Following the recent events when hackers broke into CA digital certificate house and practically performed man-in-the-middle attack on the unsuspecting customers of mostly Iranian Gmail accounts I thought it would be nice to have a “what-is” article about the CA and digital certificates in general so we can learn and grow on the subject.
What is a CA?
CA is a short of Certificate Authority, a company calling itself a CA is a registered entity for issuing digital certificates. The important aspect to remember regarding the CA is that every operating system used today has its own internal list of authorized CA in order to have them contacted about the digital certificate they see in the network traffic. If this were not the case, there would be no point in issuing digital certificates because there would be no authority to say that this certificate is valid and that it does represent the web resource it claims to. In order for a company to establish itself as a CA there are numerous steps to follow and many resources and funds to spend. This is normal because if you want to trust someone without questioning that someone has to prove its worthiness first. Every CA has a link to the upper management CA which has the CA in their list of authorized digital certificates issuers meaning that everyone has their watcher and watcher has a watcher too. This goes all up to the registry level where final word is given and only a handful of CAs are in that list.
Every time you visit secure site there are few steps your browser performs to authenticate that the resource you are fetching is the resource it claims to be. I would not go too much into technicality suffice it to say that your browser has a method to establish secure network connection exchanging your random generated private key with publicly available server key of a secured resource. This process ends with digital certificate which server sends to our browser – it is like a passport with bio-metric data. This passport among the data identifying the resource (web site) and their business or organization has an upper level authority link where your browser can verify the bio-metric data if it is correct. This is where your operating system CA list is being queried as a first step, if upper level CA is not in that list your browser will issue a warning or an alert. If the CA is in your operating system list then browser does issue a verification request to that CA to prove that digital certificate is correct – this is called second level authentication. In the nutshell the whole process is transparent to you and you will see a lock icon on the site secured by a digital certificate in your browser if every check pass your browser issue is correct.
Extended Digital Certificate
Have you seen twitter.com on secure connection? If you look closely this secured connection has an add-on where twitter.com is identified by a real company name, location and other company information and your browser is displaying green address bar or a green info box beside it showing this company information. This is called extended digital certificate and the crucial difference to a normal digital certificate is that it has additional data in the passport identifying ownership of the web site or web resource. Your browser still use its CA list to identify if this data is correct on a second level like with normal digital certificate. However extended digital certificate issuer require more information and more proof of the holder in order to have them authenticated. This in the nutshell means that if you have completely green address bar – or in some browser extra information beside the address bar usually also green – you click on that info you will see the real company information behind the web resource. It is an added assurance that the web resource is the real thing.