From Aktivix
Jump to navigation Jump to search


This page is here to give more information about site certification - in particular why some readers are likely to find that this site flags a security warning when they try to view it. It was created because I had a query from someone who wanted to join a list that I admin who was worried that she was exposing herself to a security risk by joining the list, and I want there to be some reliable information that I can copy and paste to send to anyone in the future who has a similar query. I am hoping that someone who knows more about the technicalities than I do will edit this page and make sure that it is correct. I've put (*check*) where I'm not sure that what I'm saying is right, and (*edit*) when I think more information is needed. --AndyBaxter 18:22, 4 December 2007 (UTC)

Why does aktivix.org cause a security warning in some web browsers?

The short explanation is that we are unwilling to pay quite large amounts of money for digital certificates from the mainstream bodies which issue these certificates, and have chosen instead to get a free certificate from a certificate authority which is not so widely recognised, but provides much the same thing for free as the commercial companies that mainstream sites use. Although site certificates are meant to ensure that you are indeed viewing pages from our server and not somewhere else, this only works if you, or the people who distribute your web browser, have decided to trust the certificate authority which issues them. Most browsers are configured to trust a list of around 20-30 bodies which issue certificates to websites but the one we use, cacert.org, is not included in this list for many popular browsers. This means that you have to make a personal decision whether to trust certificates from cacert.org, rather than having this decision made for you by the people who distribute your web browser. The rest of this page goes into more detail about what site certificates are, and why aktivix.org use ones from cacert.org, so that you can make up your own mind whether you are happy to view pages from this site. It's worth noting at this point that:

  • The kind of attacks described below are difficult and rare, so it's not worth worrying too much about them. This information is meant to let you know more about why this site can cause a security warning, and give you some basic information about what a secure site is so you can judge for yourself how far to trust them, not to frighten you off using the net, or this site, at all.
  • When you sign up to an email list or view a wiki page on this site, you are not revealing a great deal of personal information in any case. Viewing a page here would just tell someone your internet address and the name of your ISP, and signing up for a list would reveal your email address but not any other personal information. In other words it's not like someone breaking into your online bank account.

What do certificates protect against?

Normally, when you view a web page, your browser sends a request out onto the internet which is addressed to another machine, elsewhere on the net, which keeps the pages for the web site you are looking at. The request contains the address of the page you are looking for, plus some other information. The server then sends back a reply containing the data of the page, and your browser displays this on your screen. There is usually no direct connection between browser and server - instead the numerical address which is included in every packet of data sent onto the net is used by a series of intermediate machines, called routers, to send the data to the right part of the net. There may be several routes the data can take, and it is even possible for the packets making up a single web page to have come back to you through more than one route. When the system is working normally, a packet sent to a particular address will be routed to the correct machine, the return packets will go back to the machine that sent out the request, and the network itself makes sure that you are talking to the right machine. However, there are various ways in which this process can be hijacked to allow a third party to spy on, interrupt, or modify the traffic, or to route traffic to a server it is not intended for. (*edit* - which I know very little about - could someone maybe fill in a few sentences here?). The two main attacks that secure sites, and site certificates, are meant to prevent are:

  • Someone who wants to spy on or modify the traffic between you and the server.
  • Someone who is routing data intended for one server to another one which they control.

The section below explain more about how secure sites work.

Public key encryption

This is a summary of information on various pages from wikipedia.org, which you should read if you want fuller information. See http://en.wikipedia.org/wiki/Certificate_authority, http://en.wikipedia.org/wiki/Transport_Layer_Security and pages linked from there. Modern cryptography, as used for secure communication on the internet, uses a system called public key encryption, in which each person or organisation has two keys, a public one and a private one. Messages can be encrypted using the public key, but can't be decrypted without the private key - the public key alone isn't enough - so it is safe for people to give others their public key knowing that only they can decode messages encrypted using it, as long as they keep their private key safe. This is used to enable secure communication on the internet, among other things. When your browser contacts a web server using secure http, the server replies with its public key, which the browser then uses to encrypt a message containing another key. This key is then used to encrypt the data being transferred between browser and web server. Public key encryption is too slow to be used to send large amounts of data in real time (*check*), so a more traditional cipher is used for this part, which relies on a single secret key which only the browser and server know. Whenever you see 'https://' in the browser's address bar, this scheme is being used. For example when you log in to a secure site it protects your password. This scheme (which is known as Secure Socket Layer, or more recently Transport Layer Security) is your main defence against someone eavesdropping on the connection between you and the server, but is not complete without some way of guaranteeing that the server which sent you the initial public key is the one you thought it was.

