Ask the Expert

Can a certificate authority be trusted?

How are we supposed to check a root certificate out of the hundreds of certs issued by companies we've never heard of? I found VeriSign's page of certificate fingerprints, plus root bundles for VeriSign and Thawte, but checking that those agree with a browser is not easy.

This is one of the dirty little issues of Secure Sockets Layer (SSL) and its related certificates. SSL provides rock-solid encryption between a browser and a Web server. But if you can't verify the certificate, you might have a rock-solid encrypted connection to a bad guy pretending to be your bank. You can't really tell.

Your browser tries to verify the certificate automatically by relying on a group of trusted certificate authorities in its certificate store. (To view them in IE, go to Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities.) Look in that list of "trusted" companies. Do you trust them? And do you trust everyone that they've said you should trust? If not, you may want to pare down that list of companies.

If your browser does not trust a given certificate that is presented, it pops up a dialog box about the problem, asking the user if he or she wants to trust the given organization. If the user clicks OK, the default action for IE and Firefox is to trust the certificate for that one session. However, keep in mind that one session is all an attacker needs to undermine a user's account. And most users don't even read or understand the dialog box, so they blindly trust whatever certificate is presented to them.

But you, dear questioner, are obviously smarter than that, hence your question. So, what can you do if you receive a cert warning from your browser, and when you click to get more details, it reveals a company that you don't know? Well, as you point out, you can look at various certificate authorities' lists of trusted certificates, provided that you trust those CAs. Here's a look at VeriSign's certs.

But, how do you know whether you should trust a given CA? The only way you can know for sure is to research the company behind the certificate. Google searches can get you started. Check out a CA's certification practice statement (for an example, look at the one from IdenTrust). If you feel like you want to trust the company, you can get its own certificate, which you can then import in your browser. You can download the root certificates from most CAs by doing a Google search for: site:[CA_Company].com root certificate download. But, make sure you get that certificate from a trusted, legitimate Web site.

As you can see, we have a chicken-and-the-egg problem here. How can you check if a site is legitimate so that you know to trust its certificate? Why, you'd check its certificate, wouldn't you? And therein lies the problem behind SSL.

So, while still trying to do business on the Internet, investigate those CAs that you can, and keep your trust down to a minimum.
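
One way to do the comparison the questioner describes, as an added example that is not part of the original answer: compute the fingerprint of every certificate in a PEM root bundle and check it against the fingerprints a CA publishes. It assumes the roots (downloaded, or exported from the browser) are in a PEM file and that the published list was obtained from a source you already trust; all function names and the sample data are hypothetical.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(bundle_text):
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(bundle_text)]

def fingerprint(der, algo="sha256"):
    """A fingerprint is a hash over the whole DER-encoded certificate."""
    return hashlib.new(algo, der).hexdigest()

def normalise(fp):
    """Make 'AB:CD 12' and 'abcd12' compare equal (pass the hex value only)."""
    return re.sub(r"[:\s]", "", fp).lower()

def compare(bundle_text, published, algo="sha256"):
    """Sort fingerprints into: in both, only in the bundle, only on the CA's list."""
    local = {fingerprint(d, algo) for d in pem_to_der_list(bundle_text)}
    pub = {normalise(p) for p in published}
    return {"match": sorted(local & pub),
            "unpublished": sorted(local - pub),   # investigate before trusting
            "missing": sorted(pub - local)}

def make_pem(der):
    """Wrap bytes as PEM; used only to build the constructed sample below."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample: placeholder bytes stand in for two DER root certificates.
SAMPLE_A = b"constructed-root-A" * 8
SAMPLE_B = b"constructed-root-B" * 8
SAMPLE_BUNDLE = make_pem(SAMPLE_A) + make_pem(SAMPLE_B)

if __name__ == "__main__":
    fp_a = fingerprint(SAMPLE_A)
    # The form CA pages usually print: upper-case hex pairs separated by colons.
    published = [":".join(fp_a[i:i + 2] for i in range(0, len(fp_a), 2)).upper()]
    print(compare(SAMPLE_BUNDLE, published))
```

Pass `algo="sha1"` when the CA's page lists SHA-1 fingerprints. A match only shows that the bundle agrees with the published list, so the result is no stronger than the channel the list came from.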

This was first published in April 2007.