I installed a fresh Windows 7. I wonder why, when I visit a website using HTTPS, I do not get asked to accept their certificate, like shown in this picture:
2 Answers
Because your browser comes with its own set of certificates.
When you install a new version of Windows 7, it comes with Internet Explorer.
Internet Explorer, like any other browser, comes with its own set of certificates that it trusts.
All the web authentication is based on the fact that there are only valid certificates in your browser.
How does authentication with certificates work?
When you access an https link, the server you access sends its own certificate.
This certificate is signed using asymmetric cryptography with the private key of a trusted entity.
The certificates that ship with your browser ARE your trusted entities.
So when you receive a new certificate, you ask the trusted entity (certificate) if they can validate the identity of the certificate you just received.
Here the certificates stored in your browser act like public keys. If one of the public keys can verify the signed certificate, you know that it was issued by the trusted entity that created this public key.
Fun thing
You need to protect the certificates stored in your browser (trusted entities).
If a malicious user can insert their own certificate, they could impersonate the server you are trying to reach and do an attack called man in the middle.
The only thing protecting you against that is the fact that all the trusted entities in your browser are valid.
Here is a good example of how this attack can be done:
How can my employer be a man-in-the-middle when I connect to Gmail?
- "of certificate" -> "of certificates" – Jul 25 '14 at 19:19
Microsoft has a "Microsoft Root Certificate Program" where they check the trustworthiness of a certificate authority (CA). If a CA wants their certificate to be automatically updated with Microsoft they need to send Microsoft a test certificate so they can test the root certificate. These certificates are then installed by default and updated as they change.
For more info on the Root Certificate Program read up on this page
- In this case, all website certificates rely on CAs that are certified by the "Microsoft Root Certificate Program"? If so, then why on some webpages must I accept their certificate before being able to navigate through them? – Jul 25 '14 at 13:01
- For the beginning they do; if the root CA is not in the program you will get the "This connection is untrusted" notification. Once you've accepted the certificate for this website and saved it, you will no longer get this notification. Microsoft does not include all root CAs in their program; they have to be proven to be on edge with security, e.g. not signing certificates for parties that use it for signing malicious software etc. – BadSkillz Jul 25 '14 at 13:11
- Ok, thank you. But then I am browsing random websites from different countries using HTTPS: very few of them ask me to accept their SSL certificate. Why not all of them? – Jul 25 '14 at 13:14
- If you connect to HTTPS you can click on the padlock in front of the url; this will show information about the certificate and who signed it. You can check if they are in the program here: http://social.technet.microsoft.com/wiki/contents/articles/14215.windows-and-windows-phone-8-ssl-root-certificate-program-member-cas.aspx – BadSkillz Jul 25 '14 at 13:22