Lecture on Security, Digital Signatures, and Certificates

Secure Communications

The internet is not secure. Sending an email is like sending a postcard: anyone can read it along the way. The same is true of web traffic: when your browser sends a URL, it's readable by anyone along the path, and when a server sends the page back, it's readable also.

So what? What do we care if someone can read a web page? We don't. But what about sending your credit card to a server, like Amazon.com? For that, you can use https.

The way this works is by cryptography, which we learned about last time. Here is an outline of the mechanism:

1. Your browser makes an HTTPS request to the server. This is just like requesting any web page, except that we request that the communication is secure.
2. The server responds first by sending a digital "trunk." (This isn't the technical term; we'll learn that later.) The idea of the trunk is that only the server has the key that unlocks the trunk, but anyone can put something in the trunk and lock it.
3. The browser makes up a secret code, puts it in the trunk, closes the lid (locking up the code to keep it secret), and sends it to the server. Since, only the server can unlock the trunk, no one along the path can get the secret code.
4. The server unlocks the trunk, gets the secret code, and uses it to securely transmit the page. From now on, the server and browser can now communicate in both directions using the secret code, and no one else can read their conversation.

Thanks to the secret code, any information that you send to the web site, such as your credit card number, can't be gotten by anyone along the path.

How Secure Is It?

Very secure. Serious thought by lots of smart people has gone into these secret codes. It would take tremendous resources to crack the codes, and almost no one short of government agencies has those resources.

On the other hand, the web server could be hacked into. None of the things we are talking about make the web server machine any more secure. For that matter, nothing here makes your machine any more secure. In fact, a famous security guy once joked:

[It's] like using an armored truck to deliver cash from someone who lives on a park bench to someone who lives in a cardboard box.

To our knowledge, the only thefts of credit card numbers on the web have been from people hacking into web sites. No one has yet cracked the secure communications.

Moral: If you're worried, read the security information on the web site. Ideally, the personal info (credit card numbers, social security numbers, whatever), shouldn't be stored at all. Failing that, it should be stored on a separate computer.

Spoofing

Here's something that does work, though. It's called "spoofing," and it basically means to impersonate a web site. Spoofing takes some hacking ability, but that's common enough.

Let's make some (illegal) money:

• Set up a web server that claims to be Amazon.com,
• Fake a bunch of web pages (by copying some of theirs),
• Wait for people to order merchandise by credit card,
• Take their credit cards and buy stuff.

What can be done about it? How do we deal with possible impersonation in real life? We have id cards.

Certificates

A certificate is like an ID card for the web. As we saw, when your browser wants to make a secure connection to a server (such as Amazon.com), it requests a "trunk" from the server.

How does your browser know that the trunk isn't bogus? (If you're going to impersonate Amazon.com's server, you might as well supply a bogus trunk).

The answer is that the trunk is labeled with the owner's name and signed by some authority, just as a driver's license might have the state governor's signature on it. Of course, the signature is computerized (digital).

The signed, identified trunk is called a certificate.

Signing Authorities

How does your browser know that the signature on the certificate is valid? Can't the spoofer just put a bogus signature on the certificate? No: a signature can only come from a valid signing authority.

A signing authority is a company that makes money signing trunks. One is called "Verisign." The IT people at Amazon.com go to them, prove that they are valid representatives of Amazon.com, and present their trunk for signature. Verisign signs the trunk, and Amazon.com is now ready to set up a secure server.

We now have:

1. Browser requests page via HTTPS
2. Server replies with a certificate (a signed, labeled trunk).
3. Browser verifies the signature and whether it trusts the signer. If they check out, it uses the trunk to send a secret code to the server.
4. The server unlocks the trunk and uses the secret code to send the web page securely.

Examples

When viewing a secure site, you can double-click on the padlock icon to view the certificate of that site.

• https://cs.wellesley.edu/~cs110/ with a secure connection
• https://www.dartmouth.edu/

Whom do you Trust?

Do this:

• In Firefox, go to Firefox>Preferences..., then click on Advanced, select the Encryption tab, and click on View Certificates. This displays the certificates we've accepted, like this:

  

• These are all the signing authorities that your browser trusts.
• On IE, look at Explorer/Preferences/Web Browser/Security.

What Does Trust Mean?

The signing authority doesn't guarantee that the company is a fine, upstanding pillar of the community, any more than a driver's license does. It just guarantees that the owner is who it claims to be.

Unknown Signers

What if the certificate is signed by an unknown authority? Then you get to engage in the following interesting dialog. To see this dialog, visit

https://cs.wellesley.edu

Click here for some screen shots of what happens with unknown signers.

Expiration

Certificates expire every so often, just like driver's licenses and for the same reasons.

Here's an example of a site with an expired certificate:

https://secure.studio24.net/

More Information

From the W3C Security FAQ, some more information about security certificates and even more information about security certificates [an error occurred while processing this directive]