the bottom of your browser window or at the top of the
       browser window between the address and search fields
     * a URL that begins with "https:" rather than "http:"

   By  making  sure  a web site encrypts your information and has a valid
   certificate, you can help protect yourself against attackers who create
   malicious sites to gather your information. You want to make sure you know
   where your information is going before you submit anything (see Avoiding
   Social Engineering and Phishing Attacks for more information).

   If a web site has a valid certificate, it means that a certificate authority
   has taken steps to verify that the web address actually belongs to that
   organization. When you type a URL or follow a link to a secure web site,
   your browser will check the certificate for the following characteristics:
    1. the web site address matches the address on the certificate
    2. the certificate is signed by a certificate authority that the browser
       recognizes as a "trusted" authority

   If the browser senses a problem, it may present you with a dialog box that
   claims that there is an error with the site certificate. This may happen if
   the name the certificate is registered to does not match the site name, if
   you have chosen not to trust the company who issued the certificate, or if
   the certificate has expired. You will usually be presented with the option
   to examine the certificate, after which you can accept the certificate
   forever, accept it only for that particular visit, or choose not to accept
   it. The confusion is sometimes easy to resolve (perhaps the certificate was
   issued to a particular department within the organization rather than the
   name  on  file). If you are unsure whether the certificate is valid or
   question the security of the site, do not submit personal information. Even
   if  the information is encrypted, make sure to read the organization's
   privacy  policy  first  so  that you know what is being done with that
   information (see Protecting Your Privacy for more information).

Can you trust a certificate?

   The level of trust you put in a certificate is connected to how much you
   trust the organization and the certificate authority. If the web address
   matches the address on the certificate, the certificate is signed by a
   trusted  certificate authority, and the date is valid, you can be more
   confident that the site you want to visit is actually the site that you are
   visiting. However, unless you personally verify that certificate's unique
   fingerprint by calling the organization directly, there is no way to be
   absolutely sure.

   When you trust a certificate, you are essentially trusting the certificate
   authority to verify the organization's identity for you. However, it is
   important to realize that certificate authorities vary in how strict they
   are about validating all of the information in the requests and about making
   sure that their data is secure. By default, your browser contains a list of
   more  than  100  trusted  certificate authorities. That means that, by
   extension, you are trusting all of those certificate authorities to properly
   verify  and  validate  the information. Before submitting any personal
   information, you may want to look at the certificate.

How do you check a certificate?

   There are two ways to verify a web site's certificate in Internet Explorer
   or  Firefox. One option is to click on the padlock icon. However, your
   browser  settings may not be configured to display the status bar that
   contains the icon. Also, attackers may be able to create malicious web sites
   that fake a padlock icon and display a false dialog window if you click that
   icon. A more secure way to find information about the certificate is to look
   for the certificate feature in the menu options. This information may be
   under  the  file  properties  or  the  security option within the page
   information.  You  will  get  a  dialog box with information about the
   certificate, including the following:
     * who issued the certificate - You should make sure that the issuer is a
       legitimate,  trusted certificate authority (you may see names like
       VeriSign, thawte, or Entrust). Some organizations also have their own
       certificate authorities that they use to issue certificates to internal
       sites such as intranets.
     * who the certificate is issued to - The certificate should be issued to
       the organization who owns the web site. Do not trust the certificate if
       the name on the certificate does not match the name of the organization
       or person you expect.
     * expiration date - Most certificates are issued for one or two years. One
       exception is the certificate for the certificate authority itself,
       which, because of the amount of involvement necessary to distribute the
       information to all of the organizations who hold its certificates, may
       be ten years. Be wary of organizations with certificates that are valid
       for longer than two years or with certificates that have expired.
     _________________________________________________________________

     Authors: Mindi McDowell, Matt Lytle
     _________________________________________________________________

     Produced 2005 by US-CERT, a government organization.

     Note: This tip was previously published and is being
     re-distributed to increase awareness.

     Terms of use

     http://www.us-cert.gov/legal.html

     This document can also be found at

     http://www.us-cert.gov/cas/tips/ST05-010.html

     For instructions on subscribing to or unsubscribing from this
     mailing list, visit 

     http://www.us-cert.gov/cas/signup.html.






-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTCJG6z6pPKYJORa3AQIuCwf/cyo0L+2a6NJ2O2v7bCXrtgLwKG2NvNS8
3HONR+gCnpTN4jJ/Pr3TGcukp0bk75g24WNwVWDhJwklGuO2vfjwpl1LFaQwSwaO
47h5JEMiYaH5jZdYZ4JpjtOf+Yy+gVYCg9P9PXV1eoVsPeR9AMbJlnwapPBQ3Ptn
yaYIgnbWSLmHpnzGlczK5+pfDGsLKVY5MsmUPb0oPzuMRfryqWBkcDp1xGeK56N9
D7j1994lQnN3CbGrGXj/XkpOhSQSj7QYSos8w3fmhu/+z8BtQspGbdItgl5irPGm
Joe6CxHBcHvMUZLlsj3nrwykRgUDITvKXyQCF2wLil3phyLPvaWEzA==
=rsfH
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: