SSL

SSL

To protect cleartext passwords from intercepted when logging in to various services provided at my domain, I have been utilizing SSL certificates signed by CACart on at least the web servers.  Since CACert’s root certificates have not yet been bundled in any browsers so far (there were talks around 2006 that Mozilla derivatives were going to be be shipped with CACert’s root certificated, but that never happened, and it appears that plan has been abandoned), users navigating to SSL encrypted pages within my domain (peterchuang.com) will be presented with warnings about invalid certificates.

There are at least 3 choices:

  1. Do nothing, and don’t come in to my site.
  2. Add my site’s certificate to your browser’s trusted store.
  3. Add CACert’s root certificates to your browser’s trusted Root certificate store.

The simplest solution is #3, by adding (or installing) CACert’s root certificates to your browser’s Root Certificate Store.  When you add CACert’s root certs, your are instructing your browser to trust all certificated issued by CACert.  Other commercial certificate venders like Verisign, pay browser makes like Mozilla, Microsoft, Google, and Opera to have their root certs bundled so that SSL certs issued by them will be trusted.  CACert, on the other hand, is an open and free platform for doing the same thing, using a Web-of-Trust (WOT) mechanism to boost authenticity of certificates.

SSL certificates generally serve 2 major purposes:

  1. To authenticate the site, whereby ensuring that the website, e.g, bankofamerica.com, is really being operated by the proper authority (Bank of America, or course).  Commercial certificate vendors do this by verifying appropriate records.  An example would be a business license or drivers license.
  2. To allow an end-to-end encryption/decryption of communication between the web server and the end user’s web browser.  The SSL certificate in this case is used for the public key embedded within to exchange a private key used for the actual encryption/decryption.

My my purpose of encrypting sensitive data between the server and browser, encryption is really all that’s what I’m looking for.

By the way, I use a OpenGPG key for other encryption and decryption needs where appropriate.  An example of such an application is email encryption.  Since most people I email don’t really get this more complicated concept, I use email encryption primarily to save some important info or password on Gmail, in encrypted form of course.

It’s important to note that no encryption is crack-proof, however.  The central mathematical theory behind encryption involved finding a very large prime number.  Given enough computing power, such task can always be done within a finite amount of time (at least in theory).  The US National Security Agency has in the 1990s solicited submissions for encryption schemes, and at the end declared AES -256 (Advanced Encryption Standard with a 256bit symmetric encryption key) sufficient for top-secret national security.  I’m sure as time goes on with more powerful computing machines becoming widely available, either the encryption scheme or the key strength would have to be revised and improved.  For the time being, however, such encryption scheme is “good enough.”

Please point out any errors you see above, as I have not done extensive fact-checks.  Thanks.

Peter

Leave a Reply