February 21, 2020

As Signing Certificates involved for me? And how can I be sure?

As Signing Certificates involved for me? And how can I be sure?


In recent months we have a number of situations in which the problems in the certification bodies may unauthorized signature permission

Createor existing signature certificates should be used in a way that is not legitimate. In both cases we have seen that the certification bodies involved rapid response by the revocation of certificates and revocation push into the high-priority updates many puter possible.

Great. But what has all this nonsense?

For example, you can (to think, to ensure that with https that the website that you thought they were visiting) to create a website with HTTPS, but in fact they were not.

rogue certificates for signature not only cause this problem, but you can use one of main elements, that we all depend to remove, and maybe even hold it for granted.

Do not panic, because it notmon ignore not, because if it happens, it’s serious.

must understand This whole chain of events we – is to understand how digital signatures and certificates work, how they relate to the website, and perhaps most importantly, how – at least at a high level lawfully created.

And it all begins with a brief overview of important form of encryption, and the importance of secrets.

Because it’s all a bit too long, I’m going to start with the bottom line.


Certificates: Baseline

averageputer For the user is really a very simple statement we hear all the time:

Keep your system up-to-date

As I mentioned earlier, the false certificates, certain types of attacks. However, the system of mechanisms for “aside” known bad certificates. But of course, only to overrule the familiar and that means that your system has this knowledge.

In scenario discovered recently, Microsoft has an off-cycle update was available for all affected systems.

Use Windows Update to Windows as possible up-to-date. Keep your browser up as possible to keep.

is the single best defense against this specific type of vulnerability.

Well, what turns the fuss is all about …

Asymmetric encryption

Normally, when we think of encryption, we offer a one-time password (or passphrase) to encrypt data and then use the same key to decrypt the data. Unless you somehow know the correct password can decrypt the data.

This is , because of the symmetry – the same password in both the process terminates.

How to guess from the name, is different. The process begins with the generation of a mathematical pair password.

You can do anything you want, but the password must be in a special way that fits beputed to use the encryption algorithm. The results look nothing like passwords, but are simply large quantities, so that instead of calling the passwords, called “keys” and the two are together called generates a “key pair”.

The magic is simple: If we have a few buttons A and B.

  • encrypted data with the “B” key can only be decrypted with the key “A”

Read This is again, if basic, fundamental to this process. This is what most people go:

  • encrypted data by pressing “B” can NO is decrypted with the key “B”.

with a coding, decrypted with the other. That’s the only way it works.

For me it is really magical, but I realize that it justplex math here at work.

Public versus private

In practice, when asymmetric key pairs are created, a “public” key and the other as “private”, which is the basis for . This allows two important applications asymmetric encryption:


  • If you encrypt something with my Public button, then you know that I can only decrypt with my Private button. This allows a secure encrypted data to me, that no one can decipher send.
  • If you encrypt something with my Private key can decrypt someone with my public and so we know that I wish I could have coded . This allows me to prove that I am the source of information, because no one else could be encoded.


What’s important here is that the private key is kept Private . If my private key into the hands of another person, you can decrypt data that is performed by me, and I can say that the data is encrypted, I had not.

This is the reason why private key as a very high security. I have saved me on a hard drive with TrueCrypt encryption – Yes, my private key for asymmetric encryption is symmetric encryption using TrueCrypt protected very long password. My public key, on the other hand, .

Digital Signatures


more in the mix: .

A hash is computed nothing more than a number of other figures. Remember, however, that inputers everything is a number. For example, the text of this paragraph is really just a series of numbers, so for each character, including spaces and.

A simple hash may be the result of the sum of all the numbers. Of course, in practice significantly moreplex hashes. In particular hashes in cryptography uses some very important features are:


  • how small changes hashed data should result in a large change in the resulting hash.
  • It would never be possible to reconstruct the original data from the hash value.
  • It is not for data-hash, that would generate a hash value set.


What does this have to do with signatures? Again math is hard, but the concept is very simple:


  • I can send an e-mail message (for example – a file or a document would be sufficient).
  • Once you create finished, I e-mail. About this hashing algorithm to generate the hash
  • I encrypt the hash with my private key.
  • I contains the hash value encryption to send the message.


, the well-known as a .

What did it all get to me? Confirmation of my identity as the sender and the confirmation that the message has not changed after the signing.

, such as:


  • If the hash value of encryption can be decrypted with my public key, I wish I could have coded with my private key. It would have been me.
  • If the decrypted hash value with the hash value calculated on the basis of the message by the recipient, the message has not changed since I sent it.


With all of the basics out of the way, we can start thinking about certificates and websites.


is a simplification, but a is not much more than a public key with some additional data, which is digitally signed by a third party.

For example, if someone asks you a public key and says, “This is the public key of Leo,” You have to rely on them to be honest and really give Leo public key.

On the other hand, if the public key is also digitally signed by a person other than you must not rely on those key – the validation of the digital signature of a certificate, you can also check if the third party also endorsed claims that Leo button.

If you rely on a third party, you can be sure that Leo is the key.