Digital certificates

So far, so good - people can now send data over the internet without anyone who might be eavesdropping on the connection being able to read the data. However, there is still the risk of impersonation - in principle someone who was able to hijack part of the connection between your browser and the server could direct traffic to that server to another server which they control. This is the problem that digital certificates, and certificate authorities, are meant to solve. Suppose that someone who has malicious intentions towards you or the site you are talking to has control over one of the machines that your data is routed over, and that this machine is the only route, or the most commonly used route, the data takes. They could set up a fake server which would send you its own public key, and although the connection between you and this server would be 'secure', you wouldn't be talking to the server you thought you were. Site certificates are meant to prevent this kind of attack. These are documents containing some information about the site, in particular its domain name, which have been digitally signed by a certificate authority. By issuing one of these certificates, the certificate authority is certifying that the person or organisation they issued the certificate to is the legitimate owner of that domain name. These signatures can be checked using a variant of public key encryption. Here the private key is used to sign documents in such a way that anyone who has the corresponding public key can be sure that only the person who has the private key could have made that signature. When talking to a secure website, what happens is that your browser will look at the certificate and check it using the public key of the relevant certificate authority. If it checks out, then the browser knows that that CA has vouched for the owner of the certificate as being the legitimate owner of that domain name, and proceeds with the rest of the connection. If the signature is invalid, or the browser doesn't have a key for that CA, then a warning message is displayed.

Certificate Authorities

(*edit* This needs filling in a bit) The way certificate authorities decide whether to vouch for a person or organisation depends on the CA concerned. Most are run as commercial businesses, and charge fairly large amounts of money yearly to issue a certificate to a site. Cacert.org certifies sites on the basis that if mail sent to postmaster@sitename.org reaches a given person, then that person must be the legitimate owner of the domain sitename.org (which is a fair assumption). These certificates are free, partly because the certificates are issued automatically by their server to anyone who asks for one, and partly because cacert is not run as a commercial business. One reason why not everyone uses cacert.org to certify their site is that it is not in the list of CAs considered trustworthy by the organisations who distribute mainstream web browsers. In particular, neither microsoft nor mozilla.org (who release firefox), include cacert's public key in their browsers, which means that many people will get a warning message when they try to view this site.

Cacert and aktivix.org

(*edit* I think someone who is more involved than I am in aktivix.org should write this bit, which is meant to explain why aktivix.org has chosen to use cacert as its certificate authority)

aktivix.org certificates and fingerprints

A list of current fingerprints of for aktivix.org services is on Aktivix.org service certificate details

What you can do

This section explains what you can do if your browser has flagged up a warning, in particular if you were trying to view the subscription page of an aktivix.org email list. Some of your options are:

  • Decide to trust that your connection to aktivix is working normally, or that you don't care if the limited amount of personal information you are disclosing is found out by someone else, and tell the browser to allow access to aktivix.org either temporarily or permanently.
  • In the case of email lists, you can subscribe by email. For a list called MyList@lists.aktivix.org, you would send an email to MyList-request@lists.aktivix.org with the subject line 'help' and no body. The list server will then send you back more information on how to subscribe.
  • You could also contact the list owner directly and ask them to subscribe you. In this case, send mail to MyList-owner@lists.aktivix.org .
  • Or, if you have managed to follow the explanation above, and are happy that cacert.org is a reliable certificate authority, you can manually add their public key to your browser's key ring by visiting http://www.cacert.org/index.php?id=3 and clicking on the link which says 'Root Certificate (PEM Format)' then following your browser's instructions. This will remove the warning on this site, and also any others which are certified by cacert.org.