Chapter 31: Network and Internet Security
Securing Your Web Communication with Encryption and Certificates Browsers store certificates, cryptographic data that can identify your computer to remote computers or vice versa. Certificates are issued by certificate authorities, each of which has its own certificate. Internet Explorer comes with about 30 authority certificates that they can use to check that the certificates presented to your computer by other sites are, in fact, issued by known certificate authorities. To provide secure communication with a remote Web site, Internet Explorer uses SSL (Secure Sockets Layer) to provide a variation of the standard HTTP Web protocol, called HTTPS. Web servers that use HTTPS are called secure servers.
You can also acquire a personal certificate to use to identify yourself when your Internet Explorer or Navigator contacts a Web site. The most widely used authorities for personal certificates are VeriSign, at http://www.verisign.com and Thawte (which is owned by VeriSign) at http://www.thawte.com. See RSA Data Security's list of questions and answers at their Web site at http://www.rsasecurity.com/rsalabs/faq for more information about certificates.
New applets usually are digitally signed by their authors, that is, each applet includes certificate information that identifies the applet's author and verifies that the applet wasn't tampered with since the author signed it. The only way that a software publisher can create an officially signed application is to participate in Microsoft's very costly and involved certification procedures, which we expect that many smaller software vendors won't be able to afford. Unfortunately, the high cost of Microsoft's certification process means that many perfectly safe applets won't be signed and will trigger a warning message when you install them.
Browsing the Web Securely Internet Explorer handles communication security by using SSL (Secure Sockets Layer) to encrypt messages sent to and from remote servers and certificates to verify who the party is at the other end of a connection. For example, you use this type of security when you place a credit card order with a Web-based retailer that uses a secure Web server. For the most part, SSL works invisibly, with all the security validation happening automatically. Internet Explorer, by default, warns you when you switch between secure and normal pages with dialog boxes like this:
(We find these warnings annoying and turn them off.) You can tell whether the current page is secure in the following ways:
- Look at the URL for the page in the browser's Address or Location box to see whether the page's address starts with https:// rather than http://.
- Look at the status bar at the bottom of the browser window to see whether a little lock icon appears, indicating that the connection is secure.
Whenever your browser opens an HTTPS connection to a server that supports SSL, the server presents a certificate to your computer. If the certificate is validated by one of the authority certificates known to your browser, and the name on the certificate matches the name of the Web site, the browser uses the connection and displays Web pages as usual. If either of those checks fails, the Web browser warns you and gives you the option to continue. You see a Security Alert or similar dialog box when your browser can't validate a remote site's certificate. If you trust the source of the file that you are downloading, you can tell Windows to continue and use the connection despite the warning.
Using Object Certificates When Downloading Files Whenever Internet Explorer retrieves a Web page that uses a hitherto unknown ActiveX or Java applet, Internet Explorer checks to see whether your download security settings permit you to download it. If your settings don't permit the download, Internet Explorer warns you and doesn't download the file. You see the dialog box shown here:
Unless a site is in the Trusted Zone (in which case Internet Explorer accepts the applet without question), Internet Explorer checks the certificate with which the program is signed and displays the Security Warning dialog box, as shown in Figure 31-3. You see who the signer is and who verified the signature. If the signer is someone you're inclined to trust, such as a large reputable organization or someone you know personally, click Yes to accept the applet. If you expect always to accept applets from this signer, click the Always Trust Content From ThisSigner'sName check box at the bottom of the dialog box to tell Internet Explorer not to ask about signatures from this signer in the future. (If you check the box and later change your mind, the list of signers you've checked is in the Internet Properties dialog box; click the Content tab and click Publishers to examine and change the list.)
Figure 31-3: The Security Warning dialog box displays certificate information for an ActiveX applet.
Managing Certificates from Certificate Publishers If you expect to download many programs (or display Web pages that contain applets), you will end up with a collection of certificates with which Internet Explorer can verify the sources of the programs. You can see lists of the certificates that you have received. Click the Content tab on the Internet Options dialog box. Click the buttons in the Certificates section of the dialog box.
In Internet Explorer, choose Tools | Internet Options from the menu to see the Internet Options dialog box. Clicking the Content tab and then the Publishers button displays the Certificates dialog box with the Trusted Publishers tab selected, as shown in Figure 31-4. The dialog box lists certificates for software publishers that you have told your browsers to trust (by clicking the Always Trust Content From check box in the Security Warning dialog box, shown in Figure 31-3). New certificates are added when you download authenticated software from the Internet. You can delete a certificate from this list by selecting it and clicking Remove.
Figure 31-4: Viewing certificates from software publishers
Managing Your Personal Certificates You can get your own certificate to identify yourself to secure remote Web servers that demand user certificates for identification. See "Getting a Certificate" later in this chapter for how to get your own certificate for use both on the Web and in sending and receiving secure e-mail.
To see what personal certificates are installed in Internet Explorer, choose Tools | Options, click the Content tab, and click the Certificates button to display the Certificates dialog box with the Personal tab selected, shown in Figure 31-5. You see a list of the certificates you have installed on your computer that you can use to identify yourself.
Figure 31-5: The Certificates dialog box showing your own certificates If you receive a certificate and store it on your disk, click Import to read the certificate and include it on the list in this dialog box. Windows can read certificates stored in personal certificate files (with the extension .pfx). You can export a certificate and its associated information to a personal certificate file; select the certificate from the list on the Certificates dialog box and click Export.
If you get a certificate in Internet Explorer, you can export it to a file and then import the certificate from that file into any other certificate-capable web browser (like Netscape) or vice versa.