Page 118 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY
Information Security and Privacy
Notes
A digital certificate contains an entity’s name, address, serial number, public key, expiration date and digital signature, among other information. When a Web browser like Firefox, Netscape or Internet Explorer makes a secure connection, the digital certificate is automatically turned over for review. The browser checks it for anomalies or problems, and pops up an alert if any are found. When digital certificates are in order, the browser completes secure connections without interruption.
The problem, however, is that anyone can create a website and key pair using a name that doesn’t belong to them. This is where digital certificates come in. Digital certificates are trusted ID cards in electronic form that bind a website’s public encryption key to its identity for purposes of public trust.
Though rare, there have been cases of phishing scams duplicating a website and ‘hijacking’ the site’s digital certificate to fool customers into giving up personal information. These scams involved redirecting the customer to the real site for authentication, then bringing them back to the spoofed website.
Other phishing scams use self-signed digital certificates to dispense with the trusted third party, or Certificate Authority, altogether: the issuer of the digital certificate and the signer are one and the same. A browser will alert in this case, but most users click through anyway, not understanding the difference.
Notes
Not all Certificate Authorities are equal. Some CAs are newer and less well known. Two examples of highly trusted CAs are VeriSign and Thawte. If your browser does not recognize a Certificate Authority, it will alert you.
8.3.1 Verifying the Certificate
Digital certificates play an integral role in keeping online commerce safe. If your browser alerts you to a problem with a digital certificate, you are well-advised not to click through. Instead, call the business using a telephone number from your statements or phone book, and inquire as to the problem.
SSL (Secure Sockets Layer) uses public key encryption to protect all data between the customer’s computer and the e-commerce website. Information is sent to the site in encrypted form using the site’s public key; upon receiving it, the site uses its private key to decrypt the information. The public and private keys together are called a key pair. Interlopers who capture data en route will find it unreadable.
The CA verifies that a public key belongs to a specific company or individual (the “subject”), and the validation process it goes through to determine if the subject is who it claims to be depends on the level of certification and the CA itself.
After the validation process is completed, the CA creates an X.509 certificate that contains CA and subject information, including the subject’s public key (details below). The CA signs the certificate by creating a digest (a hash) of all the fields in the certificate and encrypting the hash value with its private key. The encrypted digest is called a “digital signature,” and when placed into the X.509 certificate, the certificate is said to be “signed.”
The CA keeps its private key very secure, because if it were ever discovered, false certificates could be created with it.
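The signing and verification steps just described, together with the self-signed case from earlier in the section, as an added worked example that is not part of this textbook: it uses Go’s standard library crypto/x509 to stand up a constructed “Example Root CA”, issue a certificate for the hypothetical host shop.example, and then run the browser-side check against a trust store holding only that CA. SignatureChecksOut repeats by hand what the text describes, SHA-256 over the certificate’s to-be-signed fields followed by an RSA signature check with the issuer’s public key, and IsSelfSigned flags the case where issuer and signer are one and the same. All names, serial numbers and validity periods are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a fresh RSA key pair for tmpl and has issuer sign it; a nil issuer means self-signed.
func issue(tmpl, issuer *x509.Certificate, issuerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// siteTemplate holds the subject fields of a web site's certificate; the host name is constructed.
func siteTemplate(serial int64, host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// IssueChain models the CA side: a self-signed root (constructed "Example Root CA"), then a site certificate signed with the CA's private key.
func IssueChain() (caCert, siteCert *x509.Certificate, err error) {
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	siteCert, _, err = issue(siteTemplate(2, "shop.example"), caCert, caKey)
	return caCert, siteCert, err
}

// BrowserAccepts models the browser's check: chain the certificate to a CA in its trust
// store (here a single CA), verify each signature and validity period, and match the host name.
func BrowserAccepts(cert, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// SignatureChecksOut does one link of that check by hand, as the text describes it:
// SHA-256 over the to-be-signed fields, then an RSA check with the issuer's public key.
func SignatureChecksOut(cert, issuer *x509.Certificate) bool {
	pub, ok := issuer.PublicKey.(*rsa.PublicKey)
	if !ok || cert.SignatureAlgorithm != x509.SHA256WithRSA {
		return false
	}
	digest := sha256.Sum256(cert.RawTBSCertificate)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], cert.Signature) == nil
}

// IsSelfSigned: issuer equals subject and the certificate verifies under its own key.
func IsSelfSigned(cert *x509.Certificate) bool {
	return bytes.Equal(cert.RawIssuer, cert.RawSubject) && SignatureChecksOut(cert, cert)
}

func main() {
	caCert, siteCert, err := IssueChain()
	if err != nil {
		panic(err)
	}
	self, _, _ := issue(siteTemplate(3, "shop.example"), nil, nil) // phishing case: self-signed
	fmt.Println("CA-issued:", BrowserAccepts(siteCert, caCert, "shop.example"))
	fmt.Println("self-signed:", IsSelfSigned(self), BrowserAccepts(self, caCert, "shop.example"))
}
```

Run as a program, it prints <nil> for the CA-issued certificate (accepted) and, for the self-signed one, true followed by the “unknown authority” error that a browser turns into the alert the text describes. Presenting the CA-issued certificate for a different host name fails at the name check instead, which is the spoofed-site case: a valid certificate is only valid for the names it binds.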
The process of verifying the “signed certificate” is done by the recipient’s software, which is
typically the Web browser. The browser maintains an internal list of popular CAs and their
112 LOVELY PROFESSIONAL UNIVERSITY