When you go to a website and the address says https instead of http or you see a little lock button in the address bar, it means the data being transmitted back and forth is encrypted. Any other computer along the way on the internet cannot read the contents of the transmissions. However, sometimes you get a warning about visiting an encrypted site that says your identity is being phished or that you cannot trust the connection. I’m going to explain what that means and when you should bypass the warning anyway and when you should not.
First, encrypted communication works as follows. There are key pairs known as public keys and private keys. Public keys can encrypt data, but only the matching private keys can decrypt the data. Your computer and a web server will both openly exchange public keys (in the form of “certificates”) with each other and use them to encrypt messages. The private keys remain on the original machine, never transmitted over the internet. That way, the only machine that can decrypt a message is the one whose public key was used to encrypt it.
(By the way, you’ll notice in the picture of my certificate that it uses the same sha256 hashing algorithm that I mention in my post on Dropbox hashing.)
A problem arises with verifying the identity of another server. Sometimes when you initiate a connection to a server, you will see a message saying that the server’s certificate is unfamiliar or unknown. It asks you to confirm to the program that you’re really talking directly to the server you think you’re talking to. A hacker could theoretically be intercepting traffic to and from your computer and presenting you with his certificate so that he can decrypt the data (such as your password) you intended to send to the server. This could be a risk if you connect to “FreeAirportWiFi” or “linksys” or some other hostile network designed to steal your data. Luckily, there is a way to check who you’re really communicating with.
The internet verifies identities by using trusted “certificate authorities”. Your browser comes installed with public key certificates for known entities such as Google, Microsoft, Apple or Symantec. This means that you can send messages intended for Google that you know only Google can decrypt. Certificate authorities maintain lists of domain names and their associated certificates. When I registered charvak.com with a certificate authority, they validated my identity using a credit card and validated my ownership of the domain with some test emails. This process is called “signing” the certificate.
When initiating a secure connection with a site such as Facebook, the site you think is Facebook sends your browser a certificate to encrypt data, but you can’t yet be sure that it’s not a forged certificate from an intercepting hacker. So you encrypt that certificate with your existing public key for Google and send it to Google for validation. Google checks if it’s the correct certificate for facebook.com and sends you a message letting you know whether it is. If it’s not, you know you’re not talking to the right server. That’s when you should be worried about your password being phished.
Sometimes, you connect to a friend’s computer securely, but its certificate isn’t signed by a trusted authority so you cannot know it’s really the right computer. For example, https://beta.synology.me:5001/webman/index.cgi I actually don’t know who that is, I just guessed an address. If it were a friend of mine, I would have to trust or hope that I’m communicating with the correct site. Chances are, nobody is going to expend the effort to impersonate that site and attempt to hack it. And all the transmissions are still encrypted, so no packet sniffer that’s scanning everything for passwords will be able to see them and enable its operator to hack the site. Also, note that the example site above ought to disable this page http://beta.synology.me:5000/webman/index.cgi because it’s not encrypted (not https). Any users who attempt to log in that way expose the server to being compromised if a malicious computer along the way picks up the password. And there are lots of malicious computers out there considering that any open ports start getting perpetual hack attempts from China, Brazil or Russia.
You can see that every few hours, someone tries to hack my server. It’s set to block access from the IP address after a few failed login attempts, so they cannot try very many passwords. The hackers rely on botnets to be able to keep trying from different IP addresses, but I think they’re realizing that it’s not fruitful to target my machine because it quickly blocks the IP addresses and the password must be secure.
Knowing what you know now, it’s a lot easier to understand what’s written in this warning from Microsoft.