SSL Part 2: Certificate Authorities

In the last issue, May 2010, I described how SSL works. Following that I wrote an article recommending OpenDNS for your DNS service to prevent DNS hijacking, and using the Witopia Personal Open VPN service to setup secure connections while outside your home or office.

A properly working SSL or VPN connection will: 1. Authenticate that you are connecting to who you think you are connecting to 2. Encrypt the traffic between you and the source so no one can see it 3. Make the messages tamper proof, so no one can change them.

It will do this even if someone is watching all the traffic going between you and the bank, email provider or store.

The Weak Link

The weakest part of this system is the Certificate Authority. Did they really verify that the website you are connecting to is who they say they are? Was the Certificate Authority corrupted? To make this system work, you have to trust the Certificate Authority. You can see which authorities Microsoft trusts for you by opening Control Panel, then Internet Options (or Network and Internet Connections then Internet Options if you are in the category view), and selecting Content then View Publishers.

You'll find a very long list including lots of countries and other organizations you probably don't really want to trust.

Of interest also is the Untrusted Publishers tab. Verisign, a well trusted authority, issued a two certificates to some people claiming to be Microsoft Corporation, but they weren't. Those are the two in the Untrusted Publishers tab.

Mozilla, doesn't trust anywhere near as many as Microsoft, but still, there are a lot.

Clearly, with so many authorities, some will get fooled or corrupted. Furthermore, they can and do issue subordinate Certificate Authority power to other organizations. There are machines which governments put in ISPs' offices which will intercept communications and make an authentic certificate on the fly under the auspices of a coerced Certificate Authority. If the government can do it, other criminals cannot be far behind!

What Can You Do?

The problem really is change. If you have been banking with your bank for awhile and you have a certificate from them, then the problem really exists when that certificate changes. What you should worry about, is going somewhere and having a new certificate being used by someone claiming to be your bank or other trusted source.

I use a Firefox Add-On called Certificate Patrol which presents new certificates to you for examination and when a certificate changes will present both the old one and the new one and comment on the possible dangers or lack of danger. For example, on a recent visit to Audible, Certificate Patrol presented this to me.

It is showing both the old certificate and the new one. You'll notice that the certificate authority remained the same and the certificate was approaching its expiration date, so Audible renewed it for one more year. They point out at the top that this is normal and unlikely to be dangerous. If the old certificate wasn't about to expire and the Certificate Authority changed, then I'd probably have logged off and called them.
Certificate Patrol will show you each certificate once, but after it has the certificate in its own database, you'll only be presented with certificates when something changes. I use it on both my netbook and my desktop computers.

Date: July 2010

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.

Keeping clients' computers safe and profitable for over 30 years

Home Forms About Current Newsletter subscribe Search All Articles Browse by Category Security Internet Mobile Business Hardware Fun		SSL Part 2: Certificate Authorities In the last issue, May 2010, I described how SSL works. Following that I wrote an article recommending OpenDNS for your DNS service to prevent DNS hijacking, and using the Witopia Personal Open VPN service to setup secure connections while outside your home or office. A properly working SSL or VPN connection will: 1. Authenticate that you are connecting to who you think you are connecting to 2. Encrypt the traffic between you and the source so no one can see it 3. Make the messages tamper proof, so no one can change them. It will do this even if someone is watching all the traffic going between you and the bank, email provider or store. The Weak Link The weakest part of this system is the Certificate Authority. Did they really verify that the website you are connecting to is who they say they are? Was the Certificate Authority corrupted? To make this system work, you have to trust the Certificate Authority. You can see which authorities Microsoft trusts for you by opening Control Panel, then Internet Options (or Network and Internet Connections then Internet Options if you are in the category view), and selecting Content then View Publishers. You'll find a very long list including lots of countries and other organizations you probably don't really want to trust. Of interest also is the Untrusted Publishers tab. Verisign, a well trusted authority, issued a two certificates to some people claiming to be Microsoft Corporation, but they weren't. Those are the two in the Untrusted Publishers tab. Mozilla, doesn't trust anywhere near as many as Microsoft, but still, there are a lot. Clearly, with so many authorities, some will get fooled or corrupted. Furthermore, they can and do issue subordinate Certificate Authority power to other organizations. There are machines which governments put in ISPs' offices which will intercept communications and make an authentic certificate on the fly under the auspices of a coerced Certificate Authority. If the government can do it, other criminals cannot be far behind! What Can You Do? The problem really is change. If you have been banking with your bank for awhile and you have a certificate from them, then the problem really exists when that certificate changes. What you should worry about, is going somewhere and having a new certificate being used by someone claiming to be your bank or other trusted source. I use a Firefox Add-On called Certificate Patrol which presents new certificates to you for examination and when a certificate changes will present both the old one and the new one and comment on the possible dangers or lack of danger. For example, on a recent visit to Audible, Certificate Patrol presented this to me. It is showing both the old certificate and the new one. You'll notice that the certificate authority remained the same and the certificate was approaching its expiration date, so Audible renewed it for one more year. They point out at the top that this is normal and unlikely to be dangerous. If the old certificate wasn't about to expire and the Certificate Authority changed, then I'd probably have logged off and called them. Certificate Patrol will show you each certificate once, but after it has the certificate in its own database, you'll only be presented with certificates when something changes. I use it on both my netbook and my desktop computers. Date: July 2010 This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
		I attempt to provide reliable information, but make no warranty as to the accuracy or safety of these articles. I disclaim all legal responsibility for what following these instructions may do. Follow my advice at your own risk