
Untrusted Certificate Source

How can I tell whether an SSL certificate comes from an untrusted source before I enter the secured site?

Any website operator who wants to secure the site, or some of its pages, with SSL must obtain a valid certificate from a trusted third-party CA.

If you try to enter a secure website that uses a certificate from an untrusted CA, such as the MCP Secure site on Microsoft's website at http://www.microsoft.com/traincert/mcp/mcpsecure.asp, you will get a secure website warning (this was true on the 29th of January 2003; read more about it on the Expired SSL Website Certificate page):


If you click OK, your web browser will try to obtain the signed certificate from the web server, but if that certificate is signed by an untrusted CA you'll get this warning:

You can choose to view the certificate, and if you do you'll see (on the General tab) the reason for the error message:

If you click on the Details tab you can see that this specific certificate has expired:

If you choose to accept this certificate you will be able to enter the secure site, provided it is indeed a genuine and valid site and not an exploit or a redirected malicious site.
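The three checks the browser performs in the walkthrough above (is the issuing CA trusted, is the certificate within its validity period, does the name match the host) can be run from a script before you decide whether to trust a site. The following is an added example, not code from the original article; it uses only Python's standard library and the system trust store, and the OpenSSL verify codes it maps are the ones OpenSSL reports for these failures.

```python
import socket
import ssl
import time
from typing import Optional

# OpenSSL X509 verify result codes for the warnings discussed above
# (values from OpenSSL's x509_vfy.h).
VERIFY_REASONS = {
    10: "certificate has expired",
    18: "self-signed certificate (issuer not trusted)",
    19: "self-signed certificate in chain (issuer not trusted)",
    20: "issuing CA is not in the local trust store",
    62: "certificate name does not match the host",
}


def explain_verify_code(code: int, message: str = "") -> str:
    """Map an OpenSSL verify code to a plain-language reason."""
    return VERIFY_REASONS.get(code, message or f"verification failed (code {code})")


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days left on a certificate given its notAfter field as returned by
    getpeercert(), e.g. 'Jan 29 00:00:00 2003 GMT'. Negative means expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def inspect_site(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Perform the same checks a browser does before showing the padlock:
    chain to a trusted CA, validity period, and hostname match."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # populated only after verification
    except ssl.SSLCertVerificationError as err:
        return {"host": host, "trusted": False,
                "reason": explain_verify_code(err.verify_code, err.verify_message)}
    issuer = dict(pair[0] for pair in cert["issuer"])
    return {"host": host, "trusted": True,
            "issuer": issuer.get("organizationName"),
            "days_left": round(days_until_expiry(cert["notAfter"]), 1)}


if __name__ == "__main__":
    import sys
    print(inspect_site(sys.argv[1] if len(sys.argv) > 1 else "www.microsoft.com"))
```

Run it with a hostname as the first argument; a result with `"trusted": False` tells you, before any credentials are typed, which of the three conditions the browser warning would be about.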

Note: Having respected sites like Microsoft's use expired certificates or certificates from untrusted CAs is somewhat irresponsible in my opinion. Any hacker or malicious user with a little HTML, X.500 and hacking knowledge can easily divert innocent, unsuspecting users to a malicious site (by breaking into the DNS servers that are authoritative for the microsoft.com domain), where he or she can easily create a similar digital certificate. Users will then be tempted to accept the certificate although it is clearly either expired or (what's even worse) from an untrusted CA (one that the hacker himself can easily set up by using Microsoft-like domain names). People who log on to the so-called secure site with their MSN Passport accounts will then be handing this information to the hacker, who in turn can use it to do wrong or even steal other information.
