- Original image from: https://www.jpao.es/wp-content/uploads/2015/10/seguridad.jpg
Have you ever wondered why or who makes the little padlock in the url bar before the url of a web page?
Let´s be a little objective, related with one of my pasts post I touched the topic of doing software engineering with an ACM code of ethics for Sofware Engineering. Allright then, one of the principal areas disscussed then were about the rights of the end user and the professional.
Today we are going to talk about the security certificate, what are they and if you can trust one.
Thanks in advance to United States Computer Emergency Readiness team at: https://www.us-cert.gov/ncas/tips/ST05-010
What are web site certificates?
If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host, certificate. There are two elements that indicate that a site uses encryption (seeProtecting Your Privacy for more information):
- a closed padlock, which, depending on your browser, may be located in the status bar at the bottom of your browser window or at the top of the browser window between the address and search fields
- a URL that begins with “https:” rather than “http:”
By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information. You want to make sure you know where your information is going before you submit anything (see Avoiding Social Engineering and Phishing Attacks for more information).
If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser
check the certificate for the following characteristics:
-
the web site address matches the address on the certificate
-
the certificate is signed by a certificate authority that the browser recognizes as a “trusted” authority
In case there is a problem with the certificate the browser will inform you an give you an advice that you are entered in a “insecure” area. The cause may be as simple as the expiration date of the certificate have reached the limit or maybe the name registered with the certificate does not match with the name of tha page that is presented in the screen.
Whatever the cause is, something like this will appear in your screen to help advice you:
- Original at: http://www.technipages.com/wp-content/uploads/2015/07/IE-problem-with-website-security-certificate.png
Other reasons of this can be that the web site is not certified by a trusted or registered company.
Can you trust a certificate?
The level of trust you put in a certificate is connected to how much you trust the organization and the certificate authority. If the web address matches the address on the certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site you want to visit is actually the site that you are visiting. However, unless you personally verify that certificate’s unique fingerprint by calling the organization directly, there is no way to be absolutely sure.
When you trust a certificate, you are essentially trusting the certificate authority to verify the organization’s identity for you.
How do you check a certificate?
There are two ways to verify a web site’s certificate in Internet Explorer or Firefox. One option is to click on the padlock icon. However, your browser settings may not be configured to display the status bar that contains the icon. Also, attackers may be able to create malicious web sites that fake a padlock icon and display a false dialog window if you click that icon. A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. You will get a dialog box with information about the certificate, including the following:
-
who issued the certificate – You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.
-
who the certificate is issued to – The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.
-
expiration date – Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.
In almost any browser you can check the specific data of the security certificate by clicking on the padlock near to the url address. Please keep in mind that many of the web sites that we visit every day are public and free, this does not gives them the option or the need to be certified by a company. Moreover, if you enter in pages like Facebook, Twitter, Outlook (or any other mail service) and bank web pages thy must be certified with a valid certificate.
Most of the time, the people that want your credit card ID or your accounts information create sites like the original ones, only as a Honeycombs, to distract people and let them enter their credentials with the risk of being cheated.
Be careful of what where and how you use the web.
