For those of you who may not know what SSL is, it is the acronym for Secure Sockets Layer. In the case of your website SSL is a way to establish an encrypted connection between your website and a web browser. Essentially this is any browser that a user loads the URL to your website in.
Another term you should become familiar with is TLS. TLS is the acronym for Transport Layer Security. In some cases you’ll see SSL/TLS. TLS is the predecessor for SSL. If you are familiar with the 7 layers of the OSI model, you’ll know that the transport layer is the fourth layer and that it manages the packetization of data and also checks for errors. This layer also provides services for the applications as well. The Transport Layer controls end to end connections and works closely with the seventh layer, which is the Application layer.
In simple terms if your website is “http” and not “https” it is likely that you do not have a certificate and your website is not secure.
My business website is hosted by WordPress.com and while studying for my CompTIA Security+ certification, I’ve decided to take a deep dive into what it means to have a verified site.
ACCESSING THE CERTIFICATE:
I loaded my website in a browser and tapped the lock icon in the top right hand corner. Afterwards, the “Connection is secure” pop up appeared.
From the “Connection is secure” pop up I clicked the “Certificate (valid)” option. After clicking the “Certificate (valid)” option the certificate pop up appeared.
The pop up immediately displayed 3 valuable things within a hierarchical structure:
- DST Root CA X3 – Root Certificate
- Let’s Encrypt Authority X3 – Intermediate Certificate
- aqscorner.com – Domain Name
DETAILS ABOUT THE CERTIFICATE PROCESS:
Let’s Encrypt is an automated and open certificate authority created by the Internet Security Research Group. These certificates provide users with the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free. Since “Let’s Encrypt” is still fairly new it also requires additional verification from another certificate. This process is referred to as cross signing. In the cross signing process the intermediate certificate Let’s Encrypt Authority X3 is signed by ISRG Root X1. ISRG Root X1 is still not yet trusted by most browsers so it’s signed by Certificate authority, IdenTrust, whose root is already trusted in all major browsers. IdenTrust has cross-signed the intermediate certificate using their DST Root CA X3. After that, Let’s Encrypt issues to the domain name aqscorner.com
GENERAL BREAK DOWN OF THE CERTIFICATE DETAILS:
- Subject Name
Each of the 3 items in the hierachial structure (DST Root CA X3, Let’s Encrypt Authority X3, and Domain Name (aqscorner.com) have a subject name. The fields associated with the subject name are the organization and the common name. When you view the details you will see that the organization and common name are similar to one another.
- Issuer Name
Each of the 3 items have a certificate issuer. Digital Signature Trust Co is the issuer for DST Root CA X3 and Let’s Encrypt Authority X3. Let’s Encrypt is the issuer associated with the domain name aqscorner.com
- Public Key Info
Each of the 3 items have public key information displayed. You will see the RSA encryption in the algorithm section. RSA is an asymmetric cryptography algorithm. The value in using an asymmetric algorithm is that it works on two different keys (private and public). The Public Key is given to everyone and Private key is kept private.
Each of the 3 items has an extension. The extension section verifies the key usage. Key usage includes the common digital signature and key certificate signatures. However, it also includes a Certificate Revocation List (CRL) Sign and Key Encipherment. A “CRL” is a list of digital certificates that have been revoked by the issuing certificate authority and should no longer be trusted. Key encipherment is when the key in the certificate is used to encrypt another cryptographic key.
Each of the 3 items has a fingerprint. A fingerprint is the unique identifier of the certificate. In the case of my website SHA-256 and SHA-1 are being used. SHA stands for Secret Hashing Algorithm. The differences between the numerical value is the encryption bit. SHA-256 is a larger encryption bit than SHA-1, as SHA-1 is a 160 bit encryption.
This article is just a general overview to get you started with understanding the security of your website. Take sometime to explore your website certificate to see what you learn.