Security Certificates: Difference between revisions

From help.computerisms.ca
Jump to navigation Jump to search
Line 35: Line 35:
***it is better to have a certificate and provide education regarding the warning than it is to have no certificate at all
***it is better to have a certificate and provide education regarding the warning than it is to have no certificate at all
*While Security Certificates are an open standard, implementation varies quite a bit depending on the browser and platform it runs on
*While Security Certificates are an open standard, implementation varies quite a bit depending on the browser and platform it runs on
**If you use Internet Explorer, you can [[#Internet Explorer - Importing Certificate Authority|import the CA]] to establish trust and [[#Internet Explorer - disable Name Matching|disable Name Matching]]
**If you use Internet Explorer, you can [[#Internet Explorer - Importing Certificate Authority|import the CA]] to establish trust
***Under some circumstances you may want to temporarily [[#Internet Explorer - disable Name Matching|disable Name Matching]]
***While [[#Internet Explorer - disable Name Matching|disabling Name Matching]] might seem a convenient thing, keep in mind that this disables the security warning, meaning you won't get a warning when you do connect to a "real" disreputable site
***While [[#Internet Explorer - disable Name Matching|disabling Name Matching]] might seem a convenient thing, keep in mind that this disables the security warning, meaning you won't get a warning when you do connect to a "real" disreputable site
***Disabling Name Matching should be unnecessary, and will only be required as the result of a typo or similar error.  Please contact [mailto:bob@computerisms.ca|Computerisms] if you find this is necessary
**Firefox is probably the easiest browser to deal with, Just add a [[#Firefox|Security Certificate Exception]] for any site or Computerisms Service that gives you the error
**Firefox is probably the easiest browser to deal with, Just add a [[#Firefox|Security Certificate Exception]] for any site or Computerisms Service that gives you the error
**For Google Chrome, importing the CA through internet explorer will fix the problem


==Internet Explorer - Importing Certificate Authority==
==Internet Explorer - Importing Certificate Authority==

Revision as of 16:40, 3 August 2012

What are Security Certificates and what are they used for?

  • Security Certificates are a method of establishing trust and encrypting communication between different entities on a network
    • An entity can be a person or a computer
    • Certificates are issued to each entity, much like an identification card might be issued to each member of an organization
    • Each Certificate must be signed by a Certificate Authority, often referred to as the CA
      • Every certificate signed by the CA will trust every other certificate that is also signed by the same CA
    • When two certificates trust each other, they can be used to encrypt a connection
      • This is especially important when transmitting a username and password across the internet
  • Every password protected service provided by Computerisms will use Security Certificates to encrypt network connections
  • Sites you visit that have https:// in the address bar are encrypted by a certificate

So why do I get a Security Certificate Warning?

  • Certificate warnings can be caused by several factors, but the most important thing to know is that just because you see a warning does not mean the connection is not encrypted
  • One possible reason for the Certificate Warning is that your computer does not know the origin of the certificate on the server
    • When you go to an https enable site that does not show the warning, it is because a purchased certificate on the server and a certificate on your computer have been signed by the same CA
    • When one generates his own Certificates instead of purchasing them, as Computerisms does, they are considered Self-Signed.
    • Since Computerisms uses self-signed certificates and doesn't pay the fees to have its certificates signed by the same CA used by your computer, your computer will not trust the server's certificate
      • A person with the right knowledge can set up a system that is just as secure at a fraction of a fraction (yes, a fraction of a fraction) of the cost of purchasing certificates
      • Using paid Certificates on a Hosting Server that is hosting many domains is prohibitively expensive
    • Since your computer cannot verify the origin of the certificate on the server, it cannot establish a trust relationship with the server
      • The warning will inform you that the certificate on the server cannot be trusted because its origins cannot be confirmed
      • Since you know the origins of the certificate (It comes from Computerisms), you can override your computer's paranoia
    • By temporarily overriding the warning, you instruct your computer to trust the certificate on the server
    • Once the trust is established, then the certificates can be used to encrypt the communication so your password is not transmitted in clear text
  • Another reason a security certificate warning might pop up is a mismatched address
    • Computerisms Webmail is one site that answers to many names, such as https://webmail.domain.tld
    • If you arrive at the site by a name that is different than the one on the certificate, your computer will warn you that the address in your address bar is not the same as the address on the certificate.
  • Remember, regardless of the warning, when you instruct your computer to trust the certificate, encryption will still happen. So long as you know the certificate, even if your computer doesn't, you will be sending your passwords over the internet encrypted, so people can't see it. You should not send a password on an unencrypted connection.

Okay, Now I know why, but what do I do about it?

