Your browser tries to verify the certificate automatically by checking it against the set of trusted certificate authorities in its certificate store. (To view them in IE, go to Tools, Internet Options, Content, Certificates, Trusted Root Certification Authorities.) Look through that list of "trusted" companies. Do you trust them? And do you trust everyone they, in turn, have said you should trust? If not, you may want to pare down that list.
If your browser does not trust a certificate that is presented to it, it pops up a dialog box describing the problem and asking whether the user wants to trust the organization in question. If the user clicks OK, the default action in both IE and Firefox is to trust the certificate for that one session. Keep in mind, however, that one session is all an attacker needs to compromise a user's account. And most users don't read or understand the dialog box anyway, so they blindly accept whatever certificate is presented to them.
But you, dear questioner, are obviously smarter than that, hence your question. So, what can you do if you receive a cert warning from your browser, and when you click to get more details, it reveals a company that you don't know? Well, as you point out, you can look at various certificate authorities' lists of trusted certificates, provided that you trust those CAs. Here's a look at Verisign's certs.
But how do you know whether you should trust a given CA? The only way to know for sure is to research the company behind the certificate. Google searches can get you started. Read the CA's certification practice statement (for an example, look at the one from IdenTrust). If you decide you want to trust the company, you can obtain its root certificate and import it into your browser. You can download the root certificates of most CAs by doing a Google search for: site:[CA_Company].com root certificate download. But make sure you get that certificate from a trusted, legitimate Web site.
As you can see, we have a chicken-and-egg problem here. How do you check that a site is legitimate, so that you know to trust its certificate? Why, you check its certificate, don't you? And therein lies the problem behind SSL trust.
So, while you continue to do business on the Internet, investigate those CAs that you can, and keep the set of CAs you trust to a minimum.
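The browser check described above, as an added example that is not part of the original answer: Go code (using only the standard crypto/x509 package) builds a constructed private root CA and a site certificate it issued, then verifies the site certificate against an empty trust store, which is the unknown-issuer case behind the warning dialog, and again after the CA's root certificate has been imported. The CA and host names are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // constructed demo: key generation and signing are not expected to fail
	}
}

// newCert issues a certificate for host; with parent nil it is self-signed, i.e. a root CA.
func newCert(serial int64, host string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		DNSNames: []string{host}, // the name the certificate is valid for
	}
	if parent == nil { // self-signed: the template signs itself with its own key
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Demo verifies a site certificate against a trust store, before and after its issuer's root is imported.
func Demo() (unknownBefore, trustedAfter bool) {
	root, rootKey := newCert(1, "root-ca.example.test", true, nil, nil)
	leaf, _ := newCert(2, "www.example.test", false, root, rootKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "www.example.test"}
	_, verr := leaf.Verify(opts)
	unknownBefore = errors.As(verr, new(x509.UnknownAuthorityError)) // true: issuer not in store
	opts.Roots.AddCert(root) // the "import its root certificate" step from the answer above
	_, verr = leaf.Verify(opts)
	return unknownBefore, verr == nil // true: the chain now ends at a trusted root
}
```

The same certificate is rejected or accepted purely on the contents of the trust store, which is why the list of trusted roots, not the certificate itself, is what deserves scrutiny.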
This was first published in April 2007