Tuesday, October 11, 2016

"There is a problem with this website's security certificate"

First some information on cryptography

1-2-3-4.
Cryptography (check Wikipedia for further information) for this article:
 1. Hashing
 2. Stenography
 3. Symmetric (shared key) encryption
 4. Asymmetric (public / private keys) encryption.

 I will cover the first two in a later article.

 For encryption:
  1. Encryption algorithm (method)
  2. Encryption key(s)
  3. Clear text (message)
  4. Cipher text (encrypted message Symmetric encryption (shared secret/key).

 Bob and Alice want to communicate without Eve being able to determine the message. Bob and Alice agree on one key/secret and an algorithm (method). A large number of methods are available.

Methods for block ciphers, stream ciphers, etc. Problem is scale. Add additional parties to the shared secret… secret harder to keep, harder to communicate and keep current the secret key, etc.

 Asymmetric encryption uses two keys. One encrypts the cipher text the other has encrypted, but not the cipher text it has encrypted. One is chosen to be a “public” key, the other a “private” key. Now Bob and Alice communicate with a combination of both of their public and private keys. Bob encrypts his message to Alice with Alice’s public key. She decrypts that message with her private key. Her message to Bob is encrypted with Bob’s public key, decrypted by Bob with Bob’s private key.
Now anyone can encrypt messages to anyone if they have the other party’s public key. This requires public keys be available AND verifiable as that party’s actual public key. This is where digital certificates play a role.
 A certificate authority that both parties “trust” associates the party’s “IDentity” with their public key.

 Now there is a method that scales to the whole world. Problem is asymmetric encryption is slower that symmetric encryption. Thousands of times slower.
For most encrypted sessions, asymmetric encryption is used to setup a session, that session is used to exchange a symmetric key and the faster symmetric encryption handles the session for some amount of time.
 Digital certificates use a certificate authority (or a chain of certificate authorities) to verify the other parties public key actually belongs to the other party’s IDentity. These certificate authority chains are built into your browser.
 To do business with your bank you browse to the bank’s website. The browser uses its certificate authority chain to find and verify the bank’s certificate and loads the associated public key. That session provides a symmetric session key to encrypt the web traffic within that asymmetric session and your traffic is encrypted in transit.
 So when your browser indicates “There is a problem with this website’s security certificate” you should verify what and why before proceeding. Most browsers offer a button to provide a view of the digital certificate. This process is involved and not easy to grasp.

The point of this article is to use care when seeing this message.

Summary: Browser error messages similar to “There is a problem with this website’s security certificate” indicate something amiss in the setting up of that encrypted session. The site could be a site belonging to someone else in an attempt to steal your credentials and/or credit card.
Take the time and effort to check the site’s certificate. Use the browser’s Help function for more information.

No comments:

Post a Comment