As I surf the Internet I get a lot of “Security Alert” warning boxes. Usually it’s because the certificate is out of date but sometimes it’s because I’ve not chosen to trust the issuer. I don’t recall trusting any of 'em!
A security certificate is basically a public-key encryption key pair. The server sends you the public key and your browser uses it to encrypt a session key it sends back. Then the server decrypts the session key with the other half of the key pair. After that, the server and browser can encrypt their traffic with a symmetric algorithm using the session key as a password.
You can set up a secure server with any old key pair, even one you generate yourself. However, most secure servers choose to get their keys from a certificate authority who signs the public key and essentially vouches that the owner of that key is who he says he is. If I want a certificate for a certain domain name, I have to prove I am the owner of that domain and some other things. This prevents me from getting a key that identifies me as Amazon or some other commerce site which I could use to defraud people.
There are a number of certificate authorities who issue these keys. Your browser is set up so it recognizes certain certificate authorities as trustable. There should be a way in your browser to add new CAs to the list of those that are trusted or to remove one from that list. You probably never did that so you never explicitly chose to trust any of them, but whoever wrote your browser decided which ones to trust. Many of the security alerts you get may be because the sites are using a newer CA which isn’t on your list.
Certificates also come with an expiration date. This is mostly a revenue generator for the CAs because they want us to come back every year and renew. It’s also an implicit way to revoke old keys (or at least mark them less trusted).
There are a dozen web sites that I purchase things from, and, a few weeks ago, my browser refused to recognize any of them in order for me to have a secure connection. Bottom line, after driving myself crazy, I had to download a new browser.
I’m using IE 6.0. On the Tools/Internet Options…/Content tab there is a “Clear SSL State” button, a “Certificates…” button and a “Publishers…” button. It’s all gibberish to me. Whenever I get one of those “Security Alert” boxes it always asks if I want to Continue, Stop or View (and install) the certificate. I can’t see where it makes any difference whether I continue or stop. Even installing the certificate doesn’t seem always to make the Security Alert go away on subsequent visits.
Do I really need to worry about certificates? If so, why, and if not how can I turn the damn things off?
I usually check certificates if they cause a popup. In a lot of cases, the warning might be because there’s a minor inconsistency in the certificate that violates the rules but is basically harmless. This might be something like a certificate issued to bigbiz.com but they put their checkout on secure.bigbiz.com. The browser is warning you that the certificate doesn’t match the URL, but in this case it’s a harmless error. On the other hand, if you’re at bigbiz.com and the certificate was issued to “PhishingTools.com”, you might worry. If the popup warning indicates the certificate is expired, you can check the domain names and continue without worrying too much.
If the popup says it doesn’t recognize the certificate authority or the certificate isn’t signed by an authority, this might indicate a bigger problem. Do you really know the site you’re dealing with? If so, continue. If not, this error might give you pause. How exactly you handle these errors depends on how free you are with your personal details in general. If you hand your credit card to a waiter you’ve never met in a restaurant you’ve never visited before, you might as well give it to a website with a self-signed certificate. If you never give your credit card to anyone who hasn’t authenticated exactly who they are and why they need it, then you should require their website to have a pristine cert.
You can’t turn off the use of certificates if you want to use secure sites, but you may be able to turn off warnings. I don’t use IE so I can’t help you with how to do that or with the details of how to import certs or set up CAs as trusted. Not to be snide, but I’d suggest that if you still use IE, you can’t be that concerned about privacy or security so you can just ignore any warnings that website certificates aren’t completely kosher.
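A defender-side sketch of the triage the reply above describes, added here as an example and not part of the thread: it takes a certificate in the dict layout Python's ssl.getpeercert() returns, flags a name mismatch, expiry, a self-signed issuer or an unknown CA, and rates the first two as lower concern than the latter two. The trust list, the two sample certificates and the fixed clock are constructed for the example.

```python
import ssl
from datetime import datetime, timezone

# Constructed trust list standing in for the browser's CA store (assumption).
TRUSTED_CA_NAMES = {"Example Trusted CA"}

def _dns_names(cert):
    """DNS names the cert claims: SAN entries, else the subject commonName."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    cns = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    return sans or cns

def hostname_matches(pattern, hostname):
    """Case-insensitive match; a wildcard covers exactly one leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def triage(cert, hostname, now, trusted=TRUSTED_CA_NAMES):
    """Return (findings, severity) for a peer cert in ssl.getpeercert() layout."""
    findings = []
    if not any(hostname_matches(n, hostname) for n in _dns_names(cert)):
        findings.append("name mismatch")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now.timestamp():
        findings.append("expired")
    subject = dict(kv for rdn in cert["subject"] for kv in rdn)
    issuer = dict(kv for rdn in cert["issuer"] for kv in rdn)
    if issuer == subject:
        findings.append("self-signed")
    elif issuer.get("commonName") not in trusted:
        findings.append("unknown CA")
    # Mismatch/expiry are lower concern; an issuer nobody vouches for is the bigger problem.
    if any(f in ("self-signed", "unknown CA") for f in findings):
        return findings, "high"
    return findings, ("low" if findings else "ok")

# Constructed sample certificates and a fixed "now" so the run is repeatable.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
CHECKOUT_CERT = {  # issued to bigbiz.com but served from secure.bigbiz.com
    "subject": ((("commonName", "bigbiz.com"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "bigbiz.com"),),
}
SELF_SIGNED_CERT = {  # expired and vouched for by nobody but itself
    "subject": ((("commonName", "secure.bigbiz.com"),),),
    "issuer": ((("commonName", "secure.bigbiz.com"),),),
    "notAfter": "Jan  1 00:00:00 2023 GMT",
}
```

Against a live site the same dict comes from `ssl.SSLSocket.getpeercert()` after a handshake, which is how the popup's "View" button data could be checked outside the browser.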