Users Ignore Bad Certificates Way too Often (Blog Post #3)

If you’re anything like most users, your web browsing habits may be actively putting you at risk. A study by researchers at UC Berkeley and Google, presented at the 2013 USENIX Security Symposium, found that Google Chrome users clicked through 70.2% of the SSL warnings they were shown. There are occasionally legitimate reasons to bypass a security warning, but if you don’t understand what the warning means, that is not a decision you should be making.

When using the web, have you ever seen a page like any of these?

[Screenshots of the certificate warning page in Microsoft Edge, Mozilla Firefox, Apple Safari and Google Chrome]

You would think that all the bright colors, bold red text, and strongly worded instructions to turn back would keep users away. Some browsers won’t even let you proceed until you open an “advanced” menu and confirm that you are going against the browser’s recommendation, but time and again I see people ignore everything. I’ve seen everyone from pilots filling out sensitive paperwork to computer science students skip past these pages without pause, only to later admit they had no idea why the page popped up.

These pages are each browser’s response to a bad certificate. Using public-key cryptography, a website presents your browser a certificate to prove it is the site it claims to be, and the browser checks the signatures on that certificate. If the certificate does not check out, the browser lets you know, as in the examples above. If you aren’t expecting to see this page, you really should not proceed. There are a few common misconfigurations on your end that can cause this type of error, but the right response is to fix those problems, not to put your safety on the line by clicking through.

One common reason for this error is that your browser does not trust the authority that issued the certificate. For a certificate to be valid, a Certificate Authority (CA) must vouch for it by signing it. What if your browser doesn’t already trust that CA? Another CA can sign for it. By having root CAs sign the certificates of intermediate CAs, which in turn sign certificates for websites, a chain of trust is established. Your browser checks each signature as it works its way up the chain from the site’s certificate, and as soon as it reaches a CA in its own trust store, every link below that point is accepted.

[Illustration: a chain of trust from a website certificate up through intermediate CAs to root CAs, with the root CAs shown in purple]

Problems arise when your browser trusts none of the links in the chain. Consumer operating systems and browsers ship with a set of common root CAs (purple in our illustration) installed by default, but some organizations choose to run their own chain of trust, with a private root that nothing outside the organization knows about. This practice is common in high-security and military organizations and at academic institutions. It is easy to install an additional root CA, so this should never be an excuse to ignore a warning: contact the organization in question and request their root CA. One caveat: a root CA you install can vouch for any website, not just the organization’s own, so only install a root you obtained directly from an organization you trust, never one offered by the very page that triggered the warning.

Another possible reason you might see this warning on a legitimate webpage is that your computer’s clock or calendar is set incorrectly. Every certificate carries a validity period with a start and an end date, so if your clock is wrong your browser may conclude that the certificate is not yet valid or has already expired. Correcting the clock is similarly easy and is no reason to bypass a warning.
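The two misconfigurations above, an unknown root and a wrong clock, can be reproduced in a few lines. The following Go program is an added example written for this post, not code from the original; it builds a small private PKI (a made-up “Example Root CA”, an intermediate, and a server certificate for the assumed hostname www.example.com, with throwaway keys generated in memory) and then verifies the server certificate the way a browser does, once with the root installed, once without it, and once with a clock that is two years slow, reporting the reason each verification fails.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for subject signed by parent/parentKey, or
// self-signed when parent is nil. Keys are throwaway in-memory P-256 keys
// (an assumption for this example, not how a real CA manages keys).
func issue(subject string, isCA bool, notBefore, notAfter time.Time,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject} // a server cert is bound to its hostname
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // a root CA signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Chain is root -> intermediate -> leaf, the shape a browser walks up.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// BuildChain creates the (fictional) Example private PKI, valid from one
// hour before `issued`.
func BuildChain(issued time.Time) (*Chain, error) {
	start := issued.Add(-time.Hour)
	root, rootKey, err := issue("Example Root CA", true, start, issued.AddDate(10, 0, 0), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue("Example Issuing CA", true, start, issued.AddDate(5, 0, 0), root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue("www.example.com", false, start, issued.AddDate(0, 3, 0), inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{root, inter, leaf}, nil
}

// Verdict reduces a verification error to the reason a browser would show.
func Verdict(err error) string {
	if err == nil {
		return "trusted"
	}
	var unknownCA x509.UnknownAuthorityError
	if errors.As(err, &unknownCA) {
		return "untrusted root"
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return "outside validity period" // Go reports "not yet valid" under Expired too
	}
	return "other: " + err.Error()
}

// Check verifies the server certificate against a trust store at a given
// clock time, with the intermediate supplied the way a server would send it.
func Check(c *Chain, roots *x509.CertPool, clock time.Time) string {
	inter := x509.NewCertPool()
	inter.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "www.example.com",
		Roots:         roots,
		Intermediates: inter,
		CurrentTime:   clock,
	})
	return Verdict(err)
}

func main() {
	now := time.Now()
	chain, err := BuildChain(now)
	if err != nil {
		panic(err)
	}
	trusting := x509.NewCertPool()
	trusting.AddCert(chain.Root)
	empty := x509.NewCertPool() // a trust store that has never heard of this root
	fmt.Println("root installed, clock right:   ", Check(chain, trusting, now))
	fmt.Println("root not installed:            ", Check(chain, empty, now))
	fmt.Println("root installed, clock 2y slow: ", Check(chain, trusting, now.AddDate(-2, 0, 0)))
}
```

The point of the three checks is that the same certificate chain is accepted or rejected purely on the client’s side: nothing about the website changes between the first run and the other two. Passing an explicit, empty root pool is deliberate; a nil pool would make Go fall back to the operating system’s trust store, which is exactly what a browser does by default.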

If it is not a misconfiguration, chances are that the webpage you are trying to view is not what you think it is: either a fake site, or someone sitting between you and the real site. The imposter could show you false information, siphon off anything you type (passwords, card numbers, personal details) for malicious purposes, or infect your machine with malware simply because you opened the page. Whatever the imposter’s goal, you want no part of it, and you gain very little by visiting the fake page.

You would think this would be common knowledge, but time and again I see my classmates put themselves at risk by bypassing warnings. The unfortunate truth is that people simply are not adequately educated on the subject. This can change, but only with your help. Tell your friends to heed warnings and practice safe browsing habits. If you like this post, share it and, more than anything, stay cyberfluent.
