I have a client for whom I developed and maintain a corporate website. One of their departments also has a website which I have nothing to do with (the situation is somewhat of a mess, but I am living with it for the moment).
This department has recently started processing online registrations (including credit card payments) over their website.
I recently noticed that there is a problem with their security certificate, and I want to be able to speak intelligently with my corporate contact at the client to let him know why this is a problem. But I am not an authority on ecommerce, although I have implemented a couple of shopping carts and have certainly dealt with the general purchase and renewal processes for security certificates, etc. But I don't know enough to speak intelligently regarding the exact nature of the problem.
Here's the basic problem. When you go to this department's website, it actually automatically forwards you into the secure area of the site (a problem in itself, but not what I want to address with my contact). When you enter the secure area of the site, you get a popup message saying that the certificate is from an untrusted authority. The popup also says that the name on the certificate is invalid or does not match the name of the site.
When I view the certificate, here's what I see:
1) On the general tab, it says the certificate is issued to and by "localhost.localdomain"
2) On the details tab, it says the issuer of the certificate is:
"E = root@localhost.localdomain
CN = localhost.localdomain
OU = SomeOrganizationalUnit
O = SomeOrganization
L = SomeCity
S = SomeState
C = --"
3) On the certification path tab, it has localhost.localdomain and for the status, it reads, "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."
In an email to their contact list, this particular department, when describing how to register online for a conference, described the popup message as a prompt "to allow your browser to switch into secure mode or Certificate Validation."
My instinct tells me that this is not what is really happening. I guess it could be said that the user is being asked to validate the certificate (by installing the certificate), but doesn't that circumvent the entire reason for a security certificate?
Any help anyone could offer to help me have a better understanding would be greatly appreciated!
Frank Johnson
However, customer perception is important, and I've found it better to use a cert from Verisign, Thawte, or Comodo because most major browsers won't pop up any warning when entering the secure server.
Okay, I was pretty sure I understood the part about the site still being secure (the url is an https url and the secure lock symbol shows - would one or both of those facts mean that the site is secure, or is there more to it?).
From a usability standpoint, though, it sounds then like they have chosen to forego the $249 investment for a Verisign-signed certificate (or less for a Thawte or other authority) and rely on their users to trust them (most of their registrations will be from people who probably trust them, but it still doesn't sit well with me).
Is my understanding correct?
Thanks,
Frank
CAs get round this since you trust the CA, and the CA vouches that the certificate belongs to who it claims to.
Imagine an attacker between the customer and the website. The attacker can intercept the connection and feed the browser a fake self-signed certificate. The browser accepts the certificate and holds a long, secure conversation. With the attacker. The attacker can then proxy all the requests and responses to and from the genuine website and no-one notices anything is wrong. It's the typical man-in-the-middle attack.
Using CA signed certificates, the fake certificate would never be accepted. It would throw a warning about being self-signed. Indeed, the same warning you're seeing.
Jon.
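To make Jon's point concrete, here is a small model of the two checks a browser performs before it shows the padlock without a warning: does the certificate chain up to a root in the trusted store, and does the name on the certificate match the host the visitor typed. This is an added example, written for this thread and not code from any of the posters; the certificate fields are constructed from what Frank quoted (issued to and by "localhost.localdomain"), the root store and the hostname register.example.org are placeholders, and the chain check is simplified to a name lookup rather than real signature verification.

```python
"""Model of the two browser checks behind the popup described in the thread.

A real browser verifies signatures up the chain and ships hundreds of roots;
this model keeps only the logic needed to show why the department's
self-signed certificate triggers both warnings at once.
"""

from dataclasses import dataclass, field


@dataclass
class Certificate:
    subject_cn: str                          # "issued to"
    issuer_cn: str                           # "issued by"
    sans: list = field(default_factory=list)  # subjectAltName DNS entries, if any


# Constructed placeholder root store: one made-up CA name, not a real authority.
TRUSTED_ROOTS = {"Example Root CA"}


def is_self_signed(cert):
    """A certificate whose issuer is itself, like the localhost.localdomain one."""
    return cert.subject_cn == cert.issuer_cn


def chains_to_trusted_root(cert, trusted_roots):
    # A self-signed cert is its own issuer, so it is trusted only if the user
    # has installed it into the root store, which is what the department's
    # "Certificate Validation" prompt is really asking each visitor to do.
    return cert.issuer_cn in trusted_roots


def _name_matches(pattern, host):
    """RFC 6125 style matching: a wildcard may only stand for the whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        host_labels = host.split(".")
        # '*.example.org' covers 'register.example.org' but not 'a.b.example.org'
        return len(host_labels) > 1 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def name_matches(cert, hostname):
    # Browsers consult subjectAltName first; the CN is only a fallback.
    names = cert.sans if cert.sans else [cert.subject_cn]
    return any(_name_matches(n, hostname) for n in names)


def evaluate(cert, hostname, trusted_roots=TRUSTED_ROOTS):
    """Return the warnings a browser would raise for this cert on this host."""
    warnings = []
    if not chains_to_trusted_root(cert, trusted_roots):
        warnings.append("untrusted issuer")
    if not name_matches(cert, hostname):
        warnings.append("name mismatch")
    return warnings


# Constructed from the fields quoted in the question.
DEPARTMENT_CERT = Certificate(subject_cn="localhost.localdomain",
                              issuer_cn="localhost.localdomain")

# A properly issued certificate for the same (placeholder) host, for comparison.
PROPER_CERT = Certificate(subject_cn="register.example.org",
                          issuer_cn="Example Root CA")


if __name__ == "__main__":
    print("department cert:", evaluate(DEPARTMENT_CERT, "register.example.org"))
    print("after visitor installs it:",
          evaluate(DEPARTMENT_CERT, "register.example.org", {"localhost.localdomain"}))
    print("CA-issued cert:", evaluate(PROPER_CERT, "register.example.org"))
```

The third call is the one worth showing your contact: even if a visitor follows the email's instructions and installs the certificate, the name-mismatch warning remains, because the certificate was never issued for the site's hostname. The first two calls also illustrate Jon's man-in-the-middle point from the defender's side: a visitor who has been taught to click through "untrusted issuer" has no way left to tell the department's own self-signed certificate from anybody else's.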