Compare Revisions

Secure website certificate

Revision 196929:

Revision 196929 by AliceWyman on

Revision 229689:

Revision 229689 by unixfan on

Keywords:

Security viewer
Security viewer

Search results summary:

Websites can present Firefox with a certificate to identify themselves. Find out how Firefox checks the authenticity of the sites you visit.
Websites can present Firefox with a certificate to identify themselves. Find out how Firefox checks the authenticity of the sites you visit.

Content:

A secure website certificate helps Firefox determine whether the site you are visiting is actually the site that it claims to be. This article explains how that works.

__TOC__

=Certificate hierarchy=
When you visit a website whose web address starts with '''https''', your communication with the site is encrypted to help ensure your privacy. Before starting the encrypted communication, the website will present Firefox with a certificate to identify itself.

An https website is only secure to the extent that the website is operated by someone in contact with the person who registered the domain name, and the communication between you and the website is encrypted to prevent eavesdropping. No other surety is implied.

When you visit a secure website, Firefox will validate the website’s certificate by checking that the certificate that signed it is valid, and checking that the certificate that signed the parent certificate is valid and so forth up to a [https://wiki.mozilla.org/CA:UserCertDB root certificate] that is known to be valid. This chain of certificates is called the ''certificate hierarchy''.

<!-- Certificate content section no longer matches the information on the Certificate Viewer page. See discussion on updates for fx71.
=Certificate content=
Secure website certificates contain the following information.

'''Serial Number''': Uniquely identifies the certificate.
'''Subject''': Identifies the certificate owner, such as the name of the organization owning the certificate.
'''Issuer''': Identifies the entity that issued the certificate.
'''Subject Alt Name Extension''': List of website addresses that the certificate can be used to identify.
'''Signature''': Data that verifies that the certificate came from the Issuer.
'''Signature Algorithm''': Algorithm used to create the Signature.
'''Valid-From''': The date the certificate is first valid.
'''Valid-To''': The expiration date.
'''Key-Usage and Extended Key Usage''': Specifies how the certificate may be used, such as for confirming ownership of a website (Web Server Authentication).
'''Public Key''': The public part of the data that comprises the public/private key pair. The public and private keys are mathematically linked, so the data encrypted with the public key can only be decrypted with the corresponding private key.
'''Public Key Algorithm''': Algorithm used to create the Public Key.
'''Fingerprint''': An abbreviated form of the Public Key.
'''Fingerprint Algorithm''': Algorithm used to create the Fingerprint.
-->

=View a certificate=
You can quickly view the certificate details for the website that you are currently viewing, from the [[Firefox Page Info window|Firefox Page Info window]].

{for not fx70}
When you have browsed to a website whose web address starts with '''https''', there will be a lock icon at the beginning of the address bar. Do the following to view a certificate:

# Click the Site Info [[Image:Site Info button]] icon in the address bar.
# Click the right arrow in the [[Site Information panel|Control Center]] drop-down panel.
# In the next panel, which will show who verified the certificate, click the {button More Information} button.
#;[[Image:Fx60SecureSite-MoreInfo]]
# From the {menu Security} tab in the '''Page Info''' window that opens, click the {button View Certificate} button.
#; [[Image:Fx60PageInfo-ViewCertificate]]
{/for}

{for fx70}
When you have browsed to a website whose web address starts with '''https''', there will be a lock icon at the beginning of the address bar. Do the following to view a certificate:

# Click the lock [[Image:Fx70GreyPadlock]] icon in the address bar.
# Click the right arrow in the [[Site Information panel|Site Information]] drop-down panel.
# In the next panel, which will show who verified the certificate, click the {button More Information} button.
#;[[Image:fx71 - View Certificate]]
# From the {menu Security} tab in the '''Page Info''' window that opens, click the {button View Certificate} button.
#; [[Image:Fx70PageInfo-ViewCertificate]]
{/for}

{for not fx71}
The '''Certificate Viewer''' window that opens will display basic information about the certificate, such as issuer, period of validity and fingerprints. The {menu Details} tab will show the certificate hierarchy, certificate fields for the selected certificate on the hierarchy, and field value details for the selected field.
{/for}

{for fx71}
The '''Certificate Viewer''' tab that opens will display detailed information about the certificate, such as issuer, period of validity, fingerprints and more.

[[Image:Fx71-CertificateViewer]]

The Certificate Viewer shows the '''certificate hierarchy''' in column headings, like ''tabs'' inside the page. You can click on each certificate heading to view its listed information.
{/for}

<!-- see discussion
==From Firefox settings==
From the '''Certificates''' section of your Firefox settings, you can view all certificates that have been saved, along with their corresponding details.

# [[Template:optionspreferences]]
# Click {menu Privacy & Security} in the left panel.
# Scroll down to the '''Certificates''' section.
# Click the {button View Certificates…} button.
#;The '''Certificate Manager''' pop-up displays with the {menu Your Certificates} tab selected by default, which contains a list of associated certificates.
# Click a certificate from the list.
# Click the {button View…} button at the bottom of the pop-up.
#; The about:certificate page displays in a new tab with general information about the certificate such as issuer, period of validity and fingerprints.
-->

=Problematic certificates=
When you browse to a website whose web address starts with '''https''' and there is a problem with the secure website certificate, you will see an error page. Some common certificate errors are described in the [[What do the security warning codes mean?]] article.

To view the problematic certificate, follow these steps:

{for not fx66}
# On the '''Your connection is not secure''' warning page, click '''Advanced'''.
# Click the {button Add Exception…} button.
#;{for win}[[Image:Add Cert Exception 44]]{/for}
# When the Add Security Exception dialog appears, click the {button View…} button.
#;The Certificate Viewer dialog displays.
{/for}

{for fx66}
# On the '''Warning: Potential Security Risk Ahead''' page, click '''Advanced'''. (On other error pages, click '''More Information'''.)
#; Technical details about the error display.
#Beneath the Error code, click '''View Certificate'''.
#;The Certificate Viewer dialog displays.
#;[[Image:Fx66ViewCertificate]]
{/for}

=Reporting certificate errors=
Certificate error pages include an option to report the error to Mozilla. Sharing the address and site identification (the secure website certificate) for the site that was untrusted will help Mozilla identify and block malicious sites to keep you better protected.

<!-- see discussion
=Delete Certificates=
You can delete certificates by doing the following:

# [[Template:optionspreferences]]
# Click {menu Privacy & Security} in the left panel.
# Scroll to the '''Certificates''' section.
# Click the {button View Certificates…} button.
#;The '''Certificate Manager''' pop-up displays with the {menu Your Certificates} tab selected by default, which contains a list of associated certificates.
# Click a certificate from the list.
# Click the {button Delete…} button at the bottom of the pop-up.
#; A confirmation pop-up displays.
# Click the {button OK} button.
#;The certificate no longer displays in the {menu Your Certificates} tab.
-->
[https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/ Transport Layer Security] (TLS) certificates verify the integrity of both the ownership and information of websites you visit. This article explains how it works.

__TOC__

=What Websites Use Certificates?=
Websites whose addresses start with '''https''' use TLS Certificates. Websites using TLS certificates are secure only insofar as they verify two things:

* The website administrator owns the website name or knows who does
* The website is encrypting the connection between your browser and itself to prevent eavesdropping

=Chain of Trust=
Browsers, such as Firefox, verify certificates through a hierarchy called a '''chain of trust'''. It defines a structure for browsers and other programs to verify certificate integrity.

This diagram illustrates the chain of trust:

It's a list of three certificates:

* The root '''(trust anchor)''' certificate
* The intermediate certificate
* The server '''(end entity)''' certificate

Let's define them: the root certificate belongs to the [https://en.wikipedia.org/wiki/Certificate_authority Certificate Authority] (CA), which issues TLS certificates and the browser inherently trusts; the intermediate certificate acts as an intermediary between the root CA and the website; the server certificate belongs to the website administrator.

These certificates contain the following information:

* Details about the Certificate Authority (CA)
* An asymmetric key pair
** A private key that cryptographically signs the next certificate in the chain; the server certificate has one for other tasks
** A public key for decrypting the signature of the next certificate in the chain for identity verification; the server certificate uses it for other tasks

Now, we can describe how Firefox determines whether a website is secure.

==How Does Firefox Verify Certificate Integrity?==
Here is how Firefox uses the chain of trust to verify TLS certificates:

# Firefox downloads the certificate of the website you visited
# Firefox checks the certificate against its internal database of Certificate Authorities (CAs)
#* It uses the public key of the root CA certificate to ensure that the root certificate and intermediate certificate properly signed down the chain
# Firefox checks with the CA to ensure that the website you're connected to matches the website on the server certificate
# Firefox generates a symmetric (single) key for encrypting HTTP traffic for the connection
# Firefox encrypts the symmetric key with the public key of the server certificate
# The private key, which is on the web server, decrypts the connection data

=Viewing a Certificate=
To view a certificate, follow these steps:

# Click on the padlock icon
# Click on {button Connection secure}
# Click on {button More Information}
# In the pop-up window, click {button View Certificate}

Firefox will now open the '''about:certificate''' page with the certificate for the website you're on. The three tabs show, from left to right, the server certificate, the intermediate certificate, and the root certificate.

=Certificate content=
TLS certificates contain the following information:

* '''Subject''': Contains the website name and optional attributes, such as information about the organization owning the certificate.
* '''Issuer''': Identifies the entity that issued the certificate
* '''Validity''': Shows how long the certificate is valid for
* '''Subject Alt Name Extension''': Lists the website addresses that the certificate is valid for
* '''Public Key Info''': Lists attributes of the public key of the certificate
* '''Serial Number''': Uniquely identifies the certificate
* '''Signature Algorithm''': Algorithm used to create the Signature
* '''Fingerprints''': Hash of the certificate file in [https://wiki.openssl.org/index.php/DER DER] binary format
* '''Key-Usage and Extended Key Usage''': Specifies how people can use the certificate, such as for confirming ownership of a website (Web Server Authentication)
* '''Subject Key ID''': An identifier generated from the TLS certificate's public key as a way to identify the certificate
* '''Authority Key ID''': An identifier generated from the TLS certificate's public key as a way to identify the public key corresponding to the private key used to sign the certificate
* '''CRL Endpoints''': The locations of the [https://csrc.nist.gov/glossary/term/certificate_revocation_list Certificate Revocation List] (CRL) of the issuing CA
* '''Authority Info''': Contains the validation method for the certificate authority and the intermediate certificate file
* '''Certificate Validation''': Contains the certificate validation type and a link to the CA's [https://csrc.nist.gov/glossary/term/certification_practice_statement Certification Practices Statement] (CPS)
* '''Embedded SCTs''': Lists the [https://www.globalsign.com/en/blog/what-is-certificate-transparency Signed Certificate Timestamps] (SCTs)

=Problematic certificates=
When you browse to a website whose web address starts with '''https''' and there is a problem with the secure website certificate, you will see an error page. Some common certificate errors are described in the [[What do the security warning codes mean?]] article.

To view the problematic certificate, follow these steps:

{for not fx66}
# On the '''Your connection is not secure''' warning page, click '''Advanced'''.
# Click the {button Add Exception…} button.
#;{for win}[[Image:Add Cert Exception 44]]{/for}
# When the Add Security Exception dialog appears, click the {button View…} button.
#;The Certificate Viewer dialog displays.
{/for}

{for fx66}
# On the '''Warning: Potential Security Risk Ahead''' page, click '''Advanced'''. (On other error pages, click '''More Information'''.)
#; Technical details about the error display.
#Beneath the Error code, click '''View Certificate'''.
#;The Certificate Viewer dialog displays.
#;[[Image:Fx66ViewCertificate]]
{/for}

=Reporting certificate errors=
Certificate error pages include an option to report the error to Mozilla. Sharing the address and site identification (the secure website certificate) for the site that was untrusted will help Mozilla identify and block malicious sites to keep you better protected.

<!-- see discussion
=Delete Certificates=
You can delete certificates by doing the following:

# [[Template:optionspreferences]]
# Click {menu Privacy & Security} in the left panel.
# Scroll to the '''Certificates''' section.
# Click the {button View Certificates…} button.
#;The '''Certificate Manager''' pop-up displays with the {menu Your Certificates} tab selected by default, which contains a list of associated certificates.
# Click a certificate from the list.
# Click the {button Delete…} button at the bottom of the pop-up.
#; A confirmation pop-up displays.
# Click the {button OK} button.
#;The certificate no longer displays in the {menu Your Certificates} tab.
-->
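
The chain check described under "How Does Firefox Verify Certificate Integrity?", as an added example that is not part of the article or of Firefox: it uses the openssl command-line tool (not Firefox's own verifier) to build a throwaway root, intermediate and server certificate, then shows that validation succeeds only when the intermediate is available and the requested name is listed in the Subject Alt Name. All subject names and www.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> server chain, checked with
# `openssl verify`. All subject names and www.example.test are constructed.
set -eu

# issue NAME SUBJECT EXTFILE [ISSUER]: new key pair plus certificate. Without
# ISSUER the certificate is self-signed (the root); otherwise ISSUER's private
# key signs it, which is the link the next verification step checks.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -days 30 -extfile "$3" \
      -CA "$4.pem" -CAkey "$4.key" -CAcreateserial -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -days 30 -extfile "$3" \
      -signkey "$1.key" -out "$1.pem" 2>/dev/null
  fi
}

# build_chain DIR: create root.pem, inter.pem and server.pem inside DIR.
build_chain() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
  issue root   "/CN=Example Root CA"         ca.ext
  issue inter  "/CN=Example Intermediate CA" ca.ext   root
  issue server "/CN=www.example.test"        leaf.ext inter
)

# chain_ok DIR HOSTNAME [skip-intermediate]: succeed only if server.pem chains
# to the trusted root AND its Subject Alt Name covers HOSTNAME.
chain_ok() (
  cd "$1"
  if [ "${3:-}" = skip-intermediate ]; then
    openssl verify -CAfile root.pem -verify_hostname "$2" server.pem
  else
    openssl verify -CAfile root.pem -untrusted inter.pem -verify_hostname "$2" server.pem
  fi >/dev/null 2>&1
)

demo() {
  d=$(mktemp -d); build_chain "$d"
  chain_ok "$d" www.example.test && echo "full chain, matching name: trusted"
  chain_ok "$d" www.example.test skip-intermediate || echo "intermediate missing: rejected"
  chain_ok "$d" other.example.test || echo "name not in certificate: rejected"
  rm -rf "$d"
}
demo
```

Only root.pem is placed in the trust store (`-CAfile`); the intermediate is passed as `-untrusted`, so it is accepted solely because the root's signature on it verifies.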
