A customer called up concerned the other day after getting a dire-looking warning in Firefox 3 regarding a self-signed SSL certificate.
“The certificate is not trusted because it is self signed.”
In that case, she was connecting to her Plesk Control Panel and she wondered if it was safe. I figured the explanation might make for a worthwhile blog entry, so here goes.
When you connect to an HTTPS website, your browser and the server exchange certificate information, which allows them to encrypt the communication session. A certificate can be signed in one of two ways: by a certificate authority (CA), or self-signed. Either kind is just as good from an encryption point of view. Keys are exchanged and data gets encrypted.
So if they are equally good from an encryption point of view, why would someone pay for a CA-signed certificate? The answer comes from the second function of an SSL cert: identity.
A CA-signed cert is considered superior because someone (the CA) has said “Yes, the people to whom we’ve sold this cert have convinced us they are who they say they are”. This convincing is sometimes little more than presenting some money to the CA. What makes the browser trust a given CA? That would be its configured store of trusted root certificates. For example, in Firefox 3, if you go to Options > Advanced > Encryption and select View Certificates, you can see the pre-installed trusted certificates under the Authorities tab. Provided a certificate has a chain of signatures leading back to one of these Authorities, Firefox will accept that it is legitimately signed.
To make the browser completely happy a certificate has to pass the following tests:
1) Valid signature
2) The Common Name needs to match the hostname you’re trying to hit
3) The certificate has to be within its valid time period
A self-signed cert can match all of those criteria, provided you configure the browser to accept it as an Authority certificate.
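The three tests above, and the effect of adding a self-signed cert to the trust store, as an added Go example (not code from the original post). The hostnames and helper names are assumptions, and because Go's verifier matches the hostname against the subjectAltName rather than the Common Name, the constructed sample cert carries both.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned builds a constructed sample certificate signed with its own key.
func newSelfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // SAN entry: this is what Go compares the hostname to
		NotBefore:    notBefore, NotAfter: notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // parent == template: self-signed
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// check applies the three tests: chain to a trusted root, hostname match, validity period.
func check(cert *x509.Certificate, trusted *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host, CurrentTime: now})
	return err
}

func main() {
	host, now := "panel.example.test", time.Now() // hypothetical control-panel hostname
	cert, err := newSelfSigned(host, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool() // empty store: nothing vouches for the cert yet
	fmt.Println("not in trust store:", check(cert, trusted, host, now))
	trusted.AddCert(cert) // the equivalent of accepting it as an Authority certificate
	fmt.Println("in trust store:", check(cert, trusted, host, now))
	fmt.Println("wrong hostname:", check(cert, trusted, "bank.example.test", now))
	fmt.Println("after expiry:", check(cert, trusted, host, now.Add(48*time.Hour)))
}
```

Only the second call returns a nil error; the other three fail on trust, hostname and validity period respectively.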
Back to the original question… is it safe to work with a certificate which your browser has flagged as problematic? The answer is yes, if the problem is expected, such as hitting the self-signed cert on a new Plesk installation. Where you should be concerned is if a certificate that SHOULD be good, such as your bank's, is causing the browser to complain. In that case further investigation is definitely warranted. It could be just a glitch or misconfiguration. It could also be someone trying to impersonate the target site.
Until next time… go forth and encrypt everything!