Are you Using or Abusing Digital Certificates?

Are you Using or Abusing Digital Certificates?

Digital certificates were originally designed to help authenticate, provide non repudiation, and to sometimes ensure integrity and confidentiality for written communication.  They of course became the rage for securing Internet based transactions.

Today some people take for granted that digital certificates are intrinsic to any web based transaction and that the transactions are therefore safe.  But are the transactions safe?  By the way I stand corrected – I just did a quick pole of 10 people who regularly do e-transactions on the Internet and one of the ten even knew the existence of digital certificates.

Here is what digital certificates are and how they work.  Digital certificates are electronic documents, much like an electronic version of a passport.  In fact they contain very similar boiler plate information about both the owner and the issuer of the certificate.  The issuer is hopefully a certificate authority, analogous to an issuing Country of a passport, which is widely recognized and in whom everybody else has complete confidence.

The digital certificate also contains a secret known, again hopefully, only to the certificate owner and to the issuer.  The secret is called a private password.  The certificate authority also publishes a public key or password for every certificate holder.  Both the public and private keys used only together can unlock the secrets otherwise encrypted by one of the keys.

For example, if Bob wants to send a confidential email to Sally, then Bob would encrypt the email with Bob’s private key and then again with Sally’s public key.  Sally would decrypt Bob’s email with Bob’s public key and with her secret private key.  Bob’s public key will only decrypt emails from Bob, and Sally’s private key will only decrypt emails encrypted with her public key.   So confidentiality and fairly strong authentication of sender is provided.

Another example.  If Bob wanted to send an open email to many people, but needed everybody to be sure that Bob was the sender, Bob would encrypt with his private key and anybody receiving the email would decrypt and read it with Bob’s public key.  Bob must have been the sender, so authentication of sender is provided to some degree. 

Online vendors use digital certificates in combination with the SSL protocol for their encryption algorithm, in order to protect the validity, integrity, and confidentiality of each transaction.  Any visitor to a validly secured online e-transaction site should be able to view the associated digital certificate including details of the hashing algorithm used to protect their transaction.  In this case, the validation only goes in one direction; only the transaction site is identifying itself conclusively to any visitor.

Yikes!  SSL Meltdowns

We’ve probably all read about a recent SSL certificate validation problem stemming from a hashing algorithm.  This is not the first problem with  SSL.  There was a doozey in 2009.  And in 2008.  And so on.  Each time there is a problem, someone finds a resolution, such as changing a hashing algorithm.

Whether industry uses SSL or TLS there will undoubtedly be developing security vulnerabilities and remediation for them.

The big issue is how to take reasonable precautions to protect ones-self from SSL meltdowns.  Here is a simple precautionary SSL check-list.

* Do verify the URL you are visiting is what you expected and not a similar URL with slashes and asterisks where they don’t belong.

* If in doubt phone the vendor’s or site.

* Do take the time to verify the digital certificate  on a web site.

* If in doubt, research the certificate  authority.

Remember that not all portions of a web site are secured with SSL.  Users can stray to an unprotected area of a site.

Have a secure week.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Related:

Copyright © 2010 IDG Communications, Inc.