When I try to visit a web site on the va.gov domain, I get a message that
the security authority that issued the certificate (Cybertrust Public Issuing
CA 1) is “unknown.” I don’t get that message when I use Firefox 14, although an
update is pending on the same machine. I’m using Safari in the original case.
Is Safari pickier than Firefox when it comes to certificates?
In this excerpt from
Answercast #57, I look at the chain of certificates, how they can be used to
verify a site, and how it may go wrong.
Security certificates
Pickier is probably the wrong word. This goes back to what are called “root
certificates.”
There is a set of root certificates from which all “trust” for all websites
that use certificates is derived. So, for example, there might be a root
certificate from (I don’t know, I’ll just choose…) VeriSign – and that root
certificate might sign another certificate (an intermediate, or issuing,
certificate) and thereby cause it to be trusted; and that certificate might be
the one that actually signs the certificate used on a website like va.gov and
makes it valid.
Now, all the browser has to do is have the “root” certificate installed in it;
in other words, the certificate at the top of that chain.
As long as that certificate is in place, and the signature on each link of the
chain checks out, then you will end up with a trusted certificate at the
bottom for va.gov.
Browsers don’t have all certificates
The problem is that there are a lot of root certificates.
It depends a lot on which browser you’re using, as you’re seeing. Some of
them have something like a couple hundred different root certificates that they
trust implicitly. By trusting those root certificates, your browser trusts any
website whose certificate chains up to one of them.
200 is a lot, and they can encompass certificate-issuing authorities from
all over the planet.
Many browsers simply don’t install the full set when you install the
browser:
- Internet Explorer comes with a bunch that’s basically part of Windows and
Windows Certificate Management.
- Firefox (I think, if you’re running Windows) relies on its own set of
certificates that it brings with it when you install it.
- Chrome on Windows I think relies on Windows’ own installed
certificates.
- On the Mac, with Safari, I’m actually not sure where the certificate set
comes from: whether Safari is using its own set or relying on what’s
installed on the Mac.
Like I said, I know that Firefox brings its own set of root certificates
with it – so it apparently has a larger set or at least includes a root
certificate that encompasses the va.gov server.
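To make the chain-of-trust idea and the “browser doesn’t have that root” failure concrete, here is an added example (not part of the original article, and not va.gov’s or any real CA’s material) that uses the openssl command line to build a three-link chain of constructed certificates: a self-signed root, an intermediate issuing CA signed by the root, and a web-server certificate signed by the intermediate. It then verifies the server certificate twice: once with the root in the trust store, as a browser that ships that root would, and once with no trusted roots at all, which reproduces the “unknown issuing authority” condition. All names (“Example Root CA”, “Example Issuing CA 1”, “www.example.test”) are constructed for the example.

```shell
#!/bin/sh
# Added example: a root -> intermediate -> leaf chain built with openssl, and
# what verification looks like with and without the root in the trust store.
# Every subject name below is constructed for this example; none is a real CA.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Root CA: self-signed. This is the anchor a browser must already carry.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

# 2. Intermediate (issuing) CA: a key pair and a request, then a certificate
#    signed by the root with CA:TRUE so it is allowed to issue further certs.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Issuing CA 1" -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -sha256 -days 365 -in inter.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile inter.ext -out inter.pem 2>/dev/null

# 3. Leaf (web server) certificate: signed by the intermediate, not by the root.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
openssl x509 -req -sha256 -days 365 -in leaf.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null

# First diagnostic step for any "unknown authority" error: who issued the leaf?
# Prints the issuer DN, e.g. "issuer=CN = Example Issuing CA 1".
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Verifier trusts the root and is handed the intermediate (as a web server
# sends it in the TLS handshake): the chain closes and verification succeeds.
verify_with_root() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Same chain, but no trusted roots at all. openssl reports
# "unable to get local issuer certificate": the command-line equivalent of the
# browser's "the authority that issued the certificate is unknown".
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Stand-alone run: show both outcomes.
issuer_of leaf.pem
if verify_with_root; then echo "with root in trust store: OK"; fi
if ! verify_without_root; then echo "without root in trust store: FAILS (unknown issuer)"; fi
```

The practical takeaway for the reader’s situation: the same certificate chain is either trusted or “unknown” purely according to which roots the verifier has on hand, so the site and the browser can each be correct from their own point of view. When diagnosing, check the issuer chain first (`issuer_of` above) and then whether that chain’s root is present in the trust store the browser actually uses.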
How to solve this?
Just use Firefox!
To be honest, in your shoes, I would use Firefox. I would just sidestep the
issue completely and continue to use Firefox to access that site.
I think you mentioned that you did send feedback to the va.gov site, which
is good because they probably should know about this. But ultimately, they may
or may not be willing or able to do anything about it.
It’s unclear whether they should be using a different signing
authority or whether Safari should be including an appropriate root
certificate, so that this certificate is valid. There’s simply no way
to argue that one. It could go either way.
So from a very practical standpoint, I would strongly suggest that you
simply continue to use Firefox for this kind of thing when you’re visiting that
site and hope that eventually va.gov and Safari kind of, sort of duke it
out.
This isn’t the first time I’ve heard of issues like this with respect to
Safari, so it doesn’t really surprise me. It’s just one of those things that is
a sad and unfortunate reflection of what is a fairly messy system that allows
certificates to be issued for websites.