Figure 10 - Certificate Details

Something is very wrong here. We went from yellow warning symbols and green checkmark to a big red X symbol. We have a 128 bit SSL secured session with the HP MFP but we now have a big red X indicating a trust problem.

This problem is best explained through an example. Let’s assume that you are a famous celebrity and that you are having an electrical contractor work on your mansion. The contractor completed the work but will only accept cash as payment and you don’t have any cash on you. You have to go to the Automated Teller Machine (ATM). You summon 10 bodyguards and get into your armor plated limousine and go to the shopping mall. The bodyguards surround you and you go to the first ATM you see and put in your card and punch in your PIN#. The ATM returns the message: “Temporarily out of service” and gives you your card back. You then go to another ATM and get the money and return home. The next day, your bank account is cleaned out. You assume that one of your body guards saw your PIN # and “borrowed” your card while you were sleeping. You fire all your bodyguards. Was that the correct thing to do?

Probably not. You were most likely a victim of a fake ATM machine. You went to the ATM machine in a secure fashion. You left the ATM