Naked Science Forum

Non Life Sciences => Geek Speak => Topic started by: JimBob on 18/07/2015 02:32:21

Title: browser certificates
Post by: JimBob on 18/07/2015 02:32:21
What are they and what do they do? Can they be detrimental?
Title: Re: browser certificates
Post by: RD on 18/07/2015 05:10:30
The only time my browser mentions security certificates (https://en.wikipedia.org/wiki/Public_key_certificate#Certificates_and_web_site_security) is when it encounters an invalid one: messages like ...
"There is a problem with this website's security certificate"
https://support.microsoft.com/en-us/kb/931850

If you get one of those messages then it is possible you are trying to visit a fake look-alike website (https://en.wikipedia.org/wiki/Typo_squatting) by mistake. If so check you are going to the actual official website address, rather than a look-alike URL (https://en.wikipedia.org/wiki/URL).
Title: Re: browser certificates
Post by: nicephotog on 25/07/2015 06:37:03
I would have thought all of you lot have used PGP key encryption for email digests in Linux!

However, a "browser certificate", I presume you mean "website certificate", is issued by a registered CA (certificate authority), usually X.509 standard, anything from 56-bit to 256-bit level.

The server-site outputs crypted pages when either SSL (secure socket layer) or the https:// protocol is called by a request.
The public key of the server-site's public/private pair is used to crypt the page and is then offered to the user browser/device to be stored for the session, to use for interaction on the site by the protocol (SSL or HTTPS) in use.
The private key "is stored in the server (hence private)" and is used for data "received by the server", sent to the server to authenticate that it came from the encrypted information sent - a sort of "handshake" of authentication, as it is referred to.

This is done by deciphering the user/browser-sent information (using the private key) that was encrypted by the public key certificate sent originally to the requester, to be able to decipher the public output page.
If the private key can perfectly decipher the information sent back by the browser then the "key-pair" (public/private) match, and that means there was no spy interference!!!

(Simple quick version) So, the private key algorithm and math formula is completely different to the public key algorithm and math formula - BUT the outcome is identical!

There are such things as PA personal certificates that are for "signing" either special data or email certificates as in "PGP cryption and digest" in email messages.

Note: when a certificate is constructed, it is internalised with information for encryption, with the name of the company that created the key pair and also, most importantly, with the name of the site or person whom it identifies! Hence self-signed certificates of no great authority carrying 256-bit clout (e.g. a self-signed and self-constructed 256-bit certificate)!

Take a look at the PA information for verisign.com and browsers in this section.
Example tutorial:
http://windsolarhybridaustralia.x10.mx/mainindex.html#stephy


Main official worldwide CAs are ...
Verisign and Thawte
https://www.thawte.com/
http://www.verisign.com/

Basic certificate terms and how they work
https://technet.microsoft.com/en-us/library/cc737264(v=ws.10).aspx


"certificate maker"
http://download.cnet.com/1772-20_4-0.html?query=certificate+maker&platform=Windows%2CMac%2CiOS%2CAndroid%2CWebware%2CMobile&searchtype=downloads

Many website plans that supply HTTPS or SSL/TLS have a user control panel that can both create and install a public-private key pair (a certificate), whether for unofficial use or to be sent to a CA to be properly registered.
Here's an example of such a service, but more software oriented:
https://www.digicert.com/tomcat-ssl.htm
Note: While the above link is for PKI (Public Key Infrastructure) certificate key-store protocols in general, it is for a Java server that has a similar bindable Java protocol key-store system which derives itself more from Java software and Java-Applet signing; the key-store is more bound to the copy of the JVM in the JRE or JDK/SDK. This system is part of the PKI hierarchy protocol for digital certificates issued by an authorised CA.

Most unofficially created certificates are used in VPNs (virtual private networks) or, more usually, internally in intranets inside organisations, and are not for the outside world to contact.
https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-using-java-keytool.html

=========

YOUR BROWSER will load a site if the digital certificate information is authenticated by a quick message to the issuer CA site and the CA site replies that the certificate is valid.
If not, the browser will show a list of warnings and options and sometimes tell what the problem is such as the certificate is out of date but otherwise the certificate is from whom it says because of the CA's CRL(Certificate Revocation List).
In the end, a rejected certificate can be used to load a site; however, it is considered a security risk.
It is also possible to either accept or "store" the certificate to be forwarded to its CA issuer rather than be used, and it is also usually possible to view the certificate's public key internal registration information.
- Finally, browser configuration for security allows you to customize your choices as to how to handle certificates, including adding personal certificates to use with VPNs or intranets, but usually email digests are the most common personal certificate.
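As an added example (not code from either poster, and not any browser's own implementation), here is a small Python model of the checks the two replies above describe: the name the user typed against the names the certificate was issued for (RD's look-alike site), the validity dates (the "out of date" warning), and whether a CA the browser trusts signed it or the site signed it itself. The certificate dicts are constructed to mimic the shape of ssl.SSLSocket.getpeercert() output; the site names and "Example Root CA" are placeholders, not real sites or CAs.

```python
import ssl
from datetime import datetime, timezone

TRUSTED_CAS = {"Example Root CA"}  # stand-in for the browser's built-in trust store (constructed)

def make_cert(cn, dns_names, issuer_cn, not_before, not_after):
    """Constructed dict in the shape of ssl.SSLSocket.getpeercert() output."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "subjectAltName": tuple(("DNS", n) for n in dns_names),
            "notBefore": not_before, "notAfter": not_after}

def hostname_matches(pattern, hostname):
    """Exact match, or a leading '*.' that stands for exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_certificate(cert, hostname, now, trusted=TRUSTED_CAS):
    """Return the warnings a browser would raise; an empty list means the page loads."""
    warnings, t = [], now.timestamp()
    if t < ssl.cert_time_to_seconds(cert["notBefore"]):
        warnings.append("not yet valid")
    if t > ssl.cert_time_to_seconds(cert["notAfter"]):
        warnings.append("expired")
    names = [v for kind, v in cert["subjectAltName"] if kind == "DNS"]
    if not any(hostname_matches(n, hostname) for n in names):
        warnings.append("hostname mismatch")   # the name typed is not one the cert was issued for
    subject = dict(p for rdn in cert["subject"] for p in rdn)["commonName"]
    issuer = dict(p for rdn in cert["issuer"] for p in rdn)["commonName"]
    if issuer == subject:          # the certificate vouches only for itself
        warnings.append("self-signed")
    elif issuer not in trusted:    # signed, but by a CA the browser does not know
        warnings.append("unknown issuer")
    return warnings

# Constructed sample certificates: the site names and the CA are placeholders.
VALID_FROM, VALID_TO = "Jul 18 00:00:00 2015 GMT", "Jul 18 00:00:00 2016 GMT"
SITE_CERT = make_cert("www.example.com", ["www.example.com", "example.com"],
                      "Example Root CA", VALID_FROM, VALID_TO)
WILDCARD_CERT = make_cert("*.example.com", ["*.example.com"],
                          "Example Root CA", VALID_FROM, VALID_TO)
SELF_SIGNED = make_cert("intranet.local", ["intranet.local"], "intranet.local",
                        VALID_FROM, VALID_TO)
IN_PERIOD = datetime(2015, 8, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2017, 1, 1, tzinfo=timezone.utc)
```

Calling check_certificate(SITE_CERT, "www.examp1e.com", IN_PERIOD) returns ["hostname mismatch"], which is the situation behind the warning RD quotes; the same certificate checked at AFTER_EXPIRY returns ["expired"].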