Last update: 09-29-2005
Contributed by andyatbesy.co.uk


SSL and Security Certificates

SSL (Secure Sockets Layer) is an encryption standard that is implemented by many widely used web servers as the HTTPS protocol for use over the web. The HTTPS protocol is most commonly used by e-commerce websites to protect against traditional man-in-the-middle attacks.

In this type of attack, the attacker attempts to capture data as it is transmitted over the wire between the client and server. Where the HTTPS protocol is used, the attacker may still be able to capture the transmission, but they will not have the key necessary to decrypt the data transmitted.

Introduction to Security Certificates

When establishing an HTTPS connection to a server, the client must first supply the server with the key that it will use to decrypt the transmission.

HTTPS is therefore only useful where the server has a security certificate that can be used to verify its identity before the key is supplied. Security certificates are typically issued by a trusted certificate authority that is assumed to have verified the identity of the server by conventional means.

When establishing an HTTPS connection to a server with a valid security certificate, the client may initially examine the credentials of the certificate in order to verify the server's identity. The client may then choose to permanently accept the certificate, avoiding warnings when establishing a connection in the future.

Should a problem arise with the validity of the server's security certificate in the future, the client will be warned and will have the opportunity to cancel the connection before sensitive information is transmitted to an unknown destination.

Commonly encountered problems with security certificate validity are described below.

Expired Certificates

Because a server's identity can change over time, security certificates usually remain valid only for a year. The server's identity must then be re-verified, a new certificate issued, and the old certificate replaced with the new one.

If a client attempts to establish an HTTPS connection to a server with an expired certificate, warnings will be generated each time the client attempts to connect.

Note that expired security certificate warnings can also be caused by an incorrectly set date or time on the connecting client's operating system.

Invalid Server Name

One of the credentials specified on the certificate is the DNS name (web address) of the server.

If a client attempts to establish an HTTPS connection to a server on a DNS name that is different from the DNS name specified in the security certificate, warnings will be generated each time the client attempts to connect.

Certificate Signed by an Unknown Authority

The client can only trust a server's security certificate to accurately describe the identity of a server if it trusts the certificate authority that has issued and signed the certificate.

If a client attempts to establish an HTTPS connection to a server with a certificate that has been signed by an unknown certificate authority, or has not been signed by any certificate authority (a self-signed certificate), warnings will be generated each time the client attempts to connect.
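
The three checks described above, as an added Python example that is not part of the original article. It runs over a constructed certificate in the dictionary layout returned by Python's ssl.SSLSocket.getpeercert(). The names SAMPLE_CERT, TRUSTED_ISSUERS and check_certificate are assumptions, and the issuer lookup by name stands in for the signature-chain verification a real TLS library performs.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict layout that ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example Trust CA"),), (("commonName", "Example Trust Root"),)),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Jan  1 00:00:00 2006 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.pay.example.com")),
}
TRUSTED_ISSUERS = {"Example Trust Root"}  # hypothetical trust store, keyed by issuer commonName


def _name_matches(pattern, hostname):
    """Case-insensitive match; '*' may replace the whole left-most label only."""
    p, h = pattern.lower().split("."), hostname.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def check_certificate(cert, hostname, now, trusted_issuers):
    """Return the warnings a client would raise; 'now' must be timezone-aware."""
    problems, ts = [], now.timestamp()
    # Validity period: a wrong client clock fails here even for a good certificate.
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    elif ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    # Server name: the requested DNS name must appear among the certificate's names.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(name, hostname) for name in names):
        problems.append("invalid server name")
    # Issuer: simplified name comparison in place of verifying the signature chain.
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    subject = dict(rdn[0] for rdn in cert["subject"])
    if issuer == subject:
        problems.append("self-signed")
    elif issuer.get("commonName") not in trusted_issuers:
        problems.append("unknown authority")
    return problems


if __name__ == "__main__":
    in_period = datetime(2005, 6, 1, tzinfo=timezone.utc)
    skewed_clock = datetime(2007, 6, 1, tzinfo=timezone.utc)  # client clock set too far ahead
    for host, when in [("shop.example.com", in_period), ("www.example.com", in_period),
                       ("shop.example.com", skewed_clock)]:
        print(host, when.date(), check_certificate(SAMPLE_CERT, host, when, TRUSTED_ISSUERS))
```
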


Comments, suggestions etc are welcomed by email to andyatbesy.co.uk
Original available at http://www.besy.co.uk/
Document last updated on 02/08/2005