Saturday, November 29, 2008

Website SSL Certificates

Understanding Web Site Certificates [1] has a nice succinct description of website certificates. In summary, a website certificate identifies a secure web site in two senses: the site is trusted (e.g. it is not a phishing site), and the data your browser sends to and receives from it is protected (e.g. encrypted using SSL). Trusting a certificate means trusting that one of the certificate authorities known to your browser has verified that the web site you are visiting is legitimate and secure. Although rare, this process has been known to fail. Brian Krebs in The New Face of Phishing [2] described a sophisticated phishing scam that used a valid SSL certificate issued by a "trusted" authority. If you visit a website whose certificate is signed by an organization your browser does not trust, or whose certificate contains an error (e.g. it has expired), the browser displays a dialog prompting you to decide whether to accept the certificate [1]. Before accepting a certificate, ensure it
  • has a valid and trusted issuer, such as Verisign,
  • has not expired, and
  • has been assigned to the web site organization you are visiting.
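As an added example (not code from the original post or from the cited references), the following Python function applies the three checks in the list above, plus the self-signed case, to a certificate in the dictionary layout that `ssl.SSLSocket.getpeercert()` returns; the certificate values and the trusted-issuer set are constructed for this example.

```python
import ssl
import time

# Constructed certificate in the dict layout that ssl.SSLSocket.getpeercert()
# returns; every value below is made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
    "notBefore": "Jan  1 00:00:00 2008 GMT",
    "notAfter": "Dec 31 23:59:59 2009 GMT",
    "subjectAltName": (("DNS", "www.example-bank.test"), ("DNS", "example-bank.test")),
}

def _rdn(seq):
    """Flatten an X.509 name (tuple of RDN tuples) into an attribute dict."""
    return {k: v for rdn in seq for k, v in rdn}

def _names(cert):
    """Host names the certificate was issued for: SAN DNS entries, else subject CN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return sans or [_rdn(cert.get("subject", ())).get("commonName", "")]

def _matches(pattern, hostname):
    """Case-insensitive label match; a wildcard is honoured only in the leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def check_certificate(cert, hostname, trusted_issuers, now=None):
    """Return the problems found; an empty list means the checks all passed."""
    now = time.time() if now is None else now
    issuer, subject = _rdn(cert.get("issuer", ())), _rdn(cert.get("subject", ()))
    problems = []
    # 1. a valid and trusted issuer (here: a known CA organisation name)
    if issuer.get("organizationName") not in trusted_issuers:
        problems.append("issuer not trusted: %r" % issuer.get("organizationName"))
    if issuer == subject:
        problems.append("self-signed: issuer is the site itself")
    # 2. within its validity period (times are GMT, as getpeercert() reports them)
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid until %s" % cert["notBefore"])
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired on %s" % cert["notAfter"])
    # 3. issued to the site being visited
    if not any(_matches(n, hostname) for n in _names(cert)):
        problems.append("issued for %s, not %s" % (", ".join(_names(cert)), hostname))
    return problems
```

A live certificate can be passed in by calling `getpeercert()` on a socket wrapped with `ssl.create_default_context()`, which already performs these checks against the system's trusted roots; the function above is the manual equivalent of what the browser does before deciding whether to show the dialog.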
If this dialog is not displayed, say because your browser accepts the certificate, you can still examine the certificate manually if you wish. Normally this is done by clicking a visual indicator in your browser while you are on the protected site. Don't assume that because a website is protected by a certificate the site must be legitimate. Some phishing sites have used self-signed certificates to create the illusion of legitimacy [3]. The site's authors hope that the unwary visitor will be tricked into believing that, because the site has been given a certificate, it is secure and personal information can safely be submitted to it. A web site that issues a certificate to itself should always be viewed with some suspicion [4].

Do you need SSL certificates for intranet (internal only) websites? If you are transmitting sensitive information between browsers and servers that some employees should not see (e.g. passwords), then yes. This assumes you believe your employees are malicious enough to start snooping for such confidential information. What about phishing? This may be less of an issue, because the phisher would need to know the look and feel of your internal website in order to mimic it convincingly. But if such information can be obtained, then SSL certificates would be useful.

References
[1] Mindi McDowell and Matt Lytle, "Understanding Web Site Certificates", National Cyber Alert System, Cyber Security Tip ST05-010, Carnegie Mellon University, 2008
[2] Brian Krebs, "The New Face of Phishing", The Washington Post, 13 Feb 2006
[3] Bill Brenner, "Phishers' latest hook: SSL certificates", The New Sendmail, 27 Sep 2005
[4] Jack Schofield, "Website certificates -- don't go there?", 2007