Can a certificate authority be trusted?

In this expert Q&A, Ed Skoudis reveals what research needs to be done before importing a certificate into your browser.

How are we supposed to check a root certificate out of the hundreds of certs issued by companies we've never heard of? I found VeriSign's page of certificate fingerprints, plus root bundles for VeriSign and Thawte, but checking that those agree with a browser is not easy.

This is one of the dirty little issues of Secure Sockets Layer (SSL) and its related certificates. SSL provides rock-solid encryption between a browser and a Web server. But if you can't verify the certificate, you might have a rock-solid encrypted connection to a bad guy pretending to be your bank. You can't really tell.

Your browser tries to verify the certificate automatically by relying on a group of trusted certificate authorities in its certificate store. (To view them in IE, go to Tools; Internet Options; Content; Certificates; Trusted Root Certification Authorities.) Look in that list of "trusted" companies. Do you trust them? And, do you trust everyone that they've said you should trust? If not, you may want to pare down that list of companies.

If your browser does not trust a given certificate that is presented, it pops up a dialog box about the problem, asking the user if he or she wants to trust the given organization. If the user clicks OK, the default action for IE and Firefox is to trust the certificate for that one session. However, keep in mind that one session is all an attacker needs to undermine a user's account. And most users don't even read or understand the dialog box, so they blindly trust whatever certificate is presented to them.

But you, dear questioner, are obviously smarter than that, hence your question. So, what can you do if you receive a cert warning from your browser, and when you click to get more details, it reveals a company that you don't know? Well, as you point out, you can look at various certificate authorities' lists of trusted certificates, provided that you trust those CAs. Here's a look at VeriSign's certs.

But, how do you know whether you should trust a given CA? The only way you can know for sure is to research the company behind the certificate. Google searches can get you started. Check out a CA's certification practice statement (for an example, look at the one from IdenTrust). If you feel like you want to trust the company, you can get its own certificate, which you can then import in your browser. You can download the root certificates from most CAs by doing a Google search for: site:[CA_Company].com root certificate download. But, make sure you get that certificate from a trusted, legitimate Web site.

As you can see, we have a chicken-and-the-egg problem here. How can you check if a site is legitimate so that you know to trust its certificate? Why, you'd check its certificate, wouldn't you? And therein lies the problem behind SSL.

So, while still trying to do business on the Internet, investigate those CAs that you can, and keep your trust down to a minimum.
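
The fingerprint comparison the question describes can be scripted before a downloaded root is imported. This is an added example, not part of the original column: it hashes every certificate in a PEM bundle and checks each against fingerprints copied from a CA's published page. The function names and the sample bundle are assumptions, and the sample uses constructed placeholder bytes rather than real certificates.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# The hex length of a published fingerprint tells us which hash produced it.
# Prefer the SHA-256 value when a CA publishes more than one.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def pem_to_der(bundle_text):
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(bundle_text)]


def normalize(fingerprint):
    """'AB:cd ef' -> 'abcdef'; reject anything that is not a known length of hex."""
    hexstr = re.sub(r"[\s:]", "", fingerprint).lower()
    if re.fullmatch(r"[0-9a-f]+", hexstr) is None:
        raise ValueError("not a hex fingerprint: %r" % fingerprint)
    if len(hexstr) not in ALGO_BY_HEX_LEN:
        raise ValueError("unexpected fingerprint length: %d" % len(hexstr))
    return hexstr


def check_bundle(bundle_text, published):
    """For each {name: fingerprint} entry, report whether a certificate
    with that fingerprint is present in the bundle."""
    ders = pem_to_der(bundle_text)
    result = {}
    for name, fp in published.items():
        want = normalize(fp)
        algo = ALGO_BY_HEX_LEN[len(want)]
        result[name] = any(
            hmac.compare_digest(hashlib.new(algo, der).hexdigest(), want)
            for der in ders)
    return result


def to_pem(der):
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample: placeholder bytes stand in for real DER certificates,
# because a fingerprint is only a hash over the encoded certificate.
SAMPLE_DER = [b"constructed-root-A" * 20, b"constructed-root-B" * 20]
SAMPLE_BUNDLE = "".join(to_pem(d) for d in SAMPLE_DER)
```

A match only means something if the published fingerprints were obtained over a channel independent of the one the bundle came from; otherwise the check inherits the same chicken-and-egg problem described above.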

This was last published in April 2007