What can you learn from a Padlock?

22 Jun

In the address bar of THIS blog, you should see a little padlock…


Blog 2 Chrome image

In this case, using the Chrome browser, it’s before the URL.
Internet Explorer has it after the address bar…
[Image: Internet Explorer address bar, padlock shown after the URL]

Let’s see what we can learn.

Click the padlock, then click “details”, then “view certificate” (other browsers vary slightly in how you get to “view certificate”). If you are on a Microsoft Windows PC, you will see something like:
[Image: Windows certificate viewer for the site certificate]

Now press the “Issuer Statement” button (it follows the CPS link that the CA embedded in the certificate’s Certificate Policies extension), and when that screen comes up select “More Info”.

In the Cyber Matters case, you’ll now find a 115-page document describing the policies of the organisation that provided the Certificate. Other sites point you to a web site, where you can click a link to read the policy document. The policy documents all follow a standard template (the RFC 3647 framework for Certificate Policies and Certification Practice Statements), which is why the section numbers below line up from one CA to the next.

Sections 1.3.5 and 4.5.2 are interesting: they tell you, the relying party, what you MUST do before you are entitled to trust the certificate (and hence trust the padlock).

Section 9 of this policy document is also interesting. In the Cybermatters.info case it says the certificate has been provided for free, and that no liability is accepted. It’s free; what do you expect?

That’s one reason why, if you are going to trust a site with your personal data, you need to look for an Extended Validation (EV) certificate, which at the time of writing meant looking for the entire address bar going “green”. (Current versions of Chrome and Firefox no longer colour the address bar for EV certificates; the vetted organisation name is now shown only behind the padlock, in the certificate details.)

Details Tab

The details tab on Cybermatters.info’s “view certificate” has other interesting aspects too. Most of these fields exist so the browser can build and validate the chain of trust.

The Subject field’s Common Name says “tls.automattic.com”. Traditionally this would be the web site’s host name, but modern browsers ignore the Common Name entirely and match the host name against the Subject Alternative Name extension. Looking there we can see CyberMatters.info, but with a host of other sites too.

Cybermatters shares its certificate with these sites, so the private key behind the padlock is not unique to Cybermatters and neither are the security controls around it: if that key is ever exposed, every name in the list is affected at once. What should you expect? It’s free!

More reason to look for Extended Validation certificates: these are issued to a single, vetted organisation and will typically be unique to each site, reducing the risk.
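The fields walked through above (the Common Name, the shared Subject Alternative Name list, and the Certificate Policies extension whose CPS pointer the “Issuer Statement” button follows) can all be read from the command line. The script below is an added example, not part of the original post or of Cybermatters.info’s own setup: it builds a throwaway self-signed certificate with those extensions and then extracts them with the openssl tool. Every host name, the CPS URL and the key are constructed for the example; it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post): generate a certificate that
# carries a CN, a SAN list shared by several hosts and a Certificate Policies
# extension with a CPS URI, then read those fields back with openssl.
# Host names, CPS URL and key are all constructed for this example.
set -e

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
CERT="$WORKDIR/cert.pem"

# OpenSSL request config: prompt-free DN plus the v3 extensions we care about.
cat > "$WORKDIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no

[dn]
CN = tls.example.net

[v3]
# Several hypothetical blogs share this one certificate, as in the post.
subjectAltName      = DNS:tls.example.net, DNS:cybermatters.example, DNS:otherblog.example
# 2.23.140.1.2.1 is the CA/Browser Forum "domain validated" policy OID;
# the CPS pointer is what the Windows viewer's "Issuer Statement" opens.
certificatePolicies = ia5org, @pol

[pol]
policyIdentifier = 2.23.140.1.2.1
CPS.1            = https://ca.example/cps
EOF

# Self-signed, one day validity: enough to exercise the parsing below.
openssl req -x509 -nodes -newkey rsa:2048 \
  -keyout "$WORKDIR/key.pem" -out "$CERT" -days 1 \
  -config "$WORKDIR/san.cnf" 2>/dev/null

# Subject DN in RFC 2253 form, e.g. "CN=tls.example.net".
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# One DNS name per line from the Subject Alternative Name extension.
# Browsers match the host name against this list, not against the CN.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr -d ' ' | tr ',' '\n' | sed 's/^DNS://'
}

# Exact-match host check against the SAN list (wildcard names not handled).
cert_covers_host() {
  cert_san "$1" | grep -qx "$2"
}

# Policy OIDs asserted by the issuer, one per line.
cert_policy_oids() {
  openssl x509 -in "$1" -noout -text | grep 'Policy:' | awk '{print $2}'
}

# CPS URIs: where the CA's practice statement (the long policy document) lives.
cert_cps() {
  openssl x509 -in "$1" -noout -text | grep 'CPS:' | sed 's/.*CPS: *//'
}

# "yes" if the CA/Browser Forum EV policy OID (2.23.140.1.1) is present.
# Some CAs assert EV with their own OID as well, so "no" is not conclusive.
cert_is_ev() {
  if cert_policy_oids "$1" | grep -qx '2.23.140.1.1'; then echo yes; else echo no; fi
}

# To inspect a live site instead, point CERT at the output of:
#   openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null \
#     | openssl x509 -out site.pem
echo "Subject:   $(cert_subject "$CERT")"
echo "SAN names: $(cert_san "$CERT" | tr '\n' ' ')"
echo "Policies:  $(cert_policy_oids "$CERT" | tr '\n' ' ')"
echo "CPS:       $(cert_cps "$CERT")"
echo "EV:        $(cert_is_ev "$CERT")"
```

Running it prints a DV policy OID, the three shared names and the CPS URL; swap in a certificate fetched with the commented s_client pipeline to see the same fields for a real site, and use `cert_covers_host` to confirm the name you typed is actually in the SAN list rather than only in the Common Name.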

Who could think such a little padlock, has so much complexity and documentation behind it!
