SSL Frequently Asked Questions

SSL stands for Secure Sockets Layer, a technology used on the Internet to transmit online communications in an encrypted form. A digitally secure communications channel is established between the server (Web site) and the client (your computer and Web browser), after which all data passed between the two is encrypted. The encryption and decryption process is provided by the use of digital signatures, and whether a Web site is what it says it is can be determined by using digital certificates that are signed by a Certificate Authority acting as a trusted third party.

When a site has purchased an SSL Digital Certificate from a Certificate Authority, it can utilize the https://... protocol instead of the http:// protocol to provide encryption of data and verification of identity, which helps to answer the questions:

"Can anyone on the network between me and the Web site grab the information I am submitting and make any sense out of it?"
"Am I really talking directly to my bank's site or is there someone hijacking my session in between?"

What is an SSL Digital Certificate?

An SSL Digital Certificate is a digital representation of information that a Web site purchases from a trusted third-party Certificate Authority. The certificate verifies and communicates the identity of the site, the validity period of the site's certificate, the site's public key (for encryption and decryption purposes), and the Certificate Authority's identity.

An SSL Digital Certificate allows someone browsing to a site to know that they are directly talking with that site and that all information being passed between that site and their computer is encrypted and safe from anyone else seeing it.

NOTE: Although a valid SSL Digital Certificate verifies company information and data integrity, it does not mean that a company is "good" or that it will deliver goods and/or services as expected. As always, this is an area that the consumer must research and assume responsibility for.

How do I know that I am protected when I enter my credentials into a Web site form?

When a Web site purchases and installs an SSL Digital Certificate, it then has the capability to serve pages over SSL. From a user's standpoint, this simply means that they have followed a link to a site name using the form https://www.sitename.com rather than http://www.sitename.com (notice the "s" in the first "https://..."). There is not a great deal of extra work for the user, but what happens in the background is significantly more complex and helps to ensure the confidentiality of information passed between the user and the site. The user is often notified of the use of SSL on a site by the tell-tale padlock that shows up in their browser tool bar (this varies from browser to browser). This padlock can be opened (usually by a double-click) to see details about the certificate that the site is using to communicate with the user.

EXAMPLE

Let's walk through this and explain exactly what happens when you visit an SSL secured site and enter your credentials:

  1. I am going to check my bank account for the balance using their online Web service. My bank account's URL is http://www.mybank.com. I open a Web browser and type in my bank's URL. At this point, it opens my bank's Web site and is still just using the http:// protocol, so all the information I have exchanged with the site up to this point is unprotected and available for the less-than-scrupulous to gather and look at.
     
  2. Once on their site, I click on the hyperlink on their homepage to enter the area where I can input my username and password to login to my account. This hyperlink is https://www.mybank.com/accounts, and since the URL includes the https:// protocol, as soon as I click it, a couple of things happen:

    The Web browser I am using and the server both notice that the protocol has changed from http:// to https://; the server tells my browser "this is who I am" and provides a special digital signature for my browser to use to check on a couple of key pieces of information:

    Is the server that I am talking to actually www.mybank.com?

    Has the certificate for www.mybank.com expired?

    Does my browser trust the Certificate Authority that issued the certificate to the www.mybank.com site?

    Once everything checks out, my browser and the site exchange "keys" that allow us to talk back and forth in an encrypted manner to ensure that the site, in that session, is the only thing that can read the information we pass back and forth.
     
  3. I now enter my username and password and check my bank balance knowing that information that I enter and that the site sends back to me is only viewable by me at that specific time.

How do I know when I am at risk?

You are at risk anytime you enter any secure information or credentials online without the use of SSL.

When using SSL, you are at risk during the initial check when your browser is verifying the site's information, which is the critical step. If your browser receives any information that does not match what it is expecting, you get a pop-up that explains that there was a problem and attempts to tell you what the problem was. These problems fall into one of three categories:

  1. The server name that I am talking to does not match what its certificate says it is supposed to be:

    This can mean that you entered a shortened URL such as https://uwmail rather than entering the full name of the site, https://uwmail.uwyo.edu, which is what was used to get the original certificate.

    This can also mean that you entered an alias for the site name, which may be used to make the name easier to remember. Examples include entering https://exchange.uwyo.edu, which is an alias for the actual site name of https://uwmail.uwyo.edu.
     
  2. The certificate that it sent has expired:

    This indicates that the company did not renew the certificate for the site. Certificates are issued in various blocks of time and must be renewed periodically.
     
  3. The browser does not consider the Certificate Authority that issued the certificate to the site a "trusted" authority:

    This indicates that the browser does not recognize the Certificate Authority (CA), and thus it tells the user about the problem. The issue with this problem is that issuing certificates is something that literally anyone can do. Thus, you must put considerable thought and research into whether you should allow your browser to trust the specific CA. There are many large commercial Certificate Authorities that back up their certificates in various ways to show that they are reputable and honest companies and that they can be trusted. These companies are often added to browsers automatically by the bigger companies so that their certificates are trusted automatically. This is why entities usually choose to purchase certificates when they have public sites that need SSL; otherwise, when you hit an SSL page on their site you would get this error message and it would be up to you to determine if the company is reputable and honest.

    IMPORTANT: This particular error may also have a more sinister cause. In some cases, it is possible for a less-than-scrupulous individual who is connected to the same network as you to load software that acts as a middle-man between you and your gateway to the Internet. This is very hard to detect and, if you as the user are not careful and security conscious, it is an easy way for that individual to potentially get the accounts and passwords that you enter into online sites, even those secured with SSL (if you choose to trust their CA and enter the site). The Certificate Authority signature cannot be faked, so if someone is hacking your network traffic, you will get a warning such as this one when the hacker attempts to fake the certificate.

These errors can have a lot of meanings and implications. It is imperative that you as the user are very conscious of your actions online and do not disregard warning messages. The bottom line is that if you get any error messages when accessing an SSL site or page, it is best to cancel that session and not enter any confidential information. Call the company and verify that their pages are up and running, and talk to them about the error before utilizing their online services. Also, any time you are prompted for credentials, you should always ensure that the page is using SSL by looking for the tell-tale padlock. Sometimes companies write SSL Web pages that are embedded within other non-SSL pages and you do not see the padlock. In these instances, it is best to call the company and verify that the pages are using SSL prior to entering anything confidential. It is always better to be safe than sorry.

What is UWYOCERTAUTH, and why am I sometimes asked whether I "trust" it or not?

There are a couple of ways to get a certificate that allows for an SSL connection to be made to the Web servers. One way is to pay for a certificate from a nationally recognized vendor who has paid to be included by default in many of today's most popular Web browsers. When this is done, most of the time you never see a message about "trusting" that authority. This vendor issues a certificate from what is called a Certificate Authority, and if anyone ever wants to check the validity of a certificate, it is tracked back to a Certificate Authority for validation.

To save costs, UW runs our own Certificate Authority here on campus for all development servers that require SSL on them. Under normal circumstances, we push the "trusting" of our certificate authority out to all computers that belong to the UWYO domain. Therefore, these computers will not see any messages. When a person is prompted with this information when on campus, the person probably tried to come in from a system that was not a member of the UWYO domain (one from another domain that doesn't trust UWYO or a personal computer). In this case, since the Web browser they are using does not automatically recognize the UW certificate authority (named UWYOCERTAUTH.UWYO.EDU), the browser stops and says "Hey, I don't know this certificate issuer, do you want to trust them?" In most cases, the user wants to be wary when they see this message; however, in this case, since it is a legitimate server, they are okay to go ahead and trust it. The user can also choose to always trust that authority; this will discontinue the prompts about not recognizing UWYOCERTAUTH, which is used on a number of development servers around campus.
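
The three checks listed under "How do I know when I am at risk?" and the UWYOCERTAUTH trust prompt described above, as an added Python example that is not part of the original FAQ or any UW code. It is a simplified model: trust is decided by looking up the issuer's name in a local list, whereas a real browser verifies the CA's signature on the certificate. The certificates, dates, "Example Public CA" and dev-server.example are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Local trust lists (constructed). "Example Public CA" is a hypothetical vendor CA.
PERSONAL_PC = {"Example Public CA"}
DOMAIN_PC = PERSONAL_PC | {"UWYOCERTAUTH.UWYO.EDU"}  # campus CA pushed to domain members

def make_cert(name, issuer, not_after):
    """Constructed sample in the dict shape returned by SSLSocket.getpeercert()."""
    return {"issuer": ((("commonName", issuer),),),
            "notAfter": not_after,
            "subjectAltName": (("DNS", name),)}

def name_matches(host, pattern):
    """Exact match, or a '*' pattern standing for exactly the left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().split(".")
    if len(h) != len(p):
        return False  # short name 'uwmail' never matches 'uwmail.uwyo.edu'
    if p[0] == "*" and len(p) > 2:
        return bool(h[0]) and h[1:] == p[1:]
    return h == p

def check_certificate(cert, host, trusted_issuers, now):
    """Return the warnings a browser would raise, in the FAQ's order (1, 2, 3)."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(host, n) for n in names):
        problems.append("name-mismatch")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now >= expires:
        problems.append("expired")
    # Simplification: a real client verifies the CA's signature, not just its name.
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("commonName")
    if issuer not in trusted_issuers:
        problems.append("untrusted-issuer")
    return problems

if __name__ == "__main__":
    now = datetime(2007, 6, 1, tzinfo=timezone.utc)  # constructed "current" time
    mail = make_cert("uwmail.uwyo.edu", "Example Public CA", "Jan  1 00:00:00 2008 GMT")
    dev = make_cert("dev-server.example", "UWYOCERTAUTH.UWYO.EDU", "Jan  1 00:00:00 2008 GMT")
    for host in ("uwmail.uwyo.edu", "uwmail", "exchange.uwyo.edu"):
        print(host, check_certificate(mail, host, PERSONAL_PC, now))
    for store in (DOMAIN_PC, PERSONAL_PC):
        print(sorted(store), check_certificate(dev, "dev-server.example", store, now))
```

The same development-server certificate passes on a machine whose trust list includes UWYOCERTAUTH.UWYO.EDU and raises the untrusted-issuer warning on one that does not, which is the on-campus prompt the FAQ describes.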

Reviewed: 0706 By: CD, RD
