wiki:faq/security/what-is-an-ssl-certificate

What's an x509 (aka SSL) Certificate?

Security is a two-way street. When I go to a web site I have prove to the web site that it's really me before the web site gives me access to anything private or restricted (such as access to my email). The most common way that is done is via a login in which I provide a username and a password. Because I supply the correct password, the server knows it really is me, because I'm the only one who knows my password.

But how do I know that the server I'm going to really is the server I want to go to? Just because I type https://members.mayfirst.org into my browser, doesn't mean that the server really is the May First/People Link server that I think it is. Any number of things can happen via the Internet between my computer and the server I'm connecting to that might fool my computer into thinking I'm connecting to members.mayfirst.org when in fact I'm connecting to someone else's server specifically setup to look like the May First/People Link server. If that were to happen, I might type in my username and password on this stranger's server that is acting like members.mayfirst.org, essentially handing over my identity to a stranger.

The purpose of security certificates is to ensure that the site I'm connecting to really is members.mayfirst.org. We pay a third party vendor (in this case RapidSSL which resells Equifax certificates) to provide us with a certificate. We then install the certificate on our server. When your browser connects to us, your browser checks the certificate, which says: Equifax has ensured that this certificate was truly issues to the legitimate owners of the domain secure.mayfirst.org. If you trust Equifax (which most browsers are configured to trust by default), then you should trust this site and therefore your browser makes the connection.

Often times, your browser checks the certificate and reports a problem. Two of the most frequent problems are:

  • The certificate has expired. When Equifax issues a certificate, it comes with a time frame, usually a year. Once the year is up. the certificate will have "expired" requiring us to purchase a new one. If we don't purchase the new one before the old one expires, your browser may report this problem.
  • The domain you are connecting to does not match the domain on the certificate. Often we run many domains on the same server. For example, the secure.mayfirst.org runs on the same server as wiki.mayfirst.org (our internal wiki site). Our certificate is issued to secure.mayfirst.org. So, if I try to access https://wiki.mayfirst.org, my browser will report the discrepancy. As long as the domain on the certificate is one that I trust, I generally continue connecting to the site.
  • The certificate was issued by an authority that you are not configured to trust. Often times, rather than shelling out bucks to pay a corporation to prove that you are who you say you are, web site administrators will sign their own certificates. While your browser is probably configured by default to trust Equifax, it is not configured to trust everyone. In these situations, you should contact the administrator of the site and ask them how to configure your browser to trust their certificate authority. Alternately, you could ask your browser to accept the specific certificate offered for their site, thereby avoiding trusting another potentially untrustworthy certificate authority.

This is the way the system works now. To go deeper, you may be interested in an article published by Daniel Kahn Gillmor that offers some criticism about this model of security.

Last modified 7 years ago Last modified on Mar 1, 2013, 12:32:36 PM