Are You Certain about that Certificate?
You're sailing along on the Internet, doing some virtual window-shopping, when you find the perfect doodad for that project you're working on. You toss it in your shopping cart, head for the checkout, and the following message pops up:
What would you do?
A. Click on OK to get rid of the annoying pop-up and buy that doodad while it's still available.
B. Click CANCEL and reconsider whether you really need the doodad from this site.
C. Click on "Examine Certificate" for more information, and if you then feel confident about the web site, click "Accept this certificate temporarily for this session" and click OK.
Hopefully you'd take the opportunity to check out the certificate and learn more about the site where you're about to enter your credit card number.
But what can you learn from a certificate? What is it, and how does it work? I'm glad you asked.
A PKI Primer
A digital certificate (cert) is an electronic file that contains identifying information about its owner (a person, an organization or, most often on the web, a server) together with the owner's public key. A cert is often compared to an electronic version of a driver's license or passport: it is used to establish a web site owner's credentials when transactions on the Internet must be secured.
In public key cryptography, each owner gets a pair of mathematically linked keys: a private key, which is kept secret, and a public key, which is published and available to all. Using these keys, two communicating parties can safeguard information while it is stored or in transit. The sender encrypts (scrambles) information with the receiver's public key before sending it; only the holder of the matching private key can decrypt it after receiving it. The keys also work the other way round: the owner signs data with the private key, and anyone with the public key can verify that signature.
A Public Key Infrastructure (PKI) provides for the creation and distribution of public keys, and for vouching for who owns them, making secure electronic transactions and exchanges of sensitive information over the Internet possible.
A digital certificate normally includes the owner's name, a serial number, the dates between which it is valid, and a copy of the cert holder's public key (which others use to encrypt messages to the holder and to verify the holder's digital signatures; the matching private key, which decrypts and signs, is never part of the cert). The cert also contains the digital signature of the certificate-issuing authority, i.e., the trusted third party often referred to as the Certificate Authority, or CA. Anyone who holds the CA's public key can check that signature, which is how a browser decides whether to believe what the cert says.
As part of a PKI, a CA will check with a Registration Authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) employ certs to verify the authenticity of the server. SSL and TLS are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, email, instant messaging and other data transfers. (See the SSL/TLS links below for an overview of SSL, certs and the "handshaking" process.)
Digital Certificates at Brown
CIS has made an arrangement with GeoTrust for issuing digital certificates. Requests are made through the Help Desk (or directly, using Remedy's IT Security Request schema) and managed by the office of Computing Accounts and Passwords (CAP).
For a typical request, a ticket is opened, specifying whether the certificate is new or a renewal, the time period it should cover, the department name, and the account number to be charged. (Cost varies with the length of the certificate's life and the authentication level; a typical one-year cert costs around $100.)
Below are the prices for more than one year:
2 years $184.00
3 years $262.00
4 years $341.00
5 years $420.00
CAP staff work directly with GeoTrust to handle the request, verifying information before approving it. The generated cert is then sent to the requestor. Here is an example of the framing of a certificate request (the issued cert itself is delivered between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers):
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
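To make the primer above concrete, and to show what the request-and-issue step just described and the browser's warning actually involve, here is an added worked example in Go. It is not code from the original article, from Brown CIS or from GeoTrust; it uses only Go's standard library and runs entirely in memory. It builds a toy PKI: a self-signed CA; a requestor that generates a key pair and a certificate request with the same "-----BEGIN CERTIFICATE REQUEST-----" framing shown above; and a CA that checks the request's signature and issues a one-year server certificate carrying the fields the primer lists (name, serial number, validity dates, public key, CA signature). It then runs the checks a browser performs before showing the padlock and classifies the failures that produce the warning dialog: an expired cert, a host name that does not match, and an issuer the browser does not trust. The CA name, host name, organization, serial numbers and lifetimes are all made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on any setup error: acceptable in a lab, not in production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mint signs tmpl with the parent's key (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildLab plays both roles and returns the issued server cert, the trust store
// (root pool) a browser would consult, and the PEM-encoded request. The requestor's
// private key never leaves the requestor; only the request (public key + names,
// signed by that key) goes to the CA. All names, serials and lifetimes are made up.
func BuildLab(now time.Time) (server *x509.Certificate, roots *x509.CertPool, csrPEM []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	// Requestor side: a key pair and a request carrying the public key and names.
	serverKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "shop.example.edu", Organization: []string{"Example Doodad Shop"}},
		DNSNames: []string{"shop.example.edu"},
	}, serverKey))
	// CA side: parse the request, check it is signed by the key it carries (proof
	// of possession) and issue a one-year cert. The RA's vetting has no code here.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(fmt.Errorf("CSR signature invalid: %w", err))
	}
	server = mint(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, csr.PublicKey, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
	return server, roots, csrPEM
}

// Check is what a browser does before showing the padlock: chain the CA signature
// to a trusted root, test the validity period at time at, and match the host name.
func Check(cert *x509.Certificate, roots *x509.CertPool, host string, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err
}

// Classify maps the verification error to the reason a warning dialog would give.
func Classify(err error) string {
	var invalid x509.CertificateInvalidError
	var hostname x509.HostnameError
	var unknown x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hostname):
		return "hostname mismatch"
	case errors.As(err, &unknown):
		return "untrusted issuer"
	}
	return "other: " + err.Error()
}

func main() {
	now := time.Now()
	c, roots, csrPEM := BuildLab(now)
	// The fields an "Examine Certificate" dialog shows, then the request itself.
	fmt.Printf("Subject: %s\nIssuer:  %s\nSerial:  %s\nValid:   %s to %s\n%s", c.Subject, c.Issuer,
		c.SerialNumber, c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"), csrPEM)
	fmt.Println("good site:     ", Classify(Check(c, roots, "shop.example.edu", now)))
	fmt.Println("wrong name:    ", Classify(Check(c, roots, "evil.example.edu", now)))
	fmt.Println("400 days later:", Classify(Check(c, roots, "shop.example.edu", now.Add(400*24*time.Hour))))
	fmt.Println("unknown CA:    ", Classify(Check(c, x509.NewCertPool(), "shop.example.edu", now)))
}
```

Run it with `go run`. The four verification calls at the end are the point: the same certificate is accepted for the right name, at the right time, from a trusted root, and rejected with a distinct reason when any one of those conditions fails, which is exactly what the pop-up warning is reporting. Two caveats a practitioner would add: real browsers also check whether the cert has been revoked, which this example omits, and a CA that signs whatever request it receives without the RA step is only as trustworthy as its vetting.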
GeoTrust certs have an end-of-life notification feature. The product will begin sending notifications 90 days out from an expiration date to the technical contact. If no action is taken, notifications will be sent to admin, tech and billing contacts at ongoing intervals. For more information about arranging for a GeoTrust certificate, write to email@example.com.
So in summary, if a pop-up "warning" appears as you attempt to access a secure web site, be wary. It IS a warning: your browser could not validate the cert for some reason. The cert may simply have expired, but it may also have been issued for a different host name or signed by an authority your browser does not trust. In any case, find out what the problem is before proceeding. Safe surfing!
Sources & Resources: