Question
I recently installed the Light (a more compact forking of Firefox).
I started getting the "This Connection is Untrusted" error, which got me wondering: when should I add an exception to the list of trusted certificates? Yes, this gets at the issue of trust, and that is an enormous problem in itself. But let us suppose that I felt comfortable trusting the certificates that came bundled in my browser (whether it be Firefox, Light, or IE).
In my case, the error is (Error code: sec_error_unknown_issuer). It must be that Light doesn't have the full list of trusted authorities that the full Firefox does.
I can see the certificate in question, and I can see the name of the issuer of the certificate (in my case, Starfield Secure Certificate Authority - G2). And yes, if I go to the big Firefox list of trusted certificates, I can see similar names there (Starfield Services Root Certificate Authority - G2, and Starfield Root Certificate Authority - G2), although not an exact match.
But I imagine that is not enough: it is not an exact match. But let us go further: let us assume that the name of the issuer were a perfect match. Presumably, if a website is trying to steal my information, or run malicious code in my browser, it will be smart enough to fake the name of a trusted certificate provider. What is it in the certificate itself that I must verify to make sure that the certificate that I am being presented is authentic, and there is not some bozo somewhere faking a trusted certificate? And, is there a way to get that authentic certificate from the horse's mouth, so to speak, instead of from the webpage I am currently trying to browse?
Explanation / Answer
The question is, assuming you've decided which CAs (Certificate Authorities) to trust, how do you get their certs? If you trust "Starfield Services Root Certificate Authority - G2" and you want to know if you should trust the hypothetical "Starfield Services Root Certificate Authority - G3" (for example), you do have to "get it from the horse's mouth" as you put it.
There are a few options... Easiest is, if Starfield helpfully "bootstrapped" their own trust for you. If "Starfield (trusted) CA" signed the "Starfield (new) CA" cert, then you could trust it is authentic.
If not, then you need to get the public key from Starfield in some way that makes you confident it is really theirs, then use that to verify the signature/fingerprint on the new CA cert they've issued.
From a practical standpoint, if you trust some browser to have done the legwork for you, you can grab the trusted CA cert from its truststore.
Ultimately, you choose which CAs to trust in their job of asserting other websites' legitimacy. You make that choice by your choice of CA certs in your truststore, or you let your chosen browser make that choice for you. If SuspiciousWebsite(tm) presents you with something signed by LegitimateSoundingCAYouDontHave, that's when you need to decide if you trust that CA or not. I'd never accept an unknown CA cert offered up to me by some website. Either get the root cert from some other browser's truststore, or directly from the CA entity itself.
Once you've accepted a CA cert, you trust anything that cert signs. If you let a bad guy's fake CA cert in, that bad guy can trivially spoof your bank or any other site.
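The practical check the answer describes (get the CA's fingerprint from the CA itself or from another browser's truststore, then compare it with the cert the website handed you, because the issuer name alone proves nothing) looks like this in code. This is an added example, not code from the answerer or from any browser vendor; the certificate body and the "published" fingerprint are constructed stand-ins (the PEM body is just the base64 of the bytes "hello") so the script runs offline. A real exported PEM and a real fingerprint from the CA's site drop in without changing the logic.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a CA certificate in PEM form. The body here is
# the base64 of b"hello"; a real certificate body is the base64 of the
# DER-encoded X.509 structure, and the fingerprint logic is identical.
CONSTRUCTED_CA_PEM = """-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""

# Constructed "published" fingerprint, in the colon-separated upper-case
# form a CA or truststore listing typically uses. It is SHA-256 of the
# constructed DER above (i.e. of b"hello"), obtained out of band.
PUBLISHED_SHA256 = (
    "2C:F2:4D:BA:5F:B0:A3:0E:26:E8:3B:2A:C5:B9:E2:9E:"
    "1B:16:1E:5C:1F:A7:42:5E:73:04:33:62:93:8B:98:24"
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and decode it to DER."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes as lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or bare hex and return lower-case hex."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(cleaned) != 64:
        raise ValueError("expected a 32-byte (64 hex digit) SHA-256 fingerprint")
    return cleaned


def fingerprint_matches(pem: str, published: str) -> bool:
    """True only if the certificate's SHA-256 fingerprint equals the published one.

    The issuer name inside the certificate is never consulted: anyone can put
    "Starfield" in a subject field, but nobody can match the fingerprint of
    the genuine certificate without having that exact certificate.
    """
    actual = sha256_fingerprint(pem_to_der(pem))
    return hmac.compare_digest(actual, normalize_fingerprint(published))


if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_CA_PEM)
    print("fingerprint:", sha256_fingerprint(der))
    print("matches published value:",
          fingerprint_matches(CONSTRUCTED_CA_PEM, PUBLISHED_SHA256))
```

In practice you export the CA certificate the browser shows you (Firefox's certificate viewer can save it as PEM), run it through `fingerprint_matches` with the fingerprint taken from the CA's own site or from a truststore you already trust, and only add the exception if it returns True. The same value can be cross-checked with `openssl x509 -noout -fingerprint -sha256 -in cert.pem`, which prints the colon-separated form that `normalize_fingerprint` accepts.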