Figure 7-7: New trusted certification authority
This clears up the first error that the certificate was issued by an untrusted certificate authority (it was issued by itself, actually). The browser still complains that the certificate was issued for a different website's address. You should understand by now that this means that the browser is connecting to localhost, but the certificate's subject has a CN of Joshua Davies. There's nothing stopping you, of course, from issuing a new certificate whose CN field is localhost, which makes this error disappear as well. As long as the certificate is signed by a trusted authority, the browser accepts anything that matches. If you click Continue to This Website, however, your browser remembers that you trust this certificate and automatically connects to it the next time you request it. IE 8 at least has the sense to display a red URL bar and provide a Certificate Error popup.

Watch the server and keep track of how an untrusted certificate error is handled. The client goes ahead and completes the handshake, but then immediately shuts down the connection. It then displays an error message to the user. If the user clicks through, it begins an entirely new SSL session, but this time with a security exception indicating that this site is to be trusted even if something looks wrong.

The only other common error message you might come across is "This site's certificate has expired." Of the error messages you might see, this one is probably the most benign, although it's certainly a headache for a server administrator because most TLS implementations give you no warning when a certificate is close to expiration. One day your site is working just fine; the next day the traffic has dropped to practically zero because your customers are being presented with a scary error message and bailing out. If you don't keep close track of logged error messages, you might have to spend some time investigating before you realize you've had yet another certificate expire.
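The three verification failures discussed above (untrusted issuer, subject name mismatch, expired certificate) and the expiry check that most TLS stacks do not perform for you, reproduced with the openssl command line rather than a browser. This is an added example, not code from the book; it assumes OpenSSL 1.1 or later is on PATH, and every certificate, subject name, file name and time offset in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the book: reproduce the certificate verification
# failures discussed above with the openssl command line, then the expiry
# pre-check an administrator can script. Assumes OpenSSL 1.1 or later on PATH.
# Every certificate and file name below is constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue_selfsigned CN NAME: write a fresh RSA key and a self-signed certificate
# with subject CN=CN, valid for 30 days, to $WORK/NAME.key and $WORK/NAME.pem.
issue_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$1" -days 30 \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_untrusted NAME: validate against the default trust store only.
# A self-signed certificate fails here: its issuer (itself) is not trusted.
verify_untrusted() {
  openssl verify "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_trusted NAME: validate again with the certificate itself installed as
# a trusted root, which is what the browser does in Figure 7-7.
verify_trusted() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_hostname NAME HOST: the trust error is gone, but HOST (the address the
# client connected to) must still match the subject CN or a SAN entry.
verify_hostname() {
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_at_time NAME EPOCH: evaluate the validity period as of an arbitrary
# time, so the "certificate has expired" failure can be reproduced today.
verify_at_time() {
  openssl verify -CAfile "$WORK/$1.pem" -attime "$2" "$WORK/$1.pem" \
    >/dev/null 2>&1
}

# still_valid_after NAME SECONDS: the warning most TLS stacks never give you.
# Exit status 0 means the certificate is still valid SECONDS from now, 1 means
# it will have expired by then; run it from cron against every served cert.
still_valid_after() {
  openssl x509 -in "$WORK/$1.pem" -noout -checkend "$2" >/dev/null 2>&1
}

# Walk through the sequence described in the text.
demo() {
  issue_selfsigned "Joshua Davies" davies
  issue_selfsigned localhost local
  verify_untrusted davies || echo "1. rejected: issued by an untrusted (self) CA"
  verify_trusted davies && echo "2. accepted once installed as a trusted root"
  verify_hostname davies localhost || echo "3. rejected: subject CN is not localhost"
  verify_hostname local localhost && echo "4. reissued with CN=localhost: accepted"
  later=$(( $(date +%s) + 60 * 86400 ))
  verify_at_time local "$later" || echo "5. rejected when checked 60 days from now"
  still_valid_after local 2592000 || echo "6. warning: expires within 30 days"
}

demo
```

Each function returns openssl's own exit status, so the same checks drop straight into a monitoring script; the 30-day `-checkend` window in step 6 is the kind of scheduled check that turns a silent expiry into an advance warning.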