Monday, 6 April 2009

Site and Server Certificates

Do you trust site and server certificates? Are you sure you know what to look for? On a very basic level, most sites will have properly signed server certificates and most people will trust them without question; however, you need to be aware of a few things. There are several different forms of server certificate, but I will only discuss two types, namely self-signed and certification authority signed.

Server certificates are not the bits that make sites secure or not. They are only signatures that inform you whether the site you are presently visiting is actually who it claims to be. These certificates are generated on the computer that they are going to be used on. They are created using various options, such as the encryption type and encryption strength that will be required for the safe transmission of your data. Other information includes the expiration date and owner contact details. If this is all that is done, then you have a self-signed certificate. For all intents and purposes this is all that is required, but this is where things can go wrong. Any person can create a certificate for any computer, and sites designed to grab your details frequently do create such certificates to falsely lead you into giving up your details. Self-signed certificates are absolutely no guarantee that the site is legitimate and safe.

For this to be true, the self-signed certificate needs to be submitted to a certification authority (CA), who will check the legitimacy of the claim that the certificate is making. Thus, CAs are points of trust who investigate the claim of the certificate. Once the claim has been verified it will be added to a list of trusted sites, and will remain valid for the duration of the certificate. You will thus have peace of mind that your details are being transmitted securely and to the intended destination. So how can you tell which certificates are valid? Thankfully, your browser usually has a built-in database of these trusted authorities, such as Thawte and Verisign to mention only two, and regularly updates this database. Certificates that have been revoked are usually listed too. So more often than not you will not need to do anything, except regularly update your preferred browser. Websites that have not had their certificates verified will usually pop up a window informing you that the certificate should not be trusted, but NEVER proceed or add an exception to the list in your browser for this certificate. Doing so will compromise virtually all your other certificates.

There is, obviously, much more to certificates, but this should form a basis for further research. I have mainly discussed this subject from the site visitor's perspective, but the perspective of the site publisher is quite a bit more intricate. Why not research "certificate chains"?
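To see the difference between the two kinds of certificate on the command line, here is an added example (not from the original post) using the openssl tool: it builds a throwaway root CA, a server certificate that the CA has signed and a self-signed one for the same hostname, then runs the trust check a browser performs against its list of trusted CAs. The CA name "Demo Root CA" and the hostname example.test are constructed for the demonstration.

```shell
# Added example (not from the original post). Builds a throwaway root CA and two
# server certificates for the constructed hostname "example.test" in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ_CA="/CN=Demo Root CA"      # constructed; stands in for a real CA such as Thawte
SUBJ_SRV="/CN=example.test"     # constructed hostname

# 1. Root CA: itself a self-signed certificate, but one the client is told to trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "$SUBJ_CA" 2>/dev/null
}

# 2. Server certificate the CA has vouched for: a request is generated on the
#    server and the CA signs it with its own key.
make_ca_signed() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" \
    -out "$WORK/srv.csr" -subj "$SUBJ_SRV" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/srv_signed.pem" 2>/dev/null
}

# 3. Server certificate that signs itself; anyone can make one of these.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" -subj "$SUBJ_SRV" 2>/dev/null
}

# Prints "trusted" if the certificate chains to ca.pem, else "untrusted".
# This is the check a browser performs against its built-in list of CAs.
verify_against_ca() {
  if openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# A self-signed certificate gives itself away: subject and issuer are identical.
is_self_signed() {
  subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
  iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
  [ "$subj" = "$iss" ] && echo yes || echo no
}

make_ca; make_ca_signed; make_self_signed
echo "CA-signed cert:   $(verify_against_ca "$WORK/srv_signed.pem"), self-signed=$(is_self_signed "$WORK/srv_signed.pem")"
echo "Self-signed cert: $(verify_against_ca "$WORK/self.pem"), self-signed=$(is_self_signed "$WORK/self.pem")"
```

The self-signed server certificate is perfectly well formed and its own signature checks out, yet verification fails because nobody in the trust store vouched for it; that is exactly the situation behind the browser warning the post describes.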

Caution and common sense to all!

Thursday, 2 April 2009

Beware the cookie monster

Tracking cookies are undesirable and should be avoided, but cookies that remember your login details are diabolical. Unfortunately, more and more websites are using cookies, or dare I say, demanding that you enable cookies, before you can do anything on the website. There are inherent dangers in doing this. Let me explain.

Cookies are designed to enhance your browsing experience. This is achieved by remembering what you looked at the last time you visited the website, so that the site can gauge what you require and where you intend to browse to next. In doing so it builds up a profile of your activities; hopefully, the dangers, or possibilities, are starting to set off warning signals in your mind. Some cookies are designed to remember your login details once you have visited a site, once again to make your browsing experience more pleasurable. The obvious danger here is that anyone can log into your account if they have access to the computer on which you logged in. If you use multiple computers or a publicly accessible computer, such as those found in libraries, then your login details will become compromised. It is as though you wrote those details on a piece of paper for everyone to see. I doubt that I have to elaborate any more on this.

Some cookies report back to their authors the information they gathered. Although some authors are reputable and will only use some of the information to improve their sites, others may have more devious intent and use the data to capture as much information about you as possible. I shall illustrate using a simple example. Suppose you went to a site that demanded the installation of a cookie. This site may also contain some information you would be interested in, and thus you decide to subscribe to it. To do this you may have to enter your name and email address, and perhaps even a physical address and phone number. Already the amount of information submitted is quite astounding. The cookie grabs all the information and then starts tracking your movements. So after clicking the submit button, you go to your email account to check whether the subscription was successful. The cookie grabs your email URL, username and password. Voila! You afterwards proceed to Amazon.com or your bank's website. Although both of these sites have a secure login and the cookie may not be able to grab those details, it has tracked your visit to these sites, and consequently, you must have some association with them.

In this instance, the amount of information is phenomenal, and the deviously minded will use this to create a new identity based on your own identity. And the rest is history, anxiety, tears, etc.

The final, and perhaps most malicious, cookie is the one that delivers a malicious payload. These are cookies found on bona fide looking websites that appear respectable; however, they will ask you to enable cookies. Once this is done, a cookie is downloaded and installed, but this cookie contains script that downloads further code into your system. From here it can observe all your activity and grab whatever details it likes. It too reports them back to the author. It can also propagate itself throughout a local network and thus infect other systems, and thereby compromise those users.

The point here is that threats do not always come into a system via email. Websites are equally dangerous. Try to stick to reputable websites; however, as this is not always possible, at least clear your cookies and restart the browser before going to another site.

Caution and common sense to all.