After reading an article about a digital certificate signing authority, “DigiNotar”, that got hacked by Iran and issued 530 bad certificates (http://nakedsecurity.sophos.com/2011/09/05/operation-black-tulip-fox-its-report-on-the-diginotar-breach/), I started to realize just how rusty I’ve become on Internet security. I went to school in 2008-2010 for my Masters in Digital Forensics, and I was starting to forget the difference between digital certificates and HTTPS. These are basics a webmaster should know, and as a web designer/developer I should understand them.
So are digital certificates and Secure Sockets Layer (SSL) or Transport Layer Security (TLS) the same thing? No, not quite. They are used together to provide better security, but they are very different. First of all, HTTP uses port 80, whereas HTTPS uses port 443. HTTPS is ordinary HTTP carried over an encrypted connection between the client and the server; it uses either TLS or its predecessor SSL to encrypt the data exchanged between the two.
Now for digital certificates: they are issued by a Certificate Authority (CA), sometimes called a signing authority, are valid for a time frame of one to two years, and must be renewed after they expire. They verify that the user is who they claim to be. The user sends a message and provides the receiver with a means to encode a reply. A digital certificate is issued with the applicant’s public key. Then, when you get an encrypted message, you use the Certificate Authority’s public key to decode it. Private information such as military information, financial records, etc., can then be read.
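To make the issuance and verification flow concrete, here is an added example (my own script, not from the article linked above) using the openssl command-line tool: a made-up CA named example-ca issues a one-year certificate for the placeholder host www.example.test, the issuing CA’s certificate verifies it, and an unrelated CA does not. It assumes openssl is installed and writes into a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): a miniature certificate
# issuance and verification flow with the openssl command-line tool.
# The names example-ca, other-ca and www.example.test are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# A CA creates its own key pair and a self-signed root certificate, the
# kind of certificate a browser keeps in its trust store (here: two years).
make_ca() {   # $1 = CA name, $2 = output basename
  openssl req -x509 -newkey rsa:2048 -nodes -days 730 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# The applicant generates a key pair and a signing request that carries
# only the public key; the private key stays on the applicant's server.
make_csr() {  # $1 = host name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1
}

# The CA signs the request with its private key, issuing a certificate
# that binds the name to the applicant's public key for one year.
issue_cert() {  # $1 = CA basename
  openssl x509 -req -in "$WORK/site.csr" -days 365 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/site.pem" >/dev/null 2>&1
}

# Verification: succeeds only if the certificate's signature checks out
# against the given CA certificate and its validity period is current.
verify_cert() {  # $1 = CA certificate, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca example-ca ca
make_csr www.example.test
issue_cert ca
# Show who the certificate is for, who signed it, and its expiry dates.
openssl x509 -in "$WORK/site.pem" -noout -subject -issuer -dates
verify_cert "$WORK/ca.pem" "$WORK/site.pem" && echo "site.pem: trusted by example-ca"

# A relying party that has removed a CA from its trust store (as browsers
# did with DigiNotar) no longer accepts anything that CA signed.
make_ca other-ca other
verify_cert "$WORK/other.pem" "$WORK/site.pem" || echo "site.pem: not trusted by other-ca"
```

The same verify_cert check is what a browser performs on every HTTPS connection; when a CA is dropped from the trust store, every certificate it issued fails that check at once.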
Certificate Authorities are also required to undergo annual audits. So what happened with DigiNotar? The main CAs are VeriSign (Thawte & GeoTrust [Equifax]), with 48% of the market, GoDaddy and Comodo.
Digital Certificates versus HTTPS
DigiNotar (wikipedia) Fraud Update
Basically, DigiNotar admitted that dozens of fraudulent certificates had been created for the domains of Yahoo, Mozilla & WordPress by Turkish & Iranian hackers since 2009. What irks me more than anything is this message they left in the code taunting Americans.
“THERE IS NO ANY HARDWARE OR SOFTWARE IN THIS WORLD EXISTS WHICH COULD STOP MY HEAVY ATTACKS MY BRAIN OR MY SKILLS OR MY WILL OR MY EXPERTISE”
This just proves that you always have to stay one step ahead of hackers & that you are never totally secure no matter what you think.
On a side note, my teacher advised us to look into the article about Stuxnet. It was about a computer worm discovered in July of 2010 that targeted Siemens industrial software. This article is fascinating. Take a look: http://en.wikipedia.org/wiki/Stuxnet. There are operations going on behind the scenes that are very scary. They think that maybe a US hacker created this little destroyer.