Ludovic Frank - Freelance developer

In the address bar, there's a little green padlock. What does it really mean?

ionicons-v5-k Ludovic Frank May 14, 2021
84 reads Level: Beginner

New week, new article!
How are you? The wife? The kids? The goldfish? (is the goldfish important?)

This week we're going to try and figure out what the padlock in your browser's address bar means, so yes on this site there is one (there, I've just saved you the trouble of looking up to check).
Naaaaaa but don't go away, it's an interesting subject! promise?.

Before you start

I'm redirecting you to the "asymmetric encryption" paragraph of my article on ransomware, because there's no point in rewriting it in this article, but you'll need it to understand the rest.

By the way, thank you, I see you're enjoying the ransomware article! You're at the top of your game.

What does the padlock in the address bar mean?

It means that the protocol used between your terminal and the server is the httpS protocol. The HTTP protocol is what allows web pages (among others) to transit over the network, and the S simply means that this is the secure version of this protocol.

For the connection to be valid, the server must be able to provide a security certificate, which is in fact a valid public key.
(ah! well, I warned you to reread the article on ransomware?).

Once the server has been able to provide a valid certificate, the server and client agree on an "encryption key" that will be used when browsing the site (imagine having to go through this procedure again every time you change pages, that would be LOOOOONNNGGG .... No, there's no joke here, that would have been in bad taste?

How do you check that the server provides a valid certificate?

Trusted authorities

As always, it's all a question of trust. There are companies or associations whose job it is to verify the identity of a person or structure.Once the verification procedure is complete, the trusted authority signs the verified company's certificate with its private key (what ... you still haven't read the article on ransomware? No way! Okay, I'll stop with the joke...).

Trust stores

Your terminal (Computer, Smartphone ... etc.) contains what's known as a "trust store", which may be part of the operating system (Windows, macOS, iOS, Android ...) or the browser (as in the case of Firefox, which has its own trust store).
This store contains all the public keys (no... hold it Ludo ... don't make the joke ... hold it!) of the trusted authorities.

So how does the terminal know that the certificate is valid?

Well, it doesn't! It's simple: it checks that the certificate issued by the server has indeed been signed by a trusted authority, and to find out, it draws on its store of trust. If it matches, then yes, the certificate is valid.

It is also possible to add a public key to the trust store.
Ah, here's the problem: before I told you about it, did you know what a trust store was? (Yes? No? Maybe? Answer D?)

Now you need to know that you can add new public keys to it, which is what some antivirus programs do, by the way. They add their public keys to the "trust store" put between you and the site server, and then generate a certificate that your browser will deem valid, because it will be signed by a "trust store recognized authority".

This method is called "The man in the middle", putting yourself between you and the server... and if you've followed correctly... It's possible, for example, to somehow install a public key in your "trust store" and then... put yourself between you and the Internet, çThis can happen in a company, for example, since the Internet connection goes through a server called a "proxy". The "proxy" can perfectly well come between the client terminal and the server, if the client has the proxy's public key in his trust store (otherwise you'd get a big RED message).

How to protect yourself?

If you click on the padlock, you can see "why" your browser considers the site to be trustworthy, and above all, you can see all the certificate information. On paypal.com, for example, you can see this:

Alternative Paypal certificate

This means that the authority that verified PayPal's identity is "Digicert", the private keye used to sign PayPal's certificate was generated on October 22, 2013. So we're in the clear.

If you take a look at my site, it's Let's Encrypt that verifies my identity (I'm me. Yes, I am. I swear?).

Bonus: several levels of verification.

In fact, there are several levels of verification, generally linked to assurances for the company being verified

there are the small, simple certificates, such as mine:

developpeur-freelance.io's certificate

You can see that just the domain (developper-freelance.io) has been verified in my case.
And in other cases, there are certificates that certify more things, for example Stripe :

Stripe certificate

Here you can see that the certificate contains information about the verified company.

Conclusion

The idea of this article is to help you understand how HTTPS works, so that you can stay safe on the Internet.
See you soon.