Saturday, August 05, 2006

Garden Certificate Warnings

This discussion of Certificates started with "Garden Certificate Basics", which included background information about digital certificates as well as a sample of a "domain name mismatch". In that situation, it was apparent that a site was providing bogus information.

"Garden Certificate - Microsoft MVP Site" included an illustrated examination of digital certificate information provided to a reader of this blog. The certificate was received as a result of the MS MVP link in an earlier blog post here.

I was reminded today by a respected member of Freedomlist that there are circumstances where an unsigned certificate should not be accepted.
"Anyone can create a certificate that will show mvp.support.microsoft.com or anything they want in the cname and in the hierarchy. Checking those fields doesn't tell you anything particularly useful about the certificate or the website.

I'm afraid advice to accept the certificate is likely to give people the impression that the site is what it claims to be. That's fine for a site like mvp.support.microsoft.com where you just read their pages and don't send them any information, but people should absolutely never accept an unsigned certificate for a site that needs sensitive information like online-banking or shopping, because there is no way to know whether the webserver at the other end is really their bank or store, or if it is some random person spoofing the site and trying to get their data.

A simple summary:
A certificate signed by a certificate authority (verisign, for example) protects against eavesdropping and confirms the identity of the site.

An unsigned certificate (like the one at mvp.support.microsoft.com) protects against eavesdropping, but does NOT confirm the identity of the site."

Thank you, digger, for the explanation and excellent advice!

Additional reference information:

VeriSign Described
VeriSign.com
Digital Certificate Defined
Public Key Certificate

No comments: