
Monday 6 April 2009

Site and Server Certificates

Do you trust site and server certificates? Are you sure you know what to look for? On a very basic level, most sites will have properly signed server certificates and most people will trust them without question; however, you need to be aware of a few things. First, there are several different forms of server certificate, but I will only discuss two types, namely self-signed and certification-authority-signed.

Server certificates are not the bits that make a site secure or not. They are only signatures that tell you whether the site you are presently visiting is actually who it claims to be. These certificates are generated on the computer on which they are going to be used. They are created with various options, such as the encryption type and encryption strength that will be required for the safe transmission of your data. Other information includes the expiration date and the owner's contact details. If this is all that is done, then you have a self-signed certificate. For all intents and purposes this is all that is required, but this is where things can go wrong. Any person can create a certificate for any computer, and sites designed to grab your details frequently do create such certificates to falsely lead you into giving them up. A self-signed certificate is absolutely no guarantee that the site is legitimate and safe.

For a certificate to give that guarantee, the self-signed certificate needs to be submitted to a certification authority (CA), who will check the legitimacy of the claim that the certificate is making. CAs are thus points of trust who investigate the claim of the certificate. Once the claim has been verified, it will be added to a list of trusted sites and will remain valid for the duration of the certificate. You will thus have peace of mind that your details are being transmitted securely and to the intended destination. So how can you tell which certificates are valid? Thankfully, your browser usually has a built-in database of these trusted authorities, such as Thawte and Verisign to mention only two, and regularly updates this database. Certificates that have been revoked are usually listed too. So more often than not you will not need to do anything, except regularly update your preferred browser. Websites that have not had their certificates verified will usually pop up a window informing you that the certificate should not be trusted, but NEVER proceed or add an exception for this certificate to the list in your browser. Doing so will compromise virtually all your other certificates.
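To make the difference concrete, here is an added demonstration that is not part of the original post. It uses the openssl command line to play both roles described above: a private "root CA" stands in for the Thawte or Verisign entry in a browser's trust database, one server certificate is signed by that CA, and a second one for the same site name is merely self-signed. `openssl verify -CAfile` then does what the browser does: it checks whether the certificate chains to something in the trust store and whether the name on it matches the site you asked for. The CA name "Example Root CA" and the host name "www.example.test" are constructed values; `verify_with` is a helper written for this example.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed vs CA-signed
# certificates checked against a trust store with openssl.
# "Example Root CA" and "www.example.test" are constructed names.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The trust anchor: a self-signed CA certificate. This plays the role of
#    the CA entries shipped in the browser's database.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. A CA-signed server certificate: the site makes its own key and a
#    signing request; the CA checks the claim and signs it -> server.crt
make_ca_signed() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# 3. A self-signed certificate for the same site name. Anyone can make one;
#    nothing vouches for the claim it carries.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# What the browser does: is the certificate chained to a trusted CA, and is it
# issued for the name we typed in?  $1 = trust store, $2 = certificate under
# test, $3 = expected host name.  Returns 0 when trusted, 1 otherwise.
verify_with() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo "$(basename "$2") for $3: trusted via $(basename "$1")"
        return 0
    else
        echo "$(basename "$2") for $3: NOT trusted via $(basename "$1")"
        return 1
    fi
}

make_ca
make_ca_signed
make_self_signed

# CA-signed certificate, correct name: the chain leads to the trust store.
verify_with "$WORK/ca.crt" "$WORK/server.crt" www.example.test || true
# Same certificate presented for a different name: the name check fails.
verify_with "$WORK/ca.crt" "$WORK/server.crt" www.other.test || true
# Self-signed certificate: nothing in the trust store vouches for it.
verify_with "$WORK/ca.crt" "$WORK/self.crt" www.example.test || true
# A browser "exception" is the equivalent of this line: the certificate is
# trusted on its own say-so, so the check passes for whoever created it.
verify_with "$WORK/self.crt" "$WORK/self.crt" www.example.test || true
```

The four `verify_with` calls print, in order, trusted, NOT trusted, NOT trusted and trusted. The last line is the one to dwell on: the self-signed certificate has not become any more legitimate, only the trust store has changed, which is exactly what clicking "add exception" does in a browser.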

There is, obviously, much more to certificates, but this should form a basis for further research. I have mainly discussed this subject from the site visitor's perspective; the site publisher's perspective is quite a bit more intricate. Why not research "certificate chains"?

Caution and common sense to all!
