Economic Privacy

Security Certificates

Tyrone Thursday July 10, 2014

When you visit a web site that is using transport layer security (TLS), or the older secure sockets layer (SSL), the web server should present a security certificate to your browser. You might be familiar with the way the web address for "secure" web sites appears in your browser's location window with https:// instead of simply http:// as the beginning part of the location. That "s" represents "secure."

But, how secure is it? And, given that you are not a trusting soul, who are you trusting with this security? It should make a difference to you, since you will see that "https" invoked on the web pages where you are asked for information such as your credit card or log-in particulars. Given that you don't trust the web page without seeing its security certificate, how do you know you can trust it *after* seeing the certificate?

Or, put another way, are you simply multiplying entities without any reason to do so? William of Ockham, a scholastic philosopher in Fourteenth Century England, argued that a solution that has fewer assumptions is more likely to be correct than one that has more assumptions. If you don't know who made the web site well enough to trust them, but you trust the people who issued them a security certificate, even though you don't know those people, either, you are not any better off. You might be worse off, since you might be trusting more people you have no information about.

Your browser probably has a "root certificate list" referenced somewhere in its code. So, when your browser goes to a web site that is preceded by https, it queries that site's server for the security certificate. It then attempts to establish whether that certificate is signed by a certificate authority found in the browser's root certificate list.

Unfortunately, having a security certificate signed by an official certificate authority presents a certain amount of risk. In particular, people in government may demand that the certificate authority supply them with another apparently valid site certificate. They would then be able to use this certificate to carry out a man-in-the-middle attack in order to capture all the traffic to that site, without detection either by the visitors or even the site itself.

There are various other reasons to be sceptical of the security of transport layer security web sites. They use a level of encryption that has been broken by the NSA, according to documents released by Edward Snowden. But, given that the transport layer security in place is better than nothing, what can we do to protect ourselves from the man-in-the-middle attack by (evidently untrustworthy) government agencies? The answer is to use a self-signed site certificate, which we at SilentVault.com are doing.

Your web browser won't warn you against visiting our site because we did opt for a certificate authority issued site certificate. On other sites which do use self-signed certificates, you can work your way past those warning screens. As you do so, you should check the site certificate and record the key fingerprint for the site. When you visit the site in the future, check the page info (in Firefox, under the Tools menu) and the security tab should reveal the key fingerprint.

For SilentVault.com, we opted to use a certificate issued by GoDaddy.com to avoid all the warning screens that make many people nervous. Although we don't agree with the warning screens, we are trying to make a service that appeals to enough people in the world to make a profit for our company. Even so, you may want to look at the security certificate from time to time to verify that it remains the same certificate.

For our site certificate, the SHA1 Fingerprint is CB:E6:B4:CD:B9:FD:7C:88:B0:08:96:2E:BB:0A:1F:AB:F9:BD:2F:2C

The MD5 fingerprint for our site is: 60:51:83:E1:E0:77:33:3F:3A:3A:B4:EC:0E:CF:7B:94

You should also be aware that the SilentVault.com site itself is not involved in actual transfers from one wallet to another. Payments are made using the Voucher-Safe network, which has its own security features.

If you find the process of tracking fingerprints for secure sites to be bothersome, there are plugin extensions for web browsers which automate this task for you. Certificate Patrol at http://patrol.psyced.org/ is an example. A plugin such as CertificatePatrol will warn you even when a CA-signed "official" certificate changes, which makes possible the detection of a man in the middle (MITM) attack by government or anyone else.

Another useful plugin is HTTPS Everywhere, from the Electronic Frontier Foundation:


This plugin automatically substitutes https for http for numerous popular sites.

Now, having reviewed the issue of whether you are more or less secure trusting a certificate authority that has issued a site certificate for a site that you aren't sure you trust, you might apply this same reasoning to people you don't know whether to trust and the driver licensing authority for your region. If you don't know the person with whom you are dealing, are you trusting more or fewer persons if you ask to see their government-issued identity papers? Obviously, you would be trusting more persons. Worse, the people you are trusting to issue a valid government ID are almost certainly completely unknown to you. So, instead of trusting a complete stranger standing in front of you, because you see his or her ID, you are trusting a set of complete strangers you aren't anywhere near.

The point of that particular analogy is that the government isn't making your world safer and more secure by issuing identity papers to everyone. Back in the 1940s, when a character in a film would say "papers please" many audiences would boo loudly to indicate their displeasure. After all, it was the very large capital letter "J" on German identity papers of the 1930s and 1940s that led a great many individuals to be sent to death camps. The identity system is not serving your best interests. You should be wary of it.