Introduction to SSL/TLS - Visiting Legitimate & Safe Websites

Hello, it is nice to see you again, and I'd like to welcome you to my second post in this series on cybersecurity.

If, however, you have come to this post directly and are not from a technical IT background, I'd recommend reading my earlier post at the following link first; it will help you understand this article better.

http://avijitonthemove.blogspot.com/2017/07/security-of-present-challenges-for.html

Unlike the last post, this post is for people with a little technical understanding. But don't lose hope if you're not from the IT domain, because I'm going to write this in terms as simple as possible. I can assure you that after reading this blog you'll be much more satisfied, knowing some technical bits of how to identify a legitimate website, be it your social websites (Facebook/Twitter etc.) or your banking website.

We have lots of things to cover, so let's not waste any more time and jump into the main content.

First of all, I'd like you to watch the video below to understand how easy it is to trick anyone into landing on a fraudulent website and eventually leaking credentials/passwords. I hope you'll like it. (View in full screen and in HD to see it better.)

We've already discussed how threats are emerging, and we'll continue to discuss that further, but at this moment I want you to understand the security of websites.

As a user, you are concerned about landing on a legitimate website; the service provider or company hosting that website shares the same concern. Your concern about ending up on a fraudulent website is the fear of leaking personal information, but for service providers it is their source of income and their reputation that get damaged.

So most large and medium-sized organizations that provide services online depend on something called a Certificate, or rather a Digital Certificate.

So what is a certificate? In layman's terms it is like your passport or identity card, which uniquely identifies you; for a website, its Digital Certificate assures users that they are visiting the trusted and legitimate website.

Now the question may come: if that is the case, then why can't a hacker create a Digital Certificate by themselves and put it on their fake website? That would solve their problem, wouldn't it?

The answer is yes, they can, but even if they do, it won't be a trusted website, and you can easily identify that. Let's first discuss how you can identify it, and then we'll break down the technical bits of the whole process step by step.

Let me first post here three pictures of three different types of website.

Neither Secure Nor Trusted
Secure & trusted
Secure & non-trusted

As you can see in the images and the associated captions, two important words appear differently for the three websites. The words are Secure and Trusted.

So a valid digital certificate for a website provides two important features.

Secure, meaning the information exchanged between your browser/device and the website is encrypted: if anyone else gets hold of the exchange by some means, they won't be able to read or understand the information, which protects the information being exchanged.

Trusted, meaning, as already discussed, it gives you assurance and increases your confidence in visiting the website.

The features and benefits of using digital certificates are not limited to these two. There are more, but we'll discuss those gradually in subsequent sections as we dive into more technical details.

Not all websites on the internet are protected using Digital Certificates, but make sure that the ones you use for keeping personal/private information and for banking or financial purposes, such as banking websites, insurance websites and social media websites like Facebook/Twitter/LinkedIn/Instagram/Google+, fall into the second category shown in the images above. This should reduce the threat of using a fraudulent/fake website.

Now let's get a little bit technical.

Let's discuss how it works. The primary concept behind this Secure and Trusted communication is called SSL/TLS (Secure Sockets Layer / Transport Layer Security). Let's forget these difficult terms for now and just call it SSL, as in SIMPLE SECURITY LAYER.

So what happens in the real world is that companies/service providers, when publishing their website, request a Digital Certificate from a Trusted Certificate Authority. It's the same as getting your passport or identity card from a Trusted Authority, which in that case is the Government.

Similarly, in the cyber world there are many CAs (Certificate Authorities, also called Certifying Authorities) who provide you or your company with a Digital Certificate upon request. But to get such a Digital Certificate you need to submit KYC documents: for a personal certificate your passport, identity card, address details and many other documents, and for companies their valid company documents, trade licence certificate, RC copy, tax returns, bank statements etc. That way, when the CA issues a certificate and the certificate is used for any malicious activity, they can get hold of the person or entity.

Hence it is primarily the CA's responsibility to maintain the chain of trust within the Internet. If their responsibility is so important, then it has to be made sure that only valid organisations are given the authority to issue certificates, right? So who does that?

Globally we have many security councils, who sat together and decided to split the task of administering this nation-wise. Each nation should have a valid CCA (Controller of Certifying Authorities). For example, in India we have the CCA, which is under the Ministry of Electronics & Information Technology of the Government of India and which regulates and provides licences to the Certifying Authorities in India.

Now you can understand why an attacker cannot get a trusted certificate for his fraudulent/fake website from a valid CA: doing so would give up his anonymity. Which hacker would want that? 😄😤

But an attacker can try to create a certificate on their own and put it on their website. If that happens, the communication between you and the fraudulent website becomes secure but not trusted, and you'll see an error similar to the one shown in the third image (of the three images posted above). Hence, again, you should not use an important website when such an error appears in the address bar of your browser.

Now let's understand how your browser detects whether the certificate presented by a website is trusted or not.
Whenever your browser is installed on your computer or mobile, it comes with a list of valid Certificate Authorities and updates the Trusted Authority Store on your computer or mobile. To see the store on your Windows computer, open Internet Explorer → click the gear icon (or the Tools option) → Internet Options → go to the Content tab → click Certificates.
This should show two tabs of CAs (Intermediate CAs and Root CAs).

We'll discuss in a later blog post what Intermediate and Root CAs are; for now, let's understand that these are CAs that are trusted globally, so the companies that created your browser packaged these CAs to be installed on your system.

On mobile you can see the list of Certifying Authorities under Settings → Security → Trusted Credentials. Those are the CAs that your mobile trusts.

Here below are the steps performed, at a very high level, when you try to access any website ↴

1> You enter the URL in your browser. Let's say (https://www.avijitonthemove.blogspot.com)
2> The website sends its certificate to your browser.
3> The browser checks who issued the certificate.
4> Then the browser/system checks whether the issuer is in the Trust Store of your Windows/mobile, which came with the installation of your browser.
5> If it is, it displays the website as Secure & trusted (in green, as shown in the second image earlier).
6> Otherwise it displays something like the third image (Secure & non-trusted).

As they say, hackers will always evolve and try to exploit security loopholes. So now an attacker knows how to make his fraudulent website look legitimate as well, even though he can't get a certificate for his fake website from a valid CA (Certifying Authority). How?

He just somehow needs to push his website's certificate into the Trusted Store / Trusted Credentials of your system or mobile. For that he may use any of a thousand social engineering techniques.

He can also push it via a seemingly legitimate program on torrent sites. You download content or a program from a torrent and run it, and unknowingly the fraudulent website's certificate is added to the trusted store; after that your browser will no longer be able to detect that it's not a trusted website. Easy, isn't it?

So, how do you get away from that, or how do you stay safe from this?
Again, the same steps I mentioned in my first blog post:
1> Avoid downloading any content from torrents.
2> Avoid using/downloading freeware from websites that are full of advertisements and look like fraudulent websites.

But that's just prevention; there must be some solution as well, right?
The solution is to download and use the latest, updated browser. Remember why I asked in my first blog post to install all necessary software updates as they pop up from the Android Play Store and the Windows Store/Apple App Store.

Almost all of the latest browsers enable by default an option called "Server Certificate Revocation Check". What it usually does is try to connect to the Certificate Authority to validate the certificate presented by the website. For a legitimate website the check returns success. However, for a fraudulent site most of the time there is no valid CA for the browser to connect to, and hence it throws a warning like the one below. So be cautious of these types of warning when visiting important websites.
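As an added example (not code from the original post), here are the six steps listed earlier plus the revocation check, written out as a simplified Python model of the browser's decision. The certificate records, the CA names ("Example Root CA", "Example Issuing CA") and the trust store are constructed for the demo; the model also checks that the certificate's name matches the host in the URL, which real browsers do but this post does not cover.

```python
from dataclasses import dataclass
from datetime import date

# Simplified model of a certificate: only the fields the browser's trust
# decision in this post needs (real X.509 certificates carry much more).
@dataclass(frozen=True)
class Cert:
    subject: str      # who the certificate is for
    issuer: str       # subject of the CA certificate that signed it
    not_after: date   # expiry date
    is_ca: bool = False

# Constructed sample data; the CA names are hypothetical.
ROOT = Cert("Example Root CA", "Example Root CA", date(2040, 1, 1), is_ca=True)
INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", date(2030, 1, 1), is_ca=True)
HOST = "www.avijitonthemove.blogspot.com"
SITE = Cert(HOST, "Example Issuing CA", date(2026, 1, 1))   # issued by the CA
FAKE = Cert(HOST, HOST, date(2026, 1, 1))                    # self-signed copy
TRUST_STORE = {ROOT.subject: ROOT}   # what the browser shipped with (step 4)
REVOKED = set()                      # stands in for the CA's revocation answer

def classify(url, chain, trust_store=TRUST_STORE, revoked=REVOKED, today=date(2025, 1, 1)):
    """Return the label the post uses for the address bar.

    chain is what the website sent (step 2): the site certificate first,
    then any intermediate CA certificates. The walk stops at a root that
    is in trust_store.
    """
    if not url.startswith("https://"):
        return "Neither secure nor trusted"      # plain HTTP: no certificate at all
    host = url.split("/")[2]
    if not chain or chain[0].subject != host:
        return "Secure & non-trusted"            # certificate is for another name
    by_subject = {c.subject: c for c in chain}
    cert, hops = chain[0], 0
    while True:
        # Expired or revoked certificates are rejected even when the issuer
        # is trusted (the "Server Certificate Revocation Check" above).
        if cert.not_after < today or cert.subject in revoked:
            return "Secure & non-trusted"
        if cert.issuer in trust_store:           # steps 4/5: issuer is a shipped root
            return "Secure & trusted"
        parent = by_subject.get(cert.issuer)     # step 3: find the issuer in the chain
        if parent is None or parent is cert or not parent.is_ca or hops >= len(chain):
            return "Secure & non-trusted"        # self-signed or unknown issuer (step 6)
        cert, hops = parent, hops + 1

def audit_trust_store(store, expected):
    """Defender's check: list roots present that the browser did not ship."""
    return sorted(s for s in store if s not in expected)
```

The audit_trust_store helper is the defender's side of the torrent/social-engineering scenario: once an attacker's certificate sits in the store, classify happily reports it as trusted, so an extra root the browser never shipped is the thing to look for.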

In a further section or article, we'll get into more technical detail of how SSL/TLS works, with some network communication concepts and some cryptographic techniques. These terms may look heavy, but actually they are not.

I hope the above has given you some technical idea of how to tell a fraudulent website from a legitimate one, and will help you keep your personal data, your financial data, and you and your family safe from becoming victims of cybercrime.

If, however, you have any doubts, don't hesitate to ask me in a comment below.

Encourage me by sharing and subscribing to this blog and to my YouTube channel (https://www.youtube.com/channel/UCCic8ix-BgwAb48Fjyc7A9w) as a token of appreciation. Hopefully I can write more further on to help you understand the security of technologies. After all, we are moving toward a technology-oriented world very fast.

Let me not blabber any more, and let you take a break for now.

I hope to come back soon with another post in this cybersecurity series.

Till then, stay safe, browse safe and enjoy.

Thank you.

With Best Regards,
Avijit