  • If one extra click every time you use a Computerisms Service does not seem unreasonable, then one viable option is to do nothing
  • In some cases, the problem can be solved on the server.
    • If for example you wish to run an online store, you will need to purchase your own certificate
    • In the case of providing encrypted services in a hosting environment, purchasing certificates is very cost prohibitive
      • it is better to have a certificate and provide education regarding the warning than it is to have no certificate at all
  • While Security Certificates are an open standard, implementation varies quite a bit depending on the browser and platform it runs on
    • If you use Internet Explorer, you can import the CA to establish trust
      • Under some circumstances you may want to temporarily disable Name Matching
      • While disabling Name Matching might seem a convenient thing, keep in mind that this disables the security warning, meaning you won't get a warning when you do connect to a "real" disreputable site
      • Disabling Name Matching should be unnecessary, and will only be required as the result of a typo or similar error. Please contact [1] if you find this is necessary
    • Firefox is probably the easiest browser to deal with, Just add a Security Certificate Exception for any site or Computerisms Service that gives you the error
    • For Google Chrome, importing the CA through internet explorer will fix the problem

Internet Explorer - Importing Certificate Authority

  • What this will do:
    • This will build a trust relationship between the certificates on the server and the certificates on your computer
    • This will make it so that any Computerisms Service whose address is the same as that on the certificate will not prompt a warning
      • This will apply to most, but not all services
  • What this will NOT do:
    • This will not get rid of the warning when you connect to a Computerisms Service using a different name than is on the certificate
      • This will mostly be with webmail, where one site shares several names
    • To get rid of the warning in the case of an address mismatch, you will need to disabling Name Matching
      • While disabling Name Matching might seem a convenient thing, keep in mind that this disables the security warning, meaning you won't get a warning when you do connect to a disreputable site
  • The easiest way to install a certificate is using Internet Explorer
  • Open your start menu and choose "All Programs"
  • In the list, right click Internet Explorer
  • In the menu, choose "Run as Administrator"
  • If you are presented with a window confirming the program should be allowed to make changes to your computer, select Yes
  • Navigate to https://rc.domain.tld or any other encrypted Computerisms service
  • Select "Continue to this website (not recommended)
    • For the record, it is recommended...
  • In the next window, you will notice the address bar goes red.
  • Click in the address bar where the X is displayed as a certificate warning
  • In the small window that opens up, click the link at the bottom called "View certificates"
  • In the next window, find the tab called "Certification Path" and click it
  • Click on the line that says Computerisms Certificate Authority
  • Then click the "View Certificate" Buttonhelp.
  • In the next window, click the button called "Install Certificate"
    • Note: if you did not run Internet Explorer as Administrator, this button will not show up
  • The next window will be the start of the Certificate Import Wizard
  • Click Next
  • Move the Radio button to be beside "Place all Certificates in the following store"
  • Click the browse button to open the navigation window
  • In the navigation window, select "Trusted Root Certification Authorities"
  • Click OK, then click Next
  • Click the Finish button
  • Another warning window will pop up, click Yes in the bottom right corner
  • A window will pop up confirming the import was successful, click OK on that window
  • Click OK on the Computerisms Certificate Authority Certificate Window
  • Click OK on the first Certificate Window

Internet Explorer - disable Name Matching

  • NOTE: Do not do this unless you fully understand the implications of doing so. While this may seem convenient, it also comes with its own dangers. You have been warned!
  • What this will do:
    • This will remove the Security Certificate warning when you arrive at a Computerisms service whose real name does not match the name you used to arrive
    • This will also disable the warning for real non-legitimate sites
  • What this will NOT do:
    • This will not create a trust relationship between your computer and the server
    • This will not warn you when you encounter a site with a "real" fraudulent certificate
  • Open Internet Explorer
  • Click the Tools Icon
  • Select Internet Options
  • Select the Advanced tab
  • Scroll to the very bottom of the list
  • Deselect "Warn about certificate address mismatch*"
  • Click OK
  • Restart Internet Explorer
  • NOTE: Do not do this unless you fully understand the implications of doing so. While this may seem convenient, it also comes with its own dangers. You have been warned!

Firefox

  • What this will do:
    • This will create an exception list specific to Firefox so that it knows not to show you the certificate warning for a specific name of a specific site
  • What this will NOT do:
    • This will not create a trust relationship between the server and your computer, it only ignores this warning
    • This will not make the warning go away if you arrive at a previously excepted site by a different name
  • Open Firefox and navigate to a site that will generate the Security Certificate warning, such as https://rc.computerisms.ca
  • Click on the link called "I understand the risks"
  • Click on the button called Add Exception
  • Click the "Confirm Security Exception" button
    • If the button is greyed out, give it a few seconds and it should come back