In the address bar of THIS blog, you should see a little padlock…
Let’s see what we can learn.
Click the padlock, then click “details”, then “view certificate” (other browsers will have slight variations in how you get to “view certificate”). If you are on a Microsoft Windows PC, you will see something like:
Now press the Issuer Statement, and when that screen comes up select “More Info”.
In the Cyber Matters case, you’ll now find a 115-page document describing the policies of the organisation that provided the Certificate. Other sites point you to a web site, where you can click a link to read the policy document. The policy documents all follow a standard template.
Sections 1.3.5 and 4.5.2 are interesting: they tell you, the relying party, what you MUST do before being prepared to trust the certificate (and hence trust the padlock).
Section 9 of this policy document is also interesting. In the Cybermatters.info case it says the certificate has been provided for free and no liability is accepted: it’s free, what do you expect?
That’s one reason why you need to look for Extended Validation certificates, by looking for the entire address bar going “green”, if you are to trust a site with your personal data.
The details tab on Cybermatters.info’s “view certificate” has other interesting aspects too. Most of this is for the browsers to figure out how to establish trust.
The subject field says “tls.automatic.com”. This would normally be the web site’s host name. In this case we have to look at the Subject Alternative Name: here we can see CyberMatters.info, alongside a host of other sites.
Cybermatters shares its certificate with these sites: the web site’s private key is not unique to Cybermatters, so the security controls are not unique either. What should you expect? It’s free!
More reason to look for Extended Validation certificates: these will typically be unique to each site, reducing risk.
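To see the same thing in code, here is an added example (not from the original post) that reads a certificate in the shape Python’s `ssl.getpeercert()` returns, picks out the subject Common Name and the Subject Alternative Name list, checks whether a host is actually covered, and lists the other sites sharing the same key. `SAMPLE_CERT` and every name in it are constructed for illustration; `fetch_cert` is a hypothetical helper for running the same checks against a live server.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the names are invented for illustration, not any real site's certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "tls.shared-host.invalid"),),),
    "subjectAltName": (
        ("DNS", "tls.shared-host.invalid"),
        ("DNS", "cybermatters.invalid"),
        ("DNS", "*.cybermatters.invalid"),
        ("DNS", "other-blog.invalid"),
        ("DNS", "another-site.invalid"),
    ),
}

def subject_cn(cert):
    """The subject Common Name: what the 'Subject' field shows in the viewer."""
    return dict(attr for rdn in cert.get("subject", ()) for attr in rdn).get("commonName")

def san_dns_names(cert):
    """DNS names from the Subject Alternative Name extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def _name_matches(pattern, host):
    """RFC 6125 style match: a leading '*.' covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # e.g. ".cybermatters.invalid"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    return bool(prefix) and "." not in prefix

def host_covered(cert, host):
    """Browsers match the host against SAN only; the subject CN is ignored."""
    return any(_name_matches(n, host) for n in san_dns_names(cert))

def other_names(cert, host):
    """SAN entries that do not cover this host: the sites sharing the key."""
    return [n for n in san_dns_names(cert) if not _name_matches(n, host)]

def fetch_cert(host, port=443):
    """Live helper (not used offline): the leaf certificate a server presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run `other_names(fetch_cert("your.site"), "your.site")` on a real site to see how many other names share its certificate.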
Who would think such a little padlock has so much complexity and documentation behind it!