Dealing with Untrusted Secure Sites

This document has these sections:

1. Background Information
2. Trusting UW Services CA
3. Trusting a Site
4. Troubleshooting

Background Information

When a web address starts with https: instead of http:, it's using SSL– the secure sockets layer (or successor protocol TLS). That means two things:

1. traffic between the site and your browser is encrypted
2. the site has taken steps to certify its identity

It's all done using a certificate– a special file on the web server, presented to visiting web browsers, that contains a little bit of data about who it claims to be and why we should beleive it.

The "why we should beleive it" part is based upon a chain of trust. In essence, we trust the web server because somebody else that we have agreed to trust– a certificate authority (CA)– certifies that the web server is who they say they are. They do that by signing the certificate.

You may now know it, but when you installed your browser, you agreed to trust all sorts of folks. Each browser ships with a preinstalled set of dozens of root certificates issued by commercial certificate authorities. They are root certificates because they are at the top of the chain of trust. You trust them because the browser maker trusts them.

The chain of trust works this way: if you are on record as trusting the outfit that signed the certificate that is presented by a web server, you silently trust the web server, too. If you aren't on record as trusting the signer, you don't trust the web server, either. Loudly.

Follow the Money

You can probably guess why certificate authorities sign certificates: for the money. They charge hundreds of dollars to sign a certificate, which expires after a year or two. And then they charge a few hundred dollars to sign a new one. It's a great business model: they make a few calls, maybe check around a little, sign your certificate, then head to the bank with a big bag o' money. Fortunes have been made.

You can guess, too, why educational institutions don't like to play this game.

Enter UW Services Certificate Authority

Since it's so expensive to buy web server certificates, and since it's so easy to trust an additional certificate authority, many large organizations create their own certificate authorities for internal uses. The University of Washington is no exception. The fine folks at UW Technology have created the UW Services CA for this purpose. And academic units all over campus have deployed web services that use certificates signed by that CA.

There are actually two ways to go on record as trusting a certificate authority: by installing the browser with all the root certificates it includes, and by adding additional root certificates after installation.(You can remove them, too– when you remove a root certificate, you remove your trust of all the certificates it signed.) Adding a root certificate can be as simple as visting a web page and clicking through a few dialog boxes.

Trusting UW Services CA

If you are reading this page, it's probably because you tried to visit an HTTPS web site that is certified by UW Services CA, but you don't have their root certificate installed in your browser. You saw a scary but arcane warning, so you contacted the web site administrator. And they sent you here. We can help you with that.

UW Technology has created a web page to marshall the process of installing their root certificate. Find it at this address: https://www.washington.edu/computing/ca/ . That's an HTTPS web address, but you won't get a warning because UW Technology paid hundreds of dollars to a commercial CA to get this one certificate signed.

To trust UW Services CA, follow the procedure below.

Installing the Root Certificate

1. Browse to https://www.washington.edu/computing/ca/ .

2. Click on the Install the UW Services CA Certficate Now! button. If you get an alert to the effect that "This certificate is already installed as a certificate authority," your browser already has the root certificate for UW Services CA, and you are good to go. Unless you encounter this rare and obscure problem.

3. You should see a dialog box pop up like the one at right (Firefox 3). Check all the boxes and press "OK."

The details differ slightly for other browsers, but the prinicples are the same. You are done.

Trusting a Site

You don't need to install and trust a root certificate to use a site that uses a certificate signed by a CA that you haven't agreed to trust. Instead, you can choose to trust just that site. And you can trust it for just the current session or indefinitely.

Trusting for the session is expedient if you don't expect to visit the site again, or frequently, or if you are on a machine that you don't control.

Trusting a site indefinitely is useful if you don't want to take the time to hunt down the associated root certificate or if the certificate is self-signed– in which case there is no assocated root certificate.

Here's how to do it in Firefox 3. For Internet Explorer 7, click here. For Opera 9.6, click here.

1. At right is the warning that Firefox 3 displays when it encounters a certificate for which it cannot complete the chain of trust. Pretty scary, right? What we want to do is add an exception to the policy that says that we shall not visit web sites for which the chain of trust is not complete, so click on "Or you can configure an exception...".

2. Before you can trust the site, you must fetch the certificate. Click on the "Get the certificate" button.

3. You can look at the details of the certificate by clicking on the "View the certificate" button, but that's optional. Decide whether you want to trust the site for the session or indefinitely, then clear the "permanently store this exception" checkbox for the former or set it for the latter. Click on "Confirm Security Exception."

You are done.

Adding a Certificate to Internet Explorer 7

Of course, the procedure in Internet Explorer 7 is entirely different.

1. At right, the message that Internet Explorer 7 displays when it encounters an issue with a certificate. Click on "continue to this website (not recommended)." That's right: I'm recommending it.

2. When you get there the location bar is a scary bright red color, and the rightmost portion reads "Certificate Error." Click on that.

3. There's your problem in Redmondspeak: "the certificate cannot be verified up to a trusted certification authority." Click on "Install certificate."

4. If your stomach starts to turn when you see messages like "Welcome to the certificate import wizard," I have good news for you: you can just acccept all the defaults. Three more clicks and you are home free.

Adding a Certificate to Opera 9.6

Opera– which is a pretty secure and capable if unpopular browser choice– does an outstanding job of explaining what the issue is and how to fix it.

1. At right, the message that Opera 9.6 displays when a certificate with an incomplete chain of trust is encountered. Click on "Security."

2. Check the "Remember my choice for this certificate" box and then click on "Approve."

Done.

Troubleshooting

Currently, there is only one problem that we tell you how to solve, and that only affects users of Firefox 3.

Firefox 3: The "Already Installed" Problem

Some Firefox users have reported that they get an "unrecognized certificate authority" warning when they visit a site that is certified by UW Service CA even when the root certificate is installed. Very frustrating. The only fix we know is to (1) remove the root certificate and then (2) reinstall the root certificate.

Removing the Root Certificate

Removing a root certificate is performed using a series of dialog boxes built into the browser.

Here's how to do it with Firefox:

1. Select "Options" from the "Tools" menu.

2. Select "Advanced," "Encryption," and "View Certificates."

3. Select "Authorities," then scroll down to locate "UW Services CA." Select it, then press "Delete." Confirm the action.