
Chain Certificates

Tuesday, August 31st, 2010 | Bruce Morton

What are chain certificates? Chain certificates are referred to by many names — CA certificates, subordinate CA certificates or intermediate certificates.  Confused yet? Let’s break it down.

It all starts with something called a root certificate. The root certificate is generated by a certification authority (CA) and is embedded into software applications. You will find root certificates in Microsoft Windows, Mozilla Firefox, Mac OS X, Adobe Reader, etc. The purpose of the root certificate is to establish a digital chain of trust. The root is the trust anchor.

The presumption is that the application developer has pre-screened the CA, ensured it meets a minimum level of trust and has accepted the CA’s root certificate for use. Many application developers, including Adobe, Apple, Mozilla, Microsoft, Opera and Oracle, have root certificate programs. Others rely on the roots provided by the underlying operating system or developer toolkit.

One of the main functions of the root is to issue chain certificates to issuing CAs — the first link in the chain of trust. Your Web browser will inherently trust all certificates that have been signed by any root that has been embedded in the browser itself or in an operating system on which it relies.

Why do you need an issuing CA? The purpose of the issuing CA is to isolate certificate policy from the root. Issuing CAs can be used to issue many different certificate types: SSL, EV SSL, Code Signing, Secure Email, Adobe CDS, etc. These certificate types are subjected to different requirements and risks, and as such have different certificate policies. The certificates may have different assurance levels such as high, medium and low. Issuing CAs may also be controlled by an organization other than that which controls the root.

The last link of trust is that between the end entity certificate and the issuing CA. In the case of an SSL certificate, the end entity certificate represents the linkage between a website owner and the website domain name. The SSL certificate is installed on the Web server along with the chain certificate. When a user browses to the website protected by the SSL certificate, the browser initiates the verification of the certificate and follows the chain of trust back to the embedded root.
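The check described above, as an added example that is not part of the original post: it builds a constructed three-tier hierarchy (root, issuing CA, end entity) with the `openssl` command line and verifies the end entity certificate with and without the chain certificate. All subject names, file names and function names are assumptions made for the demo.

```shell
# Added example: constructed demo PKI, every name and file here is made up.
set -eu
# Create a key and CSR for subject $2 under path prefix $1.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build root -> issuing CA -> end entity certificate in directory $1.
build_demo_pki() {
  d="$1"
  cat > "$d/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  new_csr "$d/root" "Demo Root CA"
  new_csr "$d/issuing" "Demo Issuing CA"
  new_csr "$d/leaf" "www.example.test"
  # The root is self-signed: it is the trust anchor.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null
  # The root signs the chain (issuing CA) certificate.
  openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 1 -days 30 -extfile "$d/ext.cnf" -extensions ca \
    -out "$d/issuing.pem" 2>/dev/null
  # The issuing CA signs the end entity (SSL) certificate.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" \
    -set_serial 2 -days 30 -extfile "$d/ext.cnf" -extensions leaf \
    -out "$d/leaf.pem" 2>/dev/null
}

# The server sent the chain certificate along with its own certificate.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/issuing.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# The server sent only its own certificate; the client knows just the root.
verify_without_chain() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
verify_with_chain "$demo_dir" && echo "with chain certificate: OK"
verify_without_chain "$demo_dir" || echo "without chain certificate: verification failed"
```

The second verification fails because the client cannot find the issuer of the end entity certificate, which is the situation a Web server creates when the chain certificate is not installed.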

In some cases, the CA may have chosen to issue end entity certificates directly from the root CA. This is an outdated practice; issuing directly from the root increases risk and limits how certificate policy can be managed and enforced. Issuing directly from the root can also impact performance, as the browser may have to verify a large certificate revocation list (CRL) during its chain validation process. Major public CAs are discontinuing or limiting this practice.

When you receive an Entrust certificate, we provide any required chain certificate complete with installation instructions.

Is Your Browser Safe?

Monday, January 18th, 2010 | Steve Duncan

An interesting article appeared on BBC today outlining how France and Germany are urging users to abandon Internet Explorer due to a vulnerability that allows malicious code to attack sites.  Those claims are bound to get headlines.

When you read further into the article, however, it’s clear that the vulnerability affects version 6 of Internet Explorer, not the latest version 8. In fact, all older versions of browsers are susceptible to malicious software. Rather than urging users to abandon their current browsers (which brings on a whole new set of challenges), users should be urged to update their browsers.

Older versions of browsers could be the greatest threat to online security.  Taking a look at the last 50,000 visitors to Entrust.net I thought it would be useful to see who’s using the latest version of which browser.  Of the Internet Explorer users, only 36% were using the latest version 8 of the browser.  Of the Mozilla Firefox users, 39% were using the latest version.  It’s a little better when you examine other browsers such as Safari, Chrome and Opera but their total share is just over 10% combined.

There was a time when CA vendors sold SGC certificates that would provide security for very old browsers (at least 9 years old!).   It’s possible some CAs still charge a premium for these.  The thinking was that there’s bound to be a small handful of users that need to conduct transactions securely on browsers that didn’t offer strong encryption.  In fact, websites would be doing these users a favor by not allowing the secure connection, given how risky their old browsers are.  Entrust wrote a white paper on this very subject.

The best defense, whether you’re using Internet Explorer, Firefox or any other browser, is to make sure you’re using the latest version that has been adequately patched.