Certificates, These Unknown Friends…
What is a certificate? Many people do not recognise the importance of this technology. Its primary goal is to guarantee the identity of the domain to which the user is connecting. In this way, users can be sure that the connection takes place with an authorized server and that no one is able to alter the communication.
There are three main technologies involved in the Internet certificate system: DNS, HTTPS and asymmetric cryptography. The security of the connection between the parties is provided by the HTTPS protocol, which guarantees end-to-end encryption of the communication. DNS is important because it translates the domain name contained in the certificate information into the IP address of the specific server. Certificates cannot directly contain an IP address; that is why a security popup appears in your browser when you connect via HTTPS to a server by its IP.
The core of the certificate system is provided by asymmetric cryptography. This type of encryption is used in a particular way to provide authentication. It works on two keys: a message encoded with one of the two can be decrypted only with the other, and vice versa. So if a user B receives a message from A and is able to decipher it using the key he knows, the message can be considered with certainty to have been generated with the other key. This property of asymmetric encryption is the basis of how certificates work. The certificate generation procedure produces the two keys: the private one is used by the server to encode outbound messages, and the other one must be made available to the connecting user in order to verify the origin of the messages. The public key can be published in two main ways: by installing the certificate into the client or through a Certificate Authority (CA).
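The following sketch is an added example, not code from the original article: it models a certificate as a CA signature over a domain name and a server public key, and shows the checks a client makes. It assumes textbook RSA without padding and fixed Mersenne primes so that it runs with the Python standard library only (not usable for real security); all function names, the host www.example.test and the address 192.0.2.10 are constructed for illustration.

```python
import hashlib

E = 65537  # common RSA public exponent

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(digest(data, n), d, n)  # only the private-key holder can do this

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def cert_body(domain, public):
    return f"{domain}|{public[0]}|{public[1]}".encode()

def issue_certificate(ca_private, domain, server_public):
    """The CA binds a domain name to a public key by signing both."""
    sig = sign(ca_private, cert_body(domain, server_public))
    return {"domain": domain, "public": server_public, "sig": sig}

def client_check(ca_public, host, cert, challenge, response):
    """What a client verifies before trusting the server it reached."""
    if not verify(ca_public, cert_body(cert["domain"], cert["public"]), cert["sig"]):
        return "untrusted issuer"
    if cert["domain"] != host:
        return "name mismatch"
    if not verify(cert["public"], challenge, response):
        return "no proof of private key"
    return "ok"

# Constructed sample data: Mersenne primes stand in for real random primes.
CA_PUB, CA_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
SRV_PUB, SRV_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
CERT = issue_certificate(CA_PRIV, "www.example.test", SRV_PUB)
CHALLENGE = b"constructed-client-nonce"

if __name__ == "__main__":
    resp = sign(SRV_PRIV, CHALLENGE)
    print(client_check(CA_PUB, "www.example.test", CERT, CHALLENGE, resp))
    print(client_check(CA_PUB, "192.0.2.10", CERT, CHALLENGE, resp))
```

The second call fails the name check because the client asked for an IP address while the certificate names a domain, which is the situation that triggers the browser warning described earlier.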
Relying on a Certificate Authority whose certificate is already installed in common operating systems and browsers provides a set of security measures, such as a revocation mechanism. Furthermore, in order to be included by device and software manufacturers in their lists of trusted certificates, a CA has to follow specific security guidelines. With the evolution of technology and the increasing attention paid to data protection, free and automated CAs like https://letsencrypt.org have emerged. There is no longer even an economic reason to choose to issue and install self-signed certificates. However, a fully trusted certificate infrastructure is not enough to have a secure connection. If the server is not properly configured, it could expose the secret key or allow eavesdropping on sensitive information. To check the server's security against the best-known and most common security flaws, you can rely on the many testers available online. One of them is https://www.ssllabs.com/ssltest, which provides an easy way to verify connection security and offers many suggestions on how to improve it, with good configuration examples for the most common server software.