Cyber Security Tip ST05-010
Understanding Web Site Certificates
Author: Mindi McDowell, Matt Lytle
Produced 2005 by US-CERT, a government organization
You may have been exposed to web site, or host, certificates if you have ever clicked on the padlock in your browser or, when visiting a web site, have been presented with a dialog box claiming that there is an error with the name or date on the certificate. Understanding what these certificates are may help you protect your privacy.
What are web site certificates?
If an organization wants to have a secure web site that uses encryption, it needs to obtain a site, or host certificate. Some steps you can take to help determine if a site uses encryption are to look for a closed padlock in the status bar at the bottom of your browser window and to look for "https:" rather than "http:" in the address line (URL) [see Protecting Your Privacy for more information]. By making sure a web site encrypts your information and has a valid certificate, you can help protect yourself against attackers who create malicious sites to gather your information. You want to make sure you know where your information is going before you submit anything (see Avoiding Social Engineering and Phishing Attacks for more information).
If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics:
- The web site address matches the address on the certificate
- The certificate is signed by a certificate authority that the browser recognizes as a "trusted" authority
Can you trust a certificate?
The level of trust you put in a certificate is connected to how much you trust the organization and the certificate authority. If the web address matches the address on the certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident that the site you want to visit is actually the site that you are visiting. However, unless you personally verify that certificate's unique fingerprint by calling the organization directly, there is no way to be absolutely sure.
By trusting a certificate, you have trusted the certificate authority to perform this verification for you. However, it is important to realize that certificate authorities vary in how strict they are about validating all of the information in the requests and about making sure that their data is secure. By default, your browser contains a list of more than 100 trusted certificate authorities. That means that, by extension, you are trusting all of those certificate authorities to properly verify and validate the information. Before submitting any personal information, you may want to look at the certificate.
How do you check a certificate?
There are two ways to verify a web site's certificate in Internet Explorer or Mozilla. One option is to click on the padlock in the status bar of your browser window. However, your browser may not display the status bar by default. Also, attackers may be able to create malicious web sites that fake a padlock icon and display a false dialog window if you click that icon. A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. You will get a dialog box with information about the certificate, including the following:
- Who issued the certificate - You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, Thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.
- Who the certificate is issued to - The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.
- Expiration date - Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.