> This is what happens with https websites.

> If you have a website to visit to https – I own my > as an example – one of the first things the website does is gives the browser of your public key in the form of a certificate.

> Well, without further validation that really tells you very little. The website claims coincides secure.pugetsoundsoftware and public key of what the site use than their private key, but could be created > all > .


> But my certificate is > signed > . I gave my public key to GoDaddy performed basic validation, it was me, I claim to be, and they in turn signed my certificate with a private key. (That’s all “buy

> In this way, like GoDaddy trust – or rather, if you trust your computer GoDaddy, you can be sure that my certificate is valid and that the site connects you – secure.pugetsoundsoftware – really belongs.

> The same applies to signed software. A digital signature can be used in the software that will be used to confirm that the software has not been altered and ITES who says he can be included toe.

> Certificate Authorities

> In the above example is GoDaddy, which is a “Certificate Authority” or simply “CA” – a company that is authorized to sign certificates for use on the Internet.

> If you already have a lot of love and detail at this moment (do not blame you if you are asleep Smile > ), you have a question at this point:

> “If GoDaddy-signed certificate with the private key, how to know your public key, and how, > is > is valid? “

> under the “root certificate”.

> updated on your computer to Windows Update (or, in some cases is in your browser and updated browser updates installed) are a number of certificates of the CAs that the computer or browser implicit trust from the beginning.

> In Internet Explorer, click on the > Tools > Menu > Internet Options > menu item, the > Content > tab, the > Certificates > key, and finally, > Trusted Root Certification Authorities > tab. This long list will appear something like this:


> In my system, there are 39 “Trusted Root Certification Authorities” and GoDaddy’s on one of them.

> If you > real > with eagle eyes, and now I’m going to ask this question:

> “Beware the trusted root certificate for” Go Daddy Class 2 Certification Authority “, but the certificate is signed by” Go Daddy Secure Certification Authority “- Mismatch”

> Not really.

> Some types of CAs can create another CA, certificate chain, or what is called path.


> The certificate for “secure.pugetsoundsoftware” was from an intermediate CA named “Go Daddy Secure Certification Authority” whose own certificate is signed by “Go Daddy Class 2 Certification Authority” signed.

> During a certificate chain terminates at a trusted root certificate installed on your computer is, the trust chain is intact.

> Now it gets interesting.

> Rogue CA

> You can see immediately that, if the private key of a root CA certificates can be stolen then hackers who create as valid allputers are trusted access.

> To the best of my knowledge, that never happens.

> But the same can not be said of the intermediate CA. In 2020 a pair of stations have been hacked and the hacker could Intermediate CA certificates signed by the root CA certificate, so they create “valid”.

> using certificates, which he had created, you can use certificates for the website > all > website that can be trusted intermediate certificate, because that seemed valid and trusted by a root CA. This would fake certificates were then used to “man-in-the-middle” attacks against the Iranians to be carried out on sites like Gmail tries.

> accidentally In a separate incident, Microsoft this flag of allowances to be provided as part of the system “This certificate can be used for code signing.” Citing Sophos Naked Security blog “:

> The Microsoft Terminal Server licensing is used for the administration of licenses and registration in many business environments. Microsoft should be wrongly issued for use on these servers, which can be used to digitally sign code.

> this finally hackers malicious code softwareing, valid Microsoft as part of Windows Update seemed insert.

> Why are bad fake certificates

> What you’re asking is how this affects you, you can averageputer.


> Fortunately, but here’s a frightening scenario:



> Is there really no evidence that it is linked to a fake website malicious, even from http > s > .

> I hope you can see why this is not terriblymon not something a lot of time worrying. First, the hacker somehow break the current security situation of trusted certificate authorities (which are after the recent events, probably safer than ever). Then the hacker must also break > are

Lead> the browsing security in their fake server.

> It is not a simple task. Possibly, yes, and worth protecting, but notmon.

> The revoked certificates

> The current defense Certificate of promise is the concept of a “revocation” certificate.


> two tabs in the dialog box in Internet Explorer > Untrusted Publishers > . These are certificates that expressly repealed and marked as not trusted. If a rogue certificate is signed, or its parent signing certificate chain was revoked, and all other certificates that is signed by the rogue certificate is no longer valid immediately.

Related Post - How can I securely share sensitive electronic documents with my lawyer?

> This is why you keep your system up to date is important. When certificates are revoked – if Microsoft just a few of their own certificates – he retreat from your system as soon as possible will be known.

> The Future

> It is said that the current setting of the digital signature of the CA is fragile – some say broken – for a variety of reasons, the piracy scenario above is an example.

You might also find the following post interesting: Why is my site suddenly disappeared and Facebook tells me

> There are improvements, both proposed and actually slowly to ensure done to increase the safety of the entire system.

> But. From a practical standpoint, I still think the system is basically reliable for daily use and continue my banking and other sensitive online transactions done via https connections

> But in any case, my machine to keep as current as possible to date.

> And it should.

> References

> Ars Technica:

You might also find the following post interesting - How to get a Thai media visa (Non-Imm M)