Checking Root Certificate Authorities

On the page Checking that a Site is Secure I covered how to look up the certificate attached to a secure web page. This certificate was issued by a "trusted" authority but how can we determine which authorities to trust?

Well, each web browser is supplied with a list of those issuing authorities that are considered to be trusted sources by the company that created the browser. Obviously the browser company staff must have done some work to determine which certificate issuing authorities should be in the trusted list but each browser has different entries in the list. You will have to make up your own mind which ones to trust.

To check the trusted issuing authorities list in Internet Explorer go to Internet Options from the Tools menu and select the Content tab. Select the button from this page labelled Certificates... and then select the Trusted Root Certificate Authorities tab to access the list of issuing authorities that Internet Explorer trusts.

To check the trusted issuing authorities list in Netscape go to Preferences in the Edit menu and then select the privacy & Security tab then the Certificates tab. Next select Manage Certificates and then select the Authorities tab to access the list of issuing authorities that Netscape trusts.

To check the trusted issuing authorities list in Opera go to preferences in the File menu and select the Security tab. Now select the Authorities button to obtain a list of issuing authorities Opera trusts.

As mentioned before each of these lists is different. In fact there are only three entries that appeared on all three lists when I checked them. These are

Another way to check on whether or not you ought to trust a particular issuing authority as guaranteeing the identity of the owners of the sites to whom they issue certificates is to go to the web site of an issuing authority that you do trust and search their site for references to the authority that you are investigating. In some cases you will be able to find references that the authority that you already trust guarantees the validity of certificates issued by another authority.

In any case you have to start somewhere by trusting someone to provide you with believable information before you go entering your credit card details into a web page. Certificates tell you who the owner of the secure page is and who issued the certificate that identifies them as such. In the final instance it is up to you which issuing authorities you decide to trust to identify the site owners that you are prepared to deal with.

This information is provided to assist you in determining how secure payments that you wish to make over the internet may be. Felgall Pty Ltd and its staff accept no responsibility for the results of any actions that you may take based on the information provided on this page.

 

This article written by Stephen Chapman, Felgall Pty Ltd.

go to top

FaceBook Follow
Twitter Follow
Donate