Are you Using or Abusing Digital Certificates?

Monday, June 28, 2010

Ron Lepofsky

5a432ca05467666d90425b7b869c5003

Digital certificates were originally designed to help authenticate, provide non repudiation, and to sometimes ensure integrity and confidentiality for written communication.  They of course became the rage for securing Internet based transactions.

Today some people take for granted that digital certificates are intrinsic to any web based transaction and that the transactions are therefore safe.  But are the transactions safe?  By the way I stand corrected – I just did a quick pole of 10 people who regularly do e-transactions on the Internet and one of the ten even knew the existence of digital certificates.

Here is what digital certificates are and how they work.  Digital certificates are electronic documents, much like an electronic version of a passport.  In fact they contain very similar boiler plate information about both the owner and the issuer of the certificate.  The issuer is hopefully a certificate authority, analogous to an issuing Country of a passport, which is widely recognized and in whom everybody else has complete confidence.

The digital certificate also contains a secret known, again hopefully, only to the certificate owner and to the issuer.  The secret is called a private password.  The certificate authority also publishes a public key or password for every certificate holder.  Both the public and private keys used only together can unlock the secrets otherwise encrypted by one of the keys.

For example, if Bob wants to send a confidential email to Sally, then Bob would encrypt the email with Bob’s private key and then again with Sally’s public key.  Sally would decrypt Bob’s email with Bob’s public key and with her secret private key.  Bob’s public key will only decrypt emails from Bob, and Sally’s private key will only decrypt emails encrypted with her public key.   So confidentiality and fairly strong authentication of sender is provided.

Another example.  If Bob wanted to send an open email to many people, but needed everybody to be sure that Bob was the sender, Bob would encrypt with his private key and anybody receiving the email would decrypt and read it with Bob’s public key.  Bob must have been the sender, so authentication of sender is provided to some degree. 

Online vendors use digital certificates in combination with the SSL protocol for their encryption algorithm, in order to protect the validity, integrity, and confidentiality of each transaction.  Any visitor to a validly secured online e-transaction site should be able to view the associated digital certificate including details of the hashing algorithm used to protect their transaction.  In this case, the validation only goes in one direction; only the transaction site is identifying itself conclusively to any visitor.

Yikes!  SSL Meltdowns

We’ve probably all read about a recent SSL certificate validation problem stemming from a hashing algorithm.  This is not the first problem with  SSL.  There was a doozey in 2009.  And in 2008.  And so on.  Each time there is a problem, someone finds a resolution, such as changing a hashing algorithm.

Whether industry uses SSL or TLS there will undoubtedly be developing security vulnerabilities and remediation for them.

The big issue is how to take reasonable precautions to protect ones-self from SSL meltdowns.  Here is a simple precautionary SSL check-list.

·         Do verify the URL you are visiting is what you expected and not a similar URL with slashes and asterisks where they don’t belong.

·         If in doubt phone the vendor’s or site.

·         Do take the time to verify the digital certificate  on a web site.

·         If in doubt, research the certificate  authority.

·         Remember that not all portions of a web site are secured with SSL.  Users can stray to an unprotected area of a site.

Have a secure week.

Possibly Related Articles:
2984
General Vulnerabilities
SSL Digital Certificates TLS
Post Rating I Like this!
4a532060a80aefd2e170bbd5d05bae6f
Malieh Mansouri I knew the infosecisland.com supports by GoDaddy.com, Inc.
BUT
when I login in this site, and then see UN & PW on "view saved password" I can see my plain-text password and also the SessionID has not been encrypted.
WHY?
1277893603
A762974cfbb0a2faea96f364d653cbc6
Michael Menefee Malieh,

Next to the View Saved Passwords screen in Firefox, does it say "Yes" or "No" to Have I saved any passwords for this site?

If it says Yes (which I'm sure it does) it is because you opted to save the password locally in Firefox the first time you logged in.
1277901548
4a532060a80aefd2e170bbd5d05bae6f
Malieh Mansouri Thanks alot Michael.

I have 2 questions?

1- How can I Stop this event?
2- Why Session ID is not encrypted? It is displayed plain-text in View Cookies?!
1277902634
A762974cfbb0a2faea96f364d653cbc6
Michael Menefee Malieh,

To stop the auto-password saving in Firefox, click on Tools, Options, Security, and uncheck the box for 'Remember passwords for sites'.

Re: the session question. I will send you a direct message, as this is not related to this particular article
1277909436
4a532060a80aefd2e170bbd5d05bae6f
Malieh Mansouri OK;Thanks.

I am awaiting for Session ID encrypting issue. Especialy for https://www.infosecisland.com WebSite, by using of SSL Certifications, such as GoDaddy.com, Inc.that displayed the form of Clear-text in View Cooki!

Best Regards,
M.Mansouri
1277923465
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.