Saturday, May 22, 2010

Web security and SSL certificates

You may recognize secure web sites by the fact that their URL starts with https://, or by a little lock icon in the address bar or on the bottom of your browser window. Maybe the URL location bar turns green when it's "safe" - when a third party has verified that the server you're communicating with is at the address you expect. This weak authentication regime is implemented using SSL certificates, little pieces of data which are badges handed out by third parties to server operators,for a fee. Each certificate contains the name of the domain or host name the server is handling, and a digital signature by a company such as Verisign, GoDaddy, AC Camerfima, or TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı. In Firefox you can see the list of trusted third parties by choosing (Edit or Tools)->Preferences->Advanced->Encryption(tab)->View Certificates. These are the companies you and your browser are trusting to authenticate web sites around the world.

How do you know they can all be trusted? Wired magazine has an interesting article about certificate spoofing. If you are not careful about checking the name on each certificate at each site, your browser won't tell you if it's necessarily a good one; all it knows is that the certificate was signed by an entity it trusts. Some entities have embedded their certificates in network-level devices so the devices can spoof certificates from any site you're visiting. With that, the device and its owner can intercept all the traffic between you and the site you suppose is secure, maybe your bank or GMail.

You can fight back, a bit, if you have Firefox. There's an extension called petname which lets you "tag" certificates from sites you've verified. If you visit Google's mail site and petname doesn't recognize the certificate, it'll warn you, and you should be suspicious or at least extra careful. The alternative is to check every certificate for every secure site - and memorize the issuer for each. Not really an easy task.

Remember, SSL and browser security aren't enough! It's all based on trust. So verify!

1 comments:

Frank said...
This comment has been removed by a blog administrator.

Post a Comment