In my techno thriller Counting from Zero one character asks “isn’t it just about who you trust?” It is a key question in Internet and computer security, as well as in life.
One everyday example on the Internet relates to something called digital certificates. When we do online banking, enter our credit card information, or log in with a secret password to a site, we rely on our web browser to provide us with a secure browsing connection, that is, a connection across the Internet that is encrypted in both directions. Our web browser uses digital certificates to ensure that when we do our online banking, we are communicating with our bank, and not some site pretending to be our bank so they can steal our information and empty our bank account. You will see a padlock or other icon displayed to show that the connection is secure.
Certificates are issued by companies called Certificate Authorities. We trust these companies not to issue bogus certificates or to issue certificates to the wrong people. However, apparently that is what has just happened. Here is an article in Network World about it. Bogus certificates were issued for a number of sites including Google, Yahoo, Windows Live, and others.
When a certificate has been issued in error, it is possible to revoke it, so that your browser will no longer accept it. The bad certificates have already been revoked, and good browsers, listed in the Network World article, will stop trusting the bad certificates immediately. However, Microsoft has issued an emergency software update to fix an issue in Internet Explorer related to this. If you use IE you should install the update right away, and perhaps consider switching to a browser such as Firefox.
In Counting from Zero, digital certificates and revocation play a part in the plot, relating to the main character’s attempts to fight a botnet, a collection of compromised computers on the Internet. Also, other issues relating to certificates are discussed, including the question: “What does it mean when my browser gives me an error message about a certificate? Should I just click OK?” The short answer is, of course, No!
Another time I’ll write about my personal difficulties in buying and installing a certificate for my book website https://countingfromzero.net. Notice the URL begins with ‘https’. If you click on the padlock on your browser, you can see details of the encryption and the certificate. I’ll also blog another day about a VoIP security protocol called ZRTP that I’ve been involved with that does away entirely with certificates and all these problems.