Consider a situation in which you want to log in to your bank’s website and transfer some money. You open a web browser, type in the URL of your bank (or use a browser bookmark), and then log in to the bank. But how do you know that it is really your bank?
It is possible that your browser has been directed to a website that isn’t your bank. This redirection might have been done by an individual or group that is trying to steal your login information to gain access to your bank account. You might even have seen this attempt in action. Figure 10.2 shows a message that your web browser will display if it appears that the server you are trying to connect to really isn’t the correct server.
FIGURE 10.2 Invalid certificate warning
This discussion brings up another question: how does your web browser know that you are potentially communicating with a rogue server? The answer is by its certificate.
When you communicate using the HTTPS protocol (note that this does not apply to HTTP; the S must be in the URL), your browser knows that it must verify the validity of the web server’s certificate. It does this by querying a certificate authority (CA), which is a trusted third-party organization that can look at a web server’s certificate and verify that it is really the correct web server. You can look at your browser’s settings and see a list of the CAs that your browser uses, as shown in Figure 10.3.
FIGURE 10.3 List of CAs on a Google Chrome Browser
Note that these certificates are also commonly called SSL/TLS certificates in context to HTTP services and functions, and they are based on the public key infrastructure (PKI).
PKI is a standard that defines how digital certificates are created, revoked, managed, stored, used, and distributed. It utilizes a pair of cryptographic keys (public and private), which not only allows the creation and verification of certificates but also provides a way to encrypt the data that is transported between the client and the server.
For the certification exam, you don’t need to know all of the details of PKI, but you do need to know some key terms:
Digital certificate: A unique value that contains a collection of data that is used to identify an entity (that is, a server). For example, think of certificates in your browser store.
CA: Certificate authority; an entity that validates, signs, and issues the digital certificates. For example, Verisign CA and GeoTrust CA are public CAs. Note that AWS provides a tool called AWS Certificate Manager that can manage both public and private certificates.
Public key: A unique cryptographic key that is publicly shared. Data encrypted by the public key can be decrypted only by the corresponding private key.
Private key: A unique cryptographic key that is never shared. It is used to decrypt data that was encrypted by the corresponding public key.
CRL: Certificate revocation list; a list that defines the certificates that the CA no longer considers valid. For example, a certificate that was deemed to be no longer secure but is valid can be declared as void in the CRL.
CSR: Certificate signing request; a request to a CA to generate a digital certificate. The CSR must contain specific information, including the public key for the organization, and must be “signed,” a process verifying that the organization making the CSR possessed the private key.