Hi, Certificates are not as intuitive as they should be. If you get a certificate warning from a web site, it doesn't mean it is an invalid certificate. I will attempt to simplify what is happening at the cost of some technical accuracy, but I think this will help you all understand what is going on.
The HTTPS is basically HTTP over what is called SSL/TLS. This tries to protect against two things: first, ensuring the site you are connecting to is in fact the site you expect and second providing a secure encrypted connection for data between you and the server. This oversimplification of how this works is by having a server you connect to send you a certificate. This certificate contains a lot of information. It contains information about the domain, the date the certificate was issued, how long the certificate is valid for, and most important, the public key for the server. It also includes information about who issued the certificate. Certificates are usually issued by a Certificate Authority or CA. A CA is a trusted company like Verisign and your web browser has a list of valid CA companies it recognizes. When you first connect to a server via HTTPS, your browser tries to validate the certificate with the CA. If your browser doesn't recognize your CA as a trusted one, it will warn you. It doesn't mean the CA is bad, or the certificate is bad, it means the browser doesn't know the validity of the CA. It is perfectly valid to generate your own certificate and public and private keys without using a CA. One would do this because one cares more about encryption than validating the site as the one your are trying to connect to. If you remotely connect to your Mac with ssh, you have sort of done this with your own self signed certificate. Now a bank wants a certificate that can validate who it is. They will pay a big deal of cash to have a CA issue them a certificate. The CA validates the request by looking up business address, calling the main phone number, and some other basic private investigation work. This prevents some hacker in eastern Europe from obtaining a valid certificate from a CA. This is good if you are a bank. The take away is that some certificates are more trusted than others. I want to trust my bank a whole lot more than online mom and pop shop. So, you need a certificate for HTTPS. Now, what errors can the browser give you and where are the holes. As I said, the first warning comes if the browser doesn't have the CA in it's trusted list of CAs. This varies from browser to browser. This is a warning because you might know more than the browser's developer. The second error is if the CA rejects the validity of the certificate, like the fingerprints don't match. Another error can be the certificate has expired. Apple actually made this mistake recently on the app store. Now, here is one huge hole in the process. Remember the heart bleed bug? Well, certificates also have a private key. This private key is the most important piece of secret data and is never given out publicly. The private key is needed to decrypt the data. If a bad guy gets the private key, this means that anyone could make a public key from the private and spoof a web site. So, Owners of a certificate can revoke a certificate if it thinks the private key has been compromised or for any other reason. No big deal right? Well, turns out it is. The mechanism for checking a revoked certificate is off by default in most all browsers. Google's chrome doesn't even really bother to check if a certificate has been revoked. Safari is not much better in checking. So until a certificate truly expires, a revoked certificate will often work without warning the user. More than you wanted to know, probably, but knowing why your browser warns about a certificate is important so you can judge the validity of the risk. In the case of NFB, I'd worry a little less, looks like the CA is not trusted by the browser. However, since you went to the site yourself, validating that nfb is nfb is a little less important. It's when you click on that link from your email to your bank that it becomes critical. So, what do I do as best practice? If I get a warning like that, I look to see who issued the certificate. If it is self signed, and I went to site, I don't worry about it at all if it's a small shop or non profit. Hope this helps a little and didn't confuse you all more. Again, some details were left out for simplicity sake in the hopes to make this a bit less daunting. Best, --k Faith doesn't give you the answers, it merely stops you from asking the questions. On Jul 4, 2014, at 9:20 AM, Littlefield, Tyler <[email protected]> wrote: > You really shouldn't ignore that. It means that the certificate is invalid. > If this is something on the NFB side, they should really really renew it. If > you're paying for anything with a credit card, the last thing you want is an > insecure connection. > > Sincerely, > the Constantly sock-footed me, Still a very happy windows, mac and IPhone > user! > Sent from my toaster (TM): the only toaster with full accessibility built in > without a vm! > > -- > You received this message because you are subscribed to the Google Groups > "MacVisionaries" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To post to this group, send email to [email protected]. > Visit this group at http://groups.google.com/group/macvisionaries. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "MacVisionaries" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/macvisionaries. For more options, visit https://groups.google.com/d/optout.
