US-CERT Cyber Security Tip ST05-010 -- Understanding Web Site Certificates

 

 

Cyber Security Tip ST05-010

Understanding Web Site Certificates

 

You may have been exposed to web site, or host, certificates if you have ever clicked on the padlock in your browser or, when visiting a web site, have been presented with a dialog box claiming that there is an error with the name or date on the certificate. Understanding what these certificates are may help you protect your privacy.

 

What are web site certificates?

 

If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host, certificate. Some steps you can take to help determine if a site uses encryption are to look for a closed padlock in the status bar at the bottom of your browser window and to look for "https:" rather than "http:" in the URL (see Protecting Your Privacy for more information). By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information. You want to make sure you know where your information is going before you submit anything (see Avoiding Social Engineering and Phishing Attacks for more information).

 

If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics:

1. the web site address matches the address on the certificate
2. the certificate is signed by a certificate authority that the browser recognizes as a "trusted" authority

 

Can you trust a certificate?

 

The level of trust you put in a certificate is connected to how much you trust the organization and the certificate authority. If the web address matches the address on the certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site you want to visit is actually the site that you are visiting. However, unless you personally verify that certificate's unique fingerprint by calling the organization directly, there is no way to be absolutely sure.

 

When you trust a certificate, you are essentially trusting the certificate authority to verify the organization's identity for you. However, it is important to realize that certificate authorities vary in how strict they are about validating all of the information in the requests and about making sure that their data is secure. By default, your browser contains a list of more than 100 trusted certificate authorities. That means that, by extension, you are trusting all of those certificate authorities to properly verify and validate the information. Before submitting any personal information, you may want to look at the certificate.

 

How do you check a certificate?

 

There are two ways to verify a web site's certificate in Internet Explorer or Mozilla. One option is to click on the padlock in the status bar of your browser window. However, your browser may not display the status bar by default. Also, attackers may be able to create malicious web sites that fake a padlock icon and display a false dialog window if you click that icon. A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. You will get a dialog box with information about the certificate, including the following:

* who issued the certificate - You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.
* who the certificate is issued to - The certificate should be issued to the organization that owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.
* expiration date - Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations that hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.
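The checks the tip describes (site name matches the certificate, issuer is a trusted authority, dates are valid, and the caution about validity longer than two years) can be applied to a certificate in the dict form that Python's `ssl.SSLSocket.getpeercert()` returns. This is an added example, not US-CERT's code; the sample certificate, the CA name "Example Root CA" and the `TRUSTED` set are constructed stand-ins for a real server certificate and the browser's built-in CA list.

```python
"""Name, issuer and date checks over a getpeercert()-style certificate dict.
Added example; the sample certificate and CA name below are constructed."""
import ssl
import time

def dns_names(cert):
    """Names the certificate is issued to: SAN DNS entries, else the CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Case-insensitive match. A wildcard may only stand for the whole left-most
    label and must leave at least two fixed labels (the rule browsers apply)."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or len(h) < 2:
        return False
    if p[0] == "*":
        return len(h) > 2 and p[1:] == h[1:]
    return p == h

def issuer_common_name(cert):
    return dict(pair for rdn in cert.get("issuer", ()) for pair in rdn).get("commonName")

def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return a list of problems; an empty list means name, issuer and dates all
    check out. `now` may be a cert-style time string so results are reproducible."""
    problems = []
    if not any(name_matches(n, hostname) for n in dns_names(cert)):
        problems.append("site name does not match certificate")
    issuer = issuer_common_name(cert)
    if issuer not in trusted_issuers:
        problems.append(f"issuer not trusted: {issuer}")
    # getpeercert() dates look like "Jan  1 00:00:00 2024 GMT"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    moment = time.time() if now is None else ssl.cert_time_to_seconds(now)
    if not not_before <= moment <= not_after:
        problems.append("outside validity period")
    if not_after - not_before > 2 * 366 * 86400:  # the tip's two-year caution
        problems.append("validity period longer than two years")
    return problems

# Constructed sample shaped like getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "www.example.com"),)),
    "issuer": ((("countryName", "US"),), (("commonName", "Example Root CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
TRUSTED = {"Example Root CA"}  # stands in for the browser's built-in CA list
```

Against a live connection you would pass `sock.getpeercert()` and the hostname you typed; the dict also exposes the issuer and dates the tip tells you to read in the browser dialog.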

 

When visiting a web site, you may have been presented with a dialog box that claims that there is an error with the site certificate. This may happen if the name the certificate is registered to does not match the site name, you have chosen not to trust the company who issued the certificate, or the certificate has expired. You will usually be presented with the option to examine the certificate, after which you can accept the certificate forever, accept it only for that particular visit, or choose not to accept it. The confusion is sometimes easy to resolve (perhaps the certificate was issued to a particular department within the organization rather than the name on file). If you are unsure whether the certificate is valid or question the security of the site, do not submit personal information. Even if the information is encrypted, make sure to read the organization's privacy policy first so that you know what is being done with that information (see Protecting Your Privacy for more information).

_________________________________________________________________

Authors: Mindi McDowell, Matt Lytle

_________________________________________________________________

Produced 2005 by US-CERT, a government organization.

Note: This tip was previously published and is being re-distributed to increase awareness.

Terms of use: <http://www.us-cert.gov/legal.html>

This document can also be found at <http://www.us-cert.gov/cas/tips/ST05-010.html>

For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

 

 

 

 
