So how do we add this to safaris list of trusted certificates? Sent from my iPhone
> On Jul 6, 2014, at 11:20 AM, Kayaker <sea...@me.com> wrote: > > Hi, > > Certificates are not as intuitive as they should be. If you get a certificate > warning from a web site, it doesn't mean it is an invalid certificate. I will > attempt to simplify what is happening at the cost of some technical accuracy, > but I think this will help you all understand what is going on. > > The HTTPS is basically HTTP over what is called SSL/TLS. This tries to > protect against two things: first, ensuring the site you are connecting to is > in fact the site you expect and second providing a secure encrypted > connection for data between you and the server. This oversimplification of > how this works is by having a server you connect to send you a certificate. > This certificate contains a lot of information. It contains information about > the domain, the date the certificate was issued, how long the certificate is > valid for, and most important, the public key for the server. It also > includes information about who issued the certificate. Certificates are > usually issued by a Certificate Authority or CA. A CA is a trusted company > like Verisign and your web browser has a list of valid CA companies it > recognizes. When you first connect to a server via HTTPS, your browser tries > to validate the certificate with the CA. If your browser doesn't recognize > your CA as a trusted one, it will warn you. It doesn't mean the CA is bad, or > the certificate is bad, it means the browser doesn't know the validity of the > CA. It is perfectly valid to generate your own certificate and public and > private keys without using a CA. One would do this because one cares more > about encryption than validating the site as the one your are trying to > connect to. If you remotely connect to your Mac with ssh, you have sort of > done this with your own self signed certificate. > > Now a bank wants a certificate that can validate who it is. They will pay a > big deal of cash to have a CA issue them a certificate. The CA validates the > request by looking up business address, calling the main phone number, and > some other basic private investigation work. This prevents some hacker in > eastern Europe from obtaining a valid certificate from a CA. This is good if > you are a bank. > > The take away is that some certificates are more trusted than others. I want > to trust my bank a whole lot more than online mom and pop shop. > > So, you need a certificate for HTTPS. Now, what errors can the browser give > you and where are the holes. As I said, the first warning comes if the > browser doesn't have the CA in it's trusted list of CAs. This varies from > browser to browser. This is a warning because you might know more than the > browser's developer. The second error is if the CA rejects the validity of > the certificate, like the fingerprints don't match. Another error can be the > certificate has expired. Apple actually made this mistake recently on the app > store. > > Now, here is one huge hole in the process. Remember the heart bleed bug? > Well, certificates also have a private key. This private key is the most > important piece of secret data and is never given out publicly. The private > key is needed to decrypt the data. If a bad guy gets the private key, this > means that anyone could make a public key from the private and spoof a web > site. So, Owners of a certificate can revoke a certificate if it thinks the > private key has been compromised or for any other reason. No big deal right? > Well, turns out it is. The mechanism for checking a revoked certificate is > off by default in most all browsers. Google's chrome doesn't even really > bother to check if a certificate has been revoked. Safari is not much better > in checking. So until a certificate truly expires, a revoked certificate will > often work without warning the user. > > More than you wanted to know, probably, but knowing why your browser warns > about a certificate is important so you can judge the validity of the risk. > In the case of NFB, I'd worry a little less, looks like the CA is not trusted > by the browser. However, since you went to the site yourself, validating that > nfb is nfb is a little less important. It's when you click on that link from > your email to your bank that it becomes critical. > > So, what do I do as best practice? If I get a warning like that, I look to > see who issued the certificate. If it is self signed, and I went to site, I > don't worry about it at all if it's a small shop or non profit. > > Hope this helps a little and didn't confuse you all more. Again, some > details were left out for simplicity sake in the hopes to make this a bit > less daunting. > > Best, > --k > Faith doesn't give you the answers, it merely stops you from asking the > questions. > > > > > > > > >> On Jul 4, 2014, at 9:20 AM, Littlefield, Tyler <ty...@tysdomain.com> wrote: >> >> You really shouldn't ignore that. It means that the certificate is invalid. >> If this is something on the NFB side, they should really really renew it. If >> you're paying for anything with a credit card, the last thing you want is an >> insecure connection. >> >> Sincerely, >> the Constantly sock-footed me, Still a very happy windows, mac and IPhone >> user! >> Sent from my toaster (TM): the only toaster with full accessibility built in >> without a vm! >> >> -- >> You received this message because you are subscribed to the Google Groups >> "MacVisionaries" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to macvisionaries+unsubscr...@googlegroups.com. >> To post to this group, send email to macvisionaries@googlegroups.com. >> Visit this group at http://groups.google.com/group/macvisionaries. >> For more options, visit https://groups.google.com/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "MacVisionaries" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to macvisionaries+unsubscr...@googlegroups.com. > To post to this group, send email to macvisionaries@googlegroups.com. > Visit this group at http://groups.google.com/group/macvisionaries. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "MacVisionaries" group. To unsubscribe from this group and stop receiving emails from it, send an email to macvisionaries+unsubscr...@googlegroups.com. To post to this group, send email to macvisionaries@googlegroups.com. Visit this group at http://groups.google.com/group/macvisionaries. For more options, visit https://groups.google.com/d/optout.
