Problems with certificate

Several sites hosted on gnu.org.ua offer SSL encryption. When visiting these sites for the first time, your browser may warn you that it does not know the authority that issued the certificate. The exact wording of such a warning depends on the browser you use, e.g. Mozilla shows something like this:

[ Unrecognized Certificate Box ]

Firefox v.3 goes even further in panicking over this subject, as can be seen here.

In this article we will try to explain what this warning means, and what could be done to fix it.

On SSL Authentication

The acronym SSL stands for Secure Socket Layer, a cryptographic protocol that is designed to prevent eavesdropping, tampering, and message forgery. The two main features SSL provides are authentication and encryption. Authentication means that using this protocol you are sure to know the identity of the web site you are using, that is, nobody can create a fake page and slip it under without your noticing it. Encryption means that entire communication with the web server goes over a cryptographically encrypted channel, so that, even if somebody is intercepting the data, it is almost impossible for him to decrypt it.

At the core of the SSL is a server digital certificate, a piece of data that contains the server public key, needed to create an encrypted connection, and data about the organization that are used to authenticate the server. That certificate is presented to you when you first connect to the server.

It is far beyond the scope of this article to explain the mechanism of the encryption used in SSL. After all, it is a purely mathematical concept. We would like to concentrate on authentication properties of a certificate.

As described above, the certificate contains all information needed to identify the party that is running the site. The question is, however, how one could trust this information? For example, I may create a certificate and store there the information about the organization I run, but how will you know that this information is correct and that it was actually me who created the certificate? The solution used this far is to have a trusted third party sign the certificate. Such a trusted third party, also called a certificate authority, is an organisation that you trust, so that when you see it has signed my certificate, you can be reasonably sure that this certificate contains truthful data about me and my company.

Of course, this method is not perfect. First of all, you have to trust the certificate authority, which raises a classical chicken-and-egg problem: this authority must itself be authenticated, so another third party is needed who will ensure its identity. Now, yet another authority is needed who will ensure the identity of that third party and so on, ad infinitum. Secondly, why should you trust the third party and not trust me? But that raises one of the ethical problems our society is so full of, and which is far beyond the scope of this article.

Whatever its drawbacks, the third party method is the only one we have so far. So, when your browser receives the certificate from the server, it will first of all verify if its signature comes from an organisation that your browser trusts. If the browser does not know who issued the signature it will warn you in more or less alerting words, as shown at the beginning of this article.

A list of certificate authorities built in each browser is composed using a very primitive principle: to be on the list, a soliciting organization must take money for signing certificates, and must be engaged in a sort of group responsibility with another organizations from the list. Sure enough, this method does not approach us a jot nearer the solution of identification problem, but it makes a good living for certificate authorities. As an example, one of the most important certificate authorities issues its certificates for $995, without bothering to ensure that the data you supply in your certificate is correct. You just pay, and it is enough. As a side note, the job of signing a certificate requires typing some 15 to 60 characters, which means they charge $26 for a keystroke on the average. Quite a good business, indeed.

There are, of course, certificate authorities that base their work on another principles, e.g. there are ones that require a notary verification of applicants, but somehow these do not make it to the list.

So the panic message from your browser means that it does not know the authority that signed the certificate. To prevent this message from appearing again, you should simply inform your browser about UPCASE G, the authority that is signing our certificates, by importing its root certificate. To do so, click on this link and follow the directions of your browser. Normally, you will see a similar dialog box:

[ New Certificate Box ]

Select at least "Trust this CA to identify web sites" and press OK.

For verification purposes, here are the fingerprints of this certificate:

MD5 76:DF:EF:63:15:F0:60:85:9B:A0:69:FE:82:14:A6:4D
SHA1 96:1D:DA:79:60:40:F4:7B:97:85:5B:41:9D:49:51:23:48:23:E3:C8

Upcase G

UPCASE G is a non-profit organization specializing in various security-related solutions. In particular, it signs SSL certificates. In the contrast to another certificate authorities, its method of ensuring solicitor identity is based on long-time personal human contacts. Only those people whom we know long enough to be sure of their personal qualities are able to get their certificate signed. In human relations, that is called friendship. We are sure it is the best authentication method we, human beings, invented so far.

Copyright (C) 2008 Sergey Poznyakoff
Verbatim copying and distribution of this entire article is permitted in any medium, provided this notice is preserved.