Liability Allocation in a Public Key Infrastructure," which appears in Volume 33 of the San Diego Law Review. He serves as Vice Chair of the Electronic Commerce Subcommittee of the American Bar Association's Committee on the Law of Commerce in Cyberspace.
Chapter 7. Certification Authorities and Server Certificates
7.3 Server Certificates
7.3.4 When Things Go Wrong
When a web browser makes a connection to an SSL web server, it performs checks on a number of the fields in the server's X.509 v3 certificates. When the contents of a field don't match what the web browser expects, the browser can alert the user or disallow the connection.
This section summarizes some of the problems that can befall even the most well-intentioned site administrators.
7.3.4.1 Not yet valid and expired certificates
When a web browser opens an SSL connection to a server, it checks the dates on the certificates that the server presents to make sure that they are valid. If the certificate has expired (or if the client's clock and calendar are not properly set), the browser will alert the user.
If the server's certificate is not yet valid, Netscape Navigator 3.0 will display this message:
[KEY ICON]
sitename is a site that uses encryption to protect transmitted information. However the digital Certificate that identifies this site is not yet valid. This may be because the certificate was installed too soon by the site administrator, or because the date on your computer is wrong.
The certificate is valid beginning Tue Jan 04, 1996
Your computer's date is set to Thu Nov 08, 1990. If this date is incorrect, then you should reset the date on your computer. You may continue or cancel this connection
[CANCEL][CONTINUE]
If the certificate is expired, the words "not yet valid" will be replaced with the word "expired." Pressing "Cancel" aborts the download. Pressing "Continue" carries on, as if the certificate were valid.
If the date on the end user's computer is wrong (as is the case in the example above), then the user will get another message saying that the certification authority is not good yet either, as shown in Figure 7.3.
Figure 7.3.
Pressing the "More Info..." button reveals the certificate for the certification authority, as shown in Figure 7.4.
Figure 7.4. Result of pressing the "More Info..." button (Netscape Navigator 3.0)
Internet Explorer 3.0 simply displays an error message, as shown in Figure 7.5.
Figure 7.5.
7.3.4.2 Wrong server address
Web server certificates contain a special field that indicates the Internet hostname of the computer on which the server is running. When a browser opens an SSL connection to a web server, it checks this field to make sure that the hostname in the certificate is the same as the hostname of the computer to which it has opened a connection.
The purpose of this check is to ensure that certificates will be used only on the particular machine for which they are issued. This allegedly provides more security: through an attack called DNS spoofing, it's possible to confuse the client computer's system that translates between domain names and IP addresses. The client
Because of this checking, if you change the name of your web site, you will need a new certificate. For example, if your web site is at www.company.com, and you decide that forcing people to type "www." is stupid, you will need a new certificate when you change your web site's address to company.com.
Netscape Navigator Version 3.0 handles this situation quite gracefully. It displays a Certificate Name Check window. The message inside the window says:
The certificate that the site sitename has presented does not contain the correct site name. It is possible, though unlikely, that someone may be trying to intercept your communication with this site. If you suspect the certificate shown below does not belong to the site you are connecting with, please cancel the connection and notify the site administrator.
Here is the Certificate that is being processed:
Certificate for: Company Name
Signed By: Certification Authority
Encryption: Encryption technique [More Info...]
A friendly "More Info..." button lets you display the site certificate and the certificate of the CA.
Microsoft's Internet Explorer 3.0 allows you to set whether or not you wish to check hostnames. If this check is enabled, Internet Explorer displays a similar message, as shown in Figure 7.6.
Figure 7.6. Internet Explorer 3.0 asks if you want to check hostnames
Clicking "View Certificate..." lets the user view the certificate. Clicking "About Security..." brings up the Microsoft Internet Explorer help system. And clicking "Do not show this warning" disables the check on future web pages.
Further information can be found at http://search.netscape.com/newsref/std/ssl_2.0_certificate.html.
7.3.5 Netscape Navigator 3.0's New Certificate Wizard
If you connect to a web site that has a certificate that was not signed by one of the certification authorities that is built into your web browser, Netscape Navigator 3.0 will run a "wizard" that will allow the user to add the new certificate. The certificate must be added to Navigator 3.0's database to establish secure communications with the site.
Navigator's new certificate wizard can be used to add new CA certificates as well as site certificates for sites that are signed by unknown CAs.
To demonstrate this, Simson created a certificate for Vineyard.NET, Inc., signed by Vineyard.NET's secret key. He then clicked into his own self-signed web site. Netscape Navigator displayed a series of ugly dialog boxes that only a geek could love. They look equally bad under Windows, UNIX, and the Macintosh operating systems. The first box is shown in Figure 7.7.
Figure 7.7. Netscape Navigator 3.0's dialog boxes could only be loved by a geek
Here's the text for Netscape's New Site Certificate box:
vineyard.net is a secure web site. However, Netscape does not recognize the authority who signed its Certificate.
Although Netscape does not recognize the signer of this Certificate, you may decide to accept it anyway so that you can connect to and exchange information with this site.
This assistant will help you decide whether or not you wish to accept this certificate and to what extent.
This panel means that Netscape Navigator 3.0 will switch into encrypted mode, but it can't guarantee that the web site you are communicating with is actually "who" it claims to be.
Because the site's certificate isn't signed by a recognized CA, Navigator has an option that can notify you before you send information to the site through a forms-based submission. A checkbox on the third panel allows you to control this option:
If you click Next, you'll get the second panel:
Netscape: New Site Certificate
Here is the Certificate that is being presented:
Certificate for: Vineyard.NET, Inc.
Signed by: Vineyard.NET, Inc.
Encryption: Export Grade (RC4 Export with 40-bit secret key)
The next window has more information:
The information that Navigator displays is taken directly from the X.509 certificate. Specifically, Navigator displays the distinguished name, the common name (CN), the organization name (O), and the country (C). Once you have installed the certificate for a site in this manner, you can exchange information with it using SSL. However, as the warning indicates, because the site's digital certificate was not signed by a recognized CA, you don't really have any assurance as to whom you are communicating with.
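The three checks described in sections 7.3.4.1, 7.3.4.2 and 7.3.5 (validity dates, hostname, recognized signer) can be modeled in a few lines. This is an added example, not code from the book or from any browser: the function and helper names, the sample CA and the expiry date are assumptions made up for illustration. Matching is exact and case-insensitive with no wildcard support, and the issuer is compared by name only.

```python
import ssl
from datetime import datetime, timezone

def name(cn, org):
    """Build a name in the nested-tuple shape ssl.getpeercert() uses."""
    return ((("organizationName", org),), (("commonName", cn),))

def check_server_cert(cert, hostname, now, trusted_issuers):
    """Return the problems a browser would report for this certificate."""
    problems = []
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    elif ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")

    # Hostname check: dNSName entries take precedence, otherwise the CN.
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert["subject"] for k, v in rdn if k == "commonName"]
    allowed = [n.lower() for n in (san or cns)]
    if hostname.lower().rstrip(".") not in allowed:
        problems.append("wrong server address")

    # Simplification: compares issuer names only; a real client verifies
    # the signature chain up to a CA certificate in its trust store.
    if cert["issuer"] not in trusted_issuers:
        problems.append("unrecognized signer")
    return problems

# Constructed sample data. Only the 1996 start date and the 1990 clock
# come from the dialog quoted on the page; the rest is made up.
CA = name("Example Root", "Example Certification Authority")
TRUSTED = {CA}
COMPANY = {"subject": name("www.company.com", "Company Name"), "issuer": CA,
           "notBefore": "Jan  4 00:00:00 1996 GMT",
           "notAfter": "Jan  4 00:00:00 1997 GMT"}
SELF = name("vineyard.net", "Vineyard.NET, Inc.")
VINEYARD = dict(COMPANY, subject=SELF, issuer=SELF)

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(check_server_cert(COMPANY, "www.company.com", utc(1990, 11, 8), TRUSTED))
    print(check_server_cert(COMPANY, "company.com", utc(1996, 6, 1), TRUSTED))
    print(check_server_cert(VINEYARD, "vineyard.net", utc(1996, 6, 1), TRUSTED))
```

The dict layout matches what Python's ssl.SSLSocket.getpeercert() returns, so the same function can be pointed at a certificate fetched from a live server during an audit.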