Loading...
 
ESA > Join & Share > SSE > SSE Security Certificates
Print

SSE Security Certificates

Important note: From 22 July 2009, both SSE Portals (Test and Operational), as well as the Join and Share Area itself, are using trusted Verisign certificates. Hence, the information below which is specific to the SSE (including the ESA CA certificates) is obsolete. A lot of it still applies however to other HTTPS websites which use untrusted certificates.



The SSE uses the HTTPS protocol to protect user passwords by encrypting them when SSE registered users or Service Providers attempt to login on the SSE Portal.

HTTPS works by means of an SSL (Secure Sockets Layer) certificate which is installed on the server. There are several types of certificates, providing increased levels of security. On the SSE, up until April 2009, a so-called self-signed certificate - the most basic type of certificate - was used for this purpose. From the end of April 2009, the SSE started using a certificate signed by the ESA certification authority (CA).

The ESA certification authority is a recent facility introduced by ESA to provide SSL certificates for ESA projects and is still very much a work-in-progress. In particular, it is not expected that certificates provided by this CA will be signed by a so-called trusted root CA (e.g. Verisign) before the end of 2009.

But what does all this mean to SSE registered users and Service Providers?


Web Browsers such as Internet Explorer, Mozilla Firefox and Google Chrome handle SSL certificates differently and also have different stances towards how the user should be informed of potential security hazards. In all cases, however, when accessing the SSE from anywhere in the world for the first time, a browser will always warn or let users know that they are entering a protected/encrypted area of a web site (such as the SSE login page) and, if applicable, of any potential problems with the server's SSL certificate.

It should be noted that using an HTTPS-enabled website such as the SSE, no matter how basic the certificate is - and of course when not in the presence of a security attack - is always much better than using a non-HTTPS enabled website. But curiously, in the latter case, even though all information (including passwords and credit card numbers) is being transmitted in clear text (not encrypted), users will not get browser warnings like the ones below and will probably have a more secure feeling, even if this is completely false.

Internet Explorer (version 6, but similar instructions for later versions)


Internet Explorer shows a confirmation dialog similar to the one below when it encounters a certificate that it cannot trust.

Image


This happens in the case of SSE if the user's browser does not contain the ESA CA certificates. The user can always proceed if he wishes to by clicking 'Yes' but it is recommended that the ESA certificates below (Root, Issuer, Policy) be imported to the browser.

This can be done by downloading all of them to disk and then going to Tools->Internet Options->Content->Certificates... . Files ESA_Issuer-CA-01_certificate.crt and ESA_Policy-CA-01_certificate.crt should be imported on the "Intermediate Certification Authorities" tab, while the file ESA_Root-CA_certificate.crt should be imported on the "Trusted Root Certification Authorities" tab. Importing is done by clicking "Import...", clicking "Next >", choosing the certificate file from the disk and then clicking "Next >" again on all remaining steps.

Performing these steps will make this Internet Explorer confirmation dialog disappear, making your user experience better.

Mozilla Firefox (version 3.0.10)


Mozilla Firefox is more cautious in the presence of certificates it cannot trust and prints out a more blatant warning:

Image


Many users may prefer not to proceed in the presence of such a warning, although you will find it in many other perfectly legitimate websites using HTTPS. In the large majority of cases, there is no security hazard in proceeding by creating a Security Exception and since this warning is expected for the SSE, this should be the way to proceed.

Creating a Security Exception in Firefox for the SSE is done by clicking "Or you can add an exception...", then "Add Exception...", "Get Certificate" and finally "Confirm Security Exception".

Unfortunately, due to an apparent bug in Firefox (more details here), even importing the ESA certificates to Firefox does not make the warning go away. In any case, importing the ESA certificates to Firefox can be done after downloading them (Root, Issuer, Policy), under Tools->Options...->Advanced->Encryption->View Certificates->Authorities, by clicking "Import..." and selecting the certificate files from disk. As can be seen from these dialogs, Firefox has quite a different (and flatter) way of organizing certificates.

Google Chrome (version 1.0.154.59)


Google Chrome shows the following warning in presence of a non-trusted certificate:

Image


Just clicking "Proceed anyway" is enough to let you use the website, but once again, importing the ESA certificates (Root, Issuer, Policy) is recommended. In Chrome, this is done by clicking the Image icon, Options->Under the Hood->Manage certificates. Interestingly, Google Chrome uses exactly the same dialog as Internet Explorer for certificate management. The advantage of this is not only that the certificate importing instructions and user interface are the same. In fact, the two browsers share the same certificate repositories (keystores), which means that once the ESA certificates are imported on Internet Explorer, they will also be so for Google Chrome and vice-versa.

The final important alert for SSE users using Google Chrome is the warning text on the above picture "You should not proceed, especially if you have never seen this warning before for this site.". Even though the intentions behind this warning are, of course, good, a user will find this warning in legitimate cases, that once again do not present a security hazard. This warning may be found for example when the used certificate, while continuing not to be from a trusted root CA, is renewed or issued by a different non-trusted CA.


Contributors to this page: SSE Operations Team

.

Page last modified on Tuesday 18 of September 2012 11:19:30 CEST by SSE Operations Team.