Security certificate question: see details below?

This is complex and messy if I cover the details. So I'll just hit the high spots. Follow along with this streamlined interaction. Remember that all anyone ever knows about the information received from the Internet is that it came from the Internet. It might be a spoof -- Coke sabotaging the Pepsi Web site -- or something less playfully amusing, like a site phishing for account and password information in preparation for soem identity theft. How to weed out some (but of course never all) of the scams?

========

how it works (a sketch)

So. Your browser goes to a Web site. On your behalf, in order to avoid being spoofed by a fake site, it will attempt (*IF* its settings have told it to always do so) to ensure that the web server it's getting a page from is on the up and up. Since a browser is a collection of computer programs, it has no ability whatsoever to make estimates about the validity of a Web server. (Software really is dumb as a box of rocks, and only does the right thing, or appears intelligent, because it's been carefully designed and programmed beforehand.) Accordingly, your browser relies upon something else to tell it about the Web site. And that something else is a Certificate Authority (which will be part of a Private Key Infrastructure -- a PKI). Certificate Authorities are usually, but not always, companies who have set up in business to provide this service for a fee. But certificates are produced by software, and with the right software, you (or anyone else) could produce your own. Whether anyone should rely on those for anything at all is something else altogether.

The only function of a CA is to vouch for some entity (in the case of a Web server, it's the operator of the server machine) as being who it claims to be. In the absence of such a certificate, the Web site might be OK, but no one is vouching for it. Or it might not. You can think of a CA's function as more or less that of a notary public, with similar benefits and problems.

The vouching is done via a Digital Identity Certificate sent to your browser by the site; this is a packet of data, protected cryptographically against alteration of any kind, containing the entity's identity information. Since anyone can generate such a certificate, how can your browser (and, by inference, you as well) rely on its claims about identity? The answer is that your browser already has a certificate for the CA itself which it can use to test (crytographically) whether the Web server's certificate has been is correct. If it is, your browser assumes everything is fine and proceeds.

And how did it get the CA's certificate? Well, it was bundled with the browser itself by the browser maker (eg, Microsoft, the Firefox folk, the Norwegians who run the Opera business, ...). And was included in the browser's operating environment when the browser was installed on your computer. You trust that it's correct because of this history. Don't you? You didn't know anything about all this stuff? Most people don't and just proceed, hoping htat it will all work out right.

And with that comes the skunk at the garden party. You didn't choose anyone's certificate, with certainty approaching 1 as nearly as can be wished. Why should you believe that the browser maker didn't make a mistake about those certificates? Well, you really shouldn't, because such mistakes happen. And CA's make mistakes too, certifiying (through an issued certificate for some entity (company, government, Web site, individual, ...)) that so and so really is so and so, when it really isn't. VeriSign, one of the largest of these CA operators, was fooled by some folks who managed to get Microsoft certificates issued to them merely by paying VeriSign a fee for them. Microsoft didn't know a thing about any of it, it finally turned out. And there was some panic in Redmond when this business came to light, or so legend has it.

One way to reduce the damage a false certificate might cause by leading your brwoser (and you) astray is to include an expiration date in each certificate. A bad one won't be able to last forever, that way. Or to cancel a certificate before it is due to expire when it's discovered to be bogus. Or both. This last is done by producing and making available a revocation list, which is a list of certificates which have been cancelled for one reason or another. So your browser should, before believing a Web server's certificate and so the validity of the site, check the relevant revocation list. The certificate, after all, may have been wrong. Microsoft and VeriSign, to their shame, hadn't bothered to set up a revocation list mechanism and so those two bogus Microsoft certificates had to be rendered harmless by including them in every copy of Microsoft's software, marked as Bad!, Never Believe!.

And that's what your error message is all about. The browser hasn't been able to find a revocation list for that CA to check whether the certificate it's examining has been discovered to be in error, a fraud, etc. If the certificate has been cancelled, your browser can't find it out, and so is asking you what to do. Do you know anything about the certificate? Can you sensibly answer the question? Or can you avoid guessin about it? The answers, for almost all of us, are No, No, and No. Probably not a stiutation in which you are happy to be.

I'd suggest that, if the Web site your browser's looking at is, say, your bank or broker or some other financial institution, you ought not to proceed. Or even if you will be purchasing something from a Web site, and sending something like a credit card number. If all you'll be doing is reading an article, or some such, inability to look at a CA's revocation list won't be so much of an issue.

========

secure software (as good as you can manage)

And overall, you should only use secure (or as secure as you can get, anyway) software. In particular, some browsers have much more worrisome histories of insecurities than others. Recently, Firefox has acquired a good reputation in this respect. Opera has had a good track record as well for now some years. The new version of Microsoft's Internet Explorer is said to be much less insecure and problemsome than prior versions, but until there is some experience with it, it's not possible to really know.

Whatever software you use, it's your responsibility to ensure that it is configured properly. That means you'll have to arrange its settings so that, your browser for instance, always requires a certificate from any Web site it goes to, and reports to you about problems (espiration, check failures, inabitlity to check the revocation list, ...). And this configuration requirement applies to your operating system as well. Merely adding a firewall does not make your computer secure, most especially if your operatijng system is wide open or the firewall is incorrectly configured. Nto so simple in a world in whcih malware, and malice, and idiots, are so common. And so close, since anyone on the Interent is right next to everyone else. This is new in human history; it's always been that the dangers one needed to worry about were close by, not continents away.

2

When you get this message, it's advisory; your Web browser is telling you that an expiration date for the secure server you are visiting has not been set.

All such sercure servers use certificates -- which basically are you insurance that the Web site is legitimate. Those certificates must expire.

If your browser cannot find an expiration date for the certificate, it's possible the certificate is a forgery or has already expired. Your browser is simply telling you that.

You can choose to proceed if you trust the site, but the fact they have not corrected the problem speaks ill of them.

Note to previous answerer: Please don't answer questions if you don't know what you are talking about.

Go to a site where you have provided the necessary revocation information. Always, safe to proceed, with appropriate legal advice.