INFORMATION ON AUTHORITY CERTIFICATES
Today is a day to be concerned about your online security
"Authority Certificate" What is it & How is it Used?
You may have visited a website and not seen a padlock in your browser's address bar, or you may have seen a notice that there is an error with the name or date on the secure certificate. Understanding what these certificates are impacts your online privacy.
What is an Authority Certificate?
If an organization wants to have a secure site and use encryption, it needs to obtain a certificate. There are 2 elements indicating a site uses encryption. Protecting your privacy begins with your internet browser, where the padlock is often located in the status bar or in the browser window between the address and search fields.
By making sure a website encrypts your info and has a valid certificate, you can protect yourself against attackers and scammers who create malicious sites to gather your information. You want to make sure you know where your information is going before you submit anything, which helps you avoid phishing attacks.
If a website has a valid authority certificate, it means a certificate authority has taken steps to verify that the web address (URL) actually belongs to that organization. When you type a URL or follow a link to a secure website, your browser will check the certificate for the following characteristics:
- the web site address matches the address on the certificate
- the certificate is signed by a certificate authority your web browser recognizes as a "trusted" authority
If the browser detects a problem, it can present you with a dialog box stating that there is an error with the website certificate. This may happen if the name the certificate is registered to does not match the site name, if you have chosen not to trust the company that issued the certificate, or if the authority certificate has expired.
You will usually be presented with the option to examine the authority certificate, after which you can accept the certificate forever, accept it only for that particular visit, or decline it.
Can you trust an Authority Certificate?
The level of trust you put in an authority certificate is related to the degree of trust you have in the webfirm and its certificate authority. If the web address matches the address on the authority certificate, the certificate is signed by a trusted certificate authority, and the date is valid, you can be more confident the site you are visiting is truly the site you think it is. However, unless you personally verify a certificate's unique identity by calling the organization directly, there is no way to be 100% positive.
When you trust a certificate, you are in effect trusting the certificate authority to verify the webfirm's validity and identity. However, it's important to realize that certificate authorities vary in how strict they are about validating all of the info in the requests and about making sure their data is secure. By default, your browser contains a list of over 100 trusted certificate authority firms. That means, by extension, you are trusting all of those certificate authorities to properly verify and validate the information. If in doubt, you can always look at the certificate before submitting any personal details.
How do you check a certificate?
There are 2 ways to verify a website's certificate in some browsers. One way is to click on the padlock icon. However, your browser settings may not be configured to display the status bar that contains the icon. Also, online attackers may be able to create malicious sites that fake a padlock icon and display a false dialog window if you click the icon. A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This may be under the file properties or the security option within the page info. You will get a dialog box with information about the certificate, including the following:
- who issued the certificate - You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign or Entrust). Some organizations also have their own certificate authorities to issue certificates to internal sites like intranets.
- who the certificate is issued to - The certificate should be issued to the webfirm that owns the site. Do not trust a certificate if the name on the certificate doesn't match the name of the webfirm, or the name you expected.
- expiration date - Most certificates are issued for 1 or 2 years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all organizations that hold its certificates, may be valid for as long as 10 years. Be cautious on sites with certificates valid for more than 2 years. Be on guard for webfirms with expired authority certificates, a big red flag.
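The three items above can also be checked in a script. The following is an added example, not part of the original page: it reviews a certificate in the dictionary format that Python's ssl.SSLSocket.getpeercert() returns. The sample certificate, its names and dates, and the function names are constructed for illustration. The check that the issuer is a trusted authority happens during the secure connection itself and is not repeated here.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the format returned by ssl.SSLSocket.getpeercert();
# every name and date below is made up for illustration.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Org"),),
                (("commonName", "www.example.org"),)),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.shop.example.org")),
}

def _field(name, key):
    """Pull one attribute (e.g. organizationName) out of a subject/issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def _host_matches(host, pattern):
    """Exact match, or a '*' that stands for exactly one left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().split(".")
    return len(h) == len(p) and p[0] in ("*", h[0]) and h[1:] == p[1:]

def review_certificate(cert, host, now=None):
    """Report issuer, owner and expiry, plus warnings for the red flags above."""
    now = now or datetime.now(timezone.utc)
    start = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    end = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    warnings = []
    if not any(_host_matches(host, n) for n in names):
        warnings.append("name mismatch")       # site address is not on the certificate
    if now > end:
        warnings.append("expired")
    elif now < start:
        warnings.append("not yet valid")
    if (end - start).days > 2 * 366:           # longer than 2 years, leap days allowed for
        warnings.append("valid for more than 2 years")
    return {"issued_by": _field(cert["issuer"], "organizationName"),
            "issued_to": _field(cert["subject"], "organizationName"),
            "expires": end.date().isoformat(),
            "warnings": warnings}

if __name__ == "__main__":
    print(review_certificate(SAMPLE_CERT, "www.example.org"))
```

An empty warnings list means the address, dates and validity period all passed; whether the issuer and owner names are the ones you expected is still a judgment for the reader.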