By Woody Leonhard/Windows Secrets Newsletter
Two brazen Web-server break-ins this year call into question one of the Internet’s fundamental security mechanisms — website security certificates.
Because the most recent breach affected only PC users in Iran, most of us assume we’re immune. But we’re not; here’s why — and what we can do to protect ourselves.
In her Sept. 8 Top Story, Susan Bradley talked about compromised SSL security certificates from DigiNotar, a certificate authority (definition). Somebody had broken into DigiNotar’s certificate-issuing computers — all of them — and made a bunch of fake certificates for such sites as *.google.com, *.microsoft.com, and windowsupdate.com. In her article, Susan gave instructions for manually removing potentially compromised certificates from your system. Microsoft, thankfully, has recently automated this process through MS Support article 2607712.
The mainstream press has gone gaga over the story and has produced a blizzard of ill-informed and misleading reports. If you can join the words hacker, Iran, and browser with a few technical-sounding nonsense words and then speculate wildly, you, too, could be writing copy for one of the major news outlets.
Below, I explain exactly how security certificates work, and I describe the perversity of the certificate-issuing process: how we got into this fine mess and what we can do to stay out of it in the future.
Just what exactly is a security certificate?
No doubt you’ve used https secure sites for years. You know to look for the “s” in https before typing any sensitive information into your PC, and you know that your browser (depending on brand and version) displays a padlock icon or some equivalent symbol when it’s safe to type passwords, account numbers, e-mail messages, and similar personal information. If you don’t see a lock, or the lock is crossed out as in Figure 1, anything you type can be viewed by anyone casually snooping on your Internet connection.
Figure 1. An indication from Chrome that the site you’re visiting doesn’t have a valid certificate.
When you type https into a browser’s address bar, your browser must validate the site’s Secure Sockets Layer (SSL) certificate (or cert). If the browser believes it’s good, the lock shows up on your browser’s address bar and you have a secure connection.
Or do you?
This post is excerpted with permission from Windows Secrets.