Certificates: Behind The Padlock

Everyone knows the padlock means a web site is more secure, but what does it actually mean? The padlock says two things: the connection to the site is encrypted, and somebody has vouched for who is on the other end. Digital certificates make both happen, from SSL encryption on web sites to digitally signed email.

Obtaining your own has gotten much easier - and free! - with the help of a new certificate authority, CAcert.org.

Digital certificates are the online equivalent of driver's licenses. When you try to charge a $5,000 plasma television to your credit card, the clerk might ask for your driver's license to prevent fraud. They compare the name on the credit card to the name on the driver's license, look at you, and look at the state that issued the license. When you sign the receipt, the clerk should (but rarely does) check to make sure the signature on the ID matches the signature on the credit card and that both match the signature you just wrote.

To see the driver's license - or digital certificate - for a web site, double-click on the padlock in your web browser. The browser will show the name the certificate was issued to and the certificate authority that issued it. That's like the person's name and the state name on a driver's license. If the web site doesn't have a padlock, the site isn't making any attempt to prove who it is. That's okay - most of the time we just surf innocent web sites. If someone tries to show me fake sports scores by setting up a fake ESPN.com, my life will go on.

Looking at the organization name on a certificate is like looking at the person's name on a driver's license. When you're entering your credit card information, you want to make sure it's going to the right people. Crooks routinely set up sites that look like your bank's, or like a popular e-commerce site such as PayPal, but with a web site address that is slightly different. For example, the bad guys might call the site paypal.transactions.com or paypal48.com, and trick users into entering their username and password - then empty out their account. The clerk checking your driver's license looks at you and at the picture on the ID to verify that yes, you're the same person; the browser does the same by comparing the address you typed with the name on the certificate.

Looking at the certificate authority is like looking at the state that issued the driver's license. Back at our plasma TV example, if the license said "Issued by the Country of Moldova", the clerk might get a little suspicious, because they haven't seen one of those licenses before. They might not trust it at all, and they may ask for another form of identification. Digital certificates, on the other hand, are not issued by states but by private companies. Crooks can even set up their own self-signed certificates, which prove nothing: a self-signed certificate is a license the applicant printed for himself, so the real question is always whether your browser trusts the issuer.

Thankfully, you don't have to sort all this out every time you see a padlock! Your browser checks it automatically on every connection, and pops up a warning when something doesn't match up. A certificate warning usually means one of three things: the name on the certificate doesn't match the web site address you're visiting (the way a lookalike site's certificate never reads "paypal.com"), the authority that issued the certificate isn't in your computer's list of trusted authorities (a self-signed certificate fails this test by definition), or the certificate has expired or isn't valid yet.
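To make those three checks concrete, here is an added example (it is not part of the original article) that reproduces them with the openssl command-line tool: it builds a private authority called "Demo Root CA", issues a certificate for the made-up site www.example.com, and then runs the browser's checks against a good certificate, an impostor's self-signed one, an expired one, and the good certificate shown for the wrong address. Every name in it is invented, and it assumes the openssl binary (1.0.2 or newer) is installed.

```shell
#!/bin/sh
# Added example (not from the article): the checks a browser makes behind the
# padlock, reproduced with the openssl command line. Every name here is made up:
# "Demo Root CA" stands in for a trusted authority, www.example.com for the site.
# Needs the openssl binary, 1.0.2 or newer (for -verify_hostname).

# Build a throw-away set of certificates in a temp directory and print its path:
#   ca.pem          the root of our private authority
#   good.pem        www.example.com, issued by that authority
#   expired.pem     the same site, issued by that authority, but expired yesterday
#   selfsigned.pem  an impostor's certificate for www.example.com that nobody else signed
make_demo_pki() {
    dir=$(mktemp -d) || return 1
    (
        set -e
        cd "$dir"
        # Authority: key and request, then self-signed with CA extensions
        openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
            -subj "/CN=Demo Root CA" >/dev/null 2>&1
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
        openssl x509 -req -in ca.csr -signkey ca.key -extfile ca.ext -days 1 \
            -out ca.pem >/dev/null 2>&1
        # Site: key and request; subjectAltName is the name the browser compares with the URL
        openssl req -new -newkey rsa:2048 -nodes -keyout site.key -out site.csr \
            -subj "/O=Example Inc/CN=www.example.com" >/dev/null 2>&1
        printf 'subjectAltName=DNS:www.example.com\n' > site.ext
        openssl x509 -req -in site.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -extfile site.ext -days 1 -out good.pem >/dev/null 2>&1
        # Same request, but the validity period ended one day ago
        openssl x509 -req -in site.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
            -extfile site.ext -days -1 -out expired.pem >/dev/null 2>&1
        # Impostor: right name, but the certificate vouches for itself
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -keyout imp.key \
            -out selfsigned.pem -subj "/O=Example Inc/CN=www.example.com" >/dev/null 2>&1
    ) || return 1
    echo "$dir"
}

# What the browser does on every padlock: one openssl verify call covers the
# three checks - issuer in the trusted list and chain intact (-CAfile), validity
# dates, and certificate name equal to the host being visited (-verify_hostname).
# Prints the browser-style verdict; returns 0 for a clean padlock, 1 for a warning.
browser_check() {
    cafile=$1; cert=$2; host=$3
    if out=$(openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" 2>&1); then
        echo "padlock OK: $(basename "$cert") is valid for $host"
        return 0
    fi
    echo "WARNING visiting $host with $(basename "$cert"): $(echo "$out" | grep -i 'error' | head -n 1)"
    return 1
}

DEMO_DIR=$(make_demo_pki) || exit 1
for cert in good.pem selfsigned.pem expired.pem; do
    browser_check "$DEMO_DIR/ca.pem" "$DEMO_DIR/$cert" www.example.com || true
done
# A genuine certificate shown for the wrong address still draws a warning
browser_check "$DEMO_DIR/ca.pem" "$DEMO_DIR/good.pem" www.example.net || true
```

Only the first run prints "padlock OK"; the other three print the same reasons a browser warning boils down to: a self-signed certificate, an expired certificate, and a hostname mismatch. Replace ca.pem with your browser's list of trusted roots and this is, in miniature, what happens every time the padlock appears.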

So what does it take to get a certificate? Just like getting a driver's license, there are two parts: proving your identity, and finding an authority who will give it to you.

First, proving who you are. Different certificate authorities have different ways of verifying the organization that's asking for the certificate. Getting a certificate often involves sending in paperwork, such as business registration documents, to prove that the organization named in the certificate really exists and that you speak for it. Certificate authorities go through the motions of checking this data before granting the certificate, and charge a hefty fee for the service.

Enter CAcert.org, a community-based certificate authority with a different approach: for personal certificates, CAcert users check each other's identification. When someone in Houston wants to get a certificate, they find another Houstonian who already has a CAcert certificate and arrange to meet in person. The applicant presents valid identification (driver's license, passport, etc.), and the existing CAcert member - an "assurer", in CAcert's terms - then tells CAcert.org that the applicant is who they claim to be.

CAcert.org also has a free automated system for webmasters to obtain SSL certificates within minutes. Simply apply online, and CAcert sends an email to an administrative address at your domain to verify that you have control over it. It's quick and painless. Note what this does and doesn't prove: it shows you control the domain name, not who you are, so a certificate obtained this way identifies the domain rather than a verified organization.

Unfortunately, CAcert isn't recognized yet as one of the "common" certificate authorities. When people go to a web site with a CAcert certificate, like https://brentozar.com, they will see a certificate warning saying that the certificate authority is not trusted. Why? Because the browser vendors decide which root certificates ship with the browser, that list has long been dominated by large commercial authorities like Verisign, and getting a new authority added is a slow process. CAcert is building momentum, though, and it looks like CAcert's root certificate may be included in a future version of Mozilla, a popular open-source web browser. In the meantime, you can install CAcert's root certificate in your web browser by going to www.CAcert.org and clicking Root Certificate. Bear in mind what that does: from then on your browser accepts any certificate CAcert issues, for any site, without a warning, so install a root only from an authority whose identity checks you trust.

Once you have a personal digital certificate, you can use it much like you would a driver's license. You can flash it for beer. Okay, maybe not, but you can set up your email program to digitally sign every message you send. The signature isn't text tacked onto the end of the message; it travels alongside it, and when someone receives your email, their mail program checks it and reports that the message really came from you and wasn't altered on the way. This is increasingly important in these days of spoofed emails, viruses with attachments, and spam: a virus forging your address can't produce your signature without your private key. Be clear about what the signature does and doesn't say, though. It proves who sent the message and that it arrived as sent; it does not prove the attachment is clean. A digitally signed message means your clients can open your attachments with confidence - assuming, of course, you're running an antivirus program. (You ARE running an antivirus program, right?)
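Here is what that looks like on both ends, as an added example that is not from the original article: a sender signs a message with a personal certificate, a recipient verifies it, and the same check fails when one word of the message has been changed in transit or when the recipient's trusted list doesn't include the issuer. The people (Pat Example, alice@example.com), the message text, and the "Some Other Authority" certificate are all made up, a self-signed certificate stands in for the one CAcert would issue, and the openssl binary (1.1.1 or newer, for -addext) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the article): signing an email with a personal
# certificate and checking it on the receiving end, with openssl's smime command.
# The sender (Pat Example, pat@example.com), the recipient and the message are made
# up. A self-signed certificate stands in for the one CAcert would issue, so the
# recipient has to trust Pat's own certificate (-CAfile) for the check to pass.
# Needs the openssl binary, 1.1.1 or newer (for -addext).

WORK=$(mktemp -d) || exit 1

# Personal key and certificate marked for email signing. With a real authority the
# certificate comes from the CA after the identity check; here each vouches for himself.
make_cert() {  # $1 = file prefix, $2 = name, $3 = email address
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$2/emailAddress=$3" \
        -addext "keyUsage=digitalSignature" -addext "extendedKeyUsage=emailProtection" \
        >/dev/null 2>&1
}

# Sender side: produce a multipart/signed message. The text is sent in the clear
# and stays readable in any mail program; the signature travels in a second MIME
# part rather than as text appended to the message.
sign_message() {  # $1 = plain text file, $2 = signed message to write
    openssl smime -sign -text -in "$1" -out "$2" \
        -signer "$WORK/pat.pem" -inkey "$WORK/pat.key" \
        -from pat@example.com -to alice@example.com -subject "Q3 schedule" 2>/dev/null
}

# Receiving side: the mail program's check. Returns 0 only if the signer's
# certificate chains to an authority listed in $2 AND the text is exactly what
# was signed. It says nothing about whether an attachment is safe to open.
verify_message() {  # $1 = signed message, $2 = file of trusted certificates
    openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null >/dev/null 2>&1
}

make_cert pat "Pat Example" pat@example.com
make_cert stranger "Some Other Authority" ca@example.org   # an authority Alice knows nothing about
printf 'The meeting moved to Friday. Agenda attached.\n' > "$WORK/msg.txt"   # constructed message
sign_message "$WORK/msg.txt" "$WORK/signed.eml"

# Someone between Pat and Alice changes one word of the signed text
sed 's/Friday/Monday/' "$WORK/signed.eml" > "$WORK/tampered.eml"

if verify_message "$WORK/signed.eml" "$WORK/pat.pem"; then
    echo "original message: signature verifies, it came from Pat and arrived unaltered"
fi
if ! verify_message "$WORK/tampered.eml" "$WORK/pat.pem"; then
    echo "tampered message: signature FAILS, the text no longer matches what Pat signed"
fi
if ! verify_message "$WORK/signed.eml" "$WORK/stranger.pem"; then
    echo "untouched message, but the issuer is not in the recipient's trusted list: WARNING"
fi
```

The middle case is the one worth remembering: the tampered message still carries Pat's name, Pat's address and Pat's signature block, and the check fails anyway, because the signature is over the message content and not over the name on it.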

Instructions on how to install digital certificates in web servers and email clients are available on CAcert.org, along with instructions on how to get your free digital certificate. I have a CAcert digital certificate, and I can verify your identity if you'd like to get your own. After you apply on CAcert.org, drop me an email and I can meet up with you at HAL-PC or at an upcoming SIG.

Brent Ozar is a web developer and network admin. The only reason he doesn't wear a tin foil hat is because it interferes with his hair gel. He can be contacted at brento@brentozar.com.