In your everyday use of the Internet it’s almost guaranteed you’ve dealt with a security certificate at some point. You may not realize it, but when you’ve clicked to make a purchase or securely logged into a webpage there is a Secure Sockets Layer (SSL) transaction taking place. This standard security technology establishes an encrypted link between a server and a client. Sensitive information like your credit card number, your SSN, and other personal data can be transmitted securely and with no effort on your part. Pretty nice, huh?
The SSL protocol was created by Netscape. Some of you may recall that Netscape Navigator was once one of the most dominant browsers on the World Wide Web. Netscape is credited with creating SSL for securing online communications between web servers and browsers. The protocol relies on a trusted third party, a Certificate Authority (CA), to issue a security certificate, also called a digital certificate. This digital certificate contains a public key and the identity of its owner. A matching private key is kept secret by the end user who generated the key pair. So if I maintain a website I can obtain a digital certificate from a trusted third-party entity to verify the identity of my site on the web. It’s just like an employee using a driver’s license as a form of identity when applying for a job. A typical digital certificate will contain the owner’s name and other information about the public key owner. Modern browsers like Firefox, Safari, and Chrome, as well as operating systems like OS X and Windows, maintain lists of trusted CA root certificates. This way they can verify certificates issued and signed by a commercial CA.
Security Certificate Real World Example
So let’s give you a real world example of what we’re talking about when it comes to a security certificate. Let’s say I want to log into PayPal to make a transaction. I type the URL of the site, www.paypal.com, into my browser address bar and I am immediately redirected to a secure page, https://www.paypal.com/home. PayPal’s web server then sends its public key with its security certificate to my browser. The browser then checks that the security certificate is legitimate. You remember that list of trusted root CAs we talked about earlier? The certificate associated with the PayPal site will have been issued and signed by a CA that chains up to one of those trusted roots. Once the browser has used the presented security certificate to determine that the PayPal website is operated by its true owner (and that the cert is valid, unexpired, and issued for that hostname), a secure transaction can commence. At this point you would see the cute lock symbol in your browser. You are now clear to transact an encrypted session. The exchange of data that takes place at this point is a matter of public key cryptography (see our previous blog post), which allows the data to be unlocked for your viewing pleasure while nobody else can see it.
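To make the browser’s side of this concrete, here is an added example (not from the original post, and not PayPal’s or any browser’s code) that builds a throwaway “trusted root CA” in memory, has it sign a server certificate for a constructed hostname, and then runs the same three checks a browser runs: does the certificate chain up to a root in the trust store, does its name match the site you asked for, and is it within its validity period. It also shows the two failures behind the browser warning described in the next paragraph: a certificate presented for the wrong hostname, and one signed by a CA the trust store has never heard of. The CA name, hostnames, and validity window are all constructed for the example; it uses only Go’s standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCA creates a self-signed root certificate. This stands in for a
// commercial CA root that ships in a browser's or OS's trust store.
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has a CA sign a server certificate for one DNS name, the way a
// site owner obtains a cert for their web server.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the hostname the browser will compare against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyServerCert does what the browser does with the cert the server sends:
// build a chain to a trusted root, check the hostname, check the dates.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Results records the outcome of the three scenarios the post describes.
type Results struct {
	TrustedOK    bool  // cert from a CA in the trust store, name matches: lock icon
	WrongHostErr error // valid chain, but the cert was issued for a different site
	UnknownCAErr error // signed by a CA that is not in the trust store
}

// RunScenarios builds one trusted root, one unknown ("rogue") root, and a
// server cert from each, then verifies them against a trust store that only
// contains the trusted root. All names here are constructed for the example.
func RunScenarios() (Results, error) {
	trustedCA, trustedKey, err := makeCA("Example Trusted Root CA")
	if err != nil {
		return Results{}, err
	}
	rogueCA, rogueKey, err := makeCA("Unknown Root CA")
	if err != nil {
		return Results{}, err
	}
	goodLeaf, err := issueLeaf(trustedCA, trustedKey, "www.example.com")
	if err != nil {
		return Results{}, err
	}
	rogueLeaf, err := issueLeaf(rogueCA, rogueKey, "www.example.com")
	if err != nil {
		return Results{}, err
	}
	roots := x509.NewCertPool() // the browser's trust store: only the trusted root
	roots.AddCert(trustedCA)

	return Results{
		TrustedOK:    VerifyServerCert(goodLeaf, roots, "www.example.com") == nil,
		WrongHostErr: VerifyServerCert(goodLeaf, roots, "login.example.net"),
		UnknownCAErr: VerifyServerCert(rogueLeaf, roots, "www.example.com"),
	}, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted CA, right host:", r.TrustedOK)
	fmt.Println("wrong host:", r.WrongHostErr)
	fmt.Println("unknown CA:", r.UnknownCAErr)
}
```

The first scenario is the lock icon; the other two are the warning page. Note that the hostname check is what stops a perfectly valid certificate for one site from being reused to impersonate another, and the root check is what keeps a certificate minted by an unknown issuer from being accepted at all.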
Now I’m sure you’ve navigated to a website in your browser and instantly gotten a warning that the site you were on may not be secure. In this case you would never want to send your data over, because you could be on a fraudulent site or, even worse, the victim of a man-in-the-middle attack. This is why it’s always good to stick with sites you trust and, if possible, those that are verified and use a security certificate. Happy surfing!