Trusting the Internet

In light of recent events (Heartbleed and *cough* NSA *cough*), we now live in a world where the people you thought you could trust aren’t as trustworthy as we expect them to be.

One of the things that we lay our trust in every day is Certificate Authorities. These are the people with the power to issue SSL certificates, which are used when you use online banking, search Google, access your email and send other sensitive information over the internet. An encrypted connection can be identified by either a padlock symbol or simply ‘https’ in the address bar. You’ll notice that my blog is encrypted, and you can get details of this by clicking the padlock in the top left in Chrome and Firefox, or the padlock at the end of the address bar in Internet Explorer.

For this example I will use Firefox:

[Image: SSL Overview]

You can see that the connection is secure. Wonderful!

What good is it, however, to have an encrypted connection when the other end could be anyone in the world? That’s where the trust part comes into it.

You can see that the certificate has been verified by GoDaddy.com, Inc. Clicking ‘More Information…’, ‘View Certificate’ and going to the ‘Details’ tab will take you to this screen:

[Image: SSL Overview]

Here you can see the trust tree. This is the chain that lets Firefox know that the certificate is one that it can trust.

Think of it this way: you’re having a party, and a guy enters. You don’t know him, and therefore don’t want him in your house, but he says he is friends with another guy. You don’t know that guy either, so you ring him up, and he says he’s friends with another guy. You don’t know him either, so you ring him up, and he says he’s friends with one of your close friends. Your close friend confirms that he is indeed his friend, and that he can vouch for his friend, his friend’s friends, and his friend’s friend’s friend who is at your front door.

On that basis you can let him and all of his friends into your house. If one of them steals/breaks/otherwise vandalises your house, you can go back to your friend and either say ‘these guys did bad things to my house’, and he will revoke their friendship, or you can choose not to be friends with this guy who let idiots into your house any more.

In this case, the guy at your door is ‘*.wordpress.com’, his unknown friends are ‘Go Daddy Secure Certificate Authority – G2’ and ‘Go Daddy Root Certificate Authority – G2’, and the friend you trust is ‘Go Daddy Class 2 CA’.

This root level of trust is built into the web browser (or in the case of Internet Explorer, Windows itself), and you can choose to remove or add authorities at will, but be warned: removing a root is a drastic measure which will cut off access to every site that chains up to it and compromise your security at the same time. If a website does something bad, the best course of action is to take it up with the certificate authority which issued that website’s certificate and let them revoke it. Details for this can usually be found under the page linked in the ‘Subject’ field.

[Image: Subject field]

Visiting that site will usually give details on what to do if you suspect a certificate has been compromised, or if the legitimate owner is performing malicious activity with it.
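To make the trust tree concrete, here is a small added example (not code from the original post, and not how Firefox is implemented) that models the chain-walking a browser does: starting at the site’s certificate, follow each ‘issued by’ link until you reach a root in the built-in trust store. The certificate names are taken from the screenshot above, but they are plain labels constructed for the example; the trust store is likewise constructed, and the model only checks the issuer/subject links, not signatures, expiry dates or revocation.

```python
# Added example: a toy model of a browser walking a certificate chain back to a
# built-in root. Only the issuer -> subject links are checked; a real browser
# also verifies signatures, validity dates, name constraints and revocation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # subject of the certificate that signed this one


# The chain from the post, as constructed sample data (names only, no real certs).
WORDPRESS_CHAIN = [
    Cert("*.wordpress.com", "Go Daddy Secure Certificate Authority - G2"),
    Cert("Go Daddy Secure Certificate Authority - G2",
         "Go Daddy Root Certificate Authority - G2"),
    Cert("Go Daddy Root Certificate Authority - G2", "Go Daddy Class 2 CA"),
]

# The "friend you trust": roots the browser ships with (constructed for this example).
TRUST_STORE = {"Go Daddy Class 2 CA", "Example Other Root"}


def build_chain(leaf, intermediates, trust_store):
    """Return the subject names from the leaf up to a trusted root, or None."""
    by_subject = {c.subject: c for c in intermediates}
    path, seen, current = [leaf.subject], {leaf.subject}, leaf
    while current.issuer not in trust_store:
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt.subject in seen:  # missing link, or a loop
            return None
        seen.add(nxt.subject)
        path.append(nxt.subject)
        current = nxt
    path.append(current.issuer)  # the trusted root closes the chain
    return path


def is_trusted(leaf, intermediates, trust_store):
    return build_chain(leaf, intermediates, trust_store) is not None


if __name__ == "__main__":
    leaf, pool = WORDPRESS_CHAIN[0], WORDPRESS_CHAIN[1:]
    print("Chain:", build_chain(leaf, pool, TRUST_STORE))
    # Removing the root from the store is the "drastic measure" from the post:
    # every site that chains up to it stops validating, not just one.
    print("Trusted after removing the root?",
          is_trusted(leaf, pool, TRUST_STORE - {"Go Daddy Class 2 CA"}))
```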

Next up will be how to run your own certificate authority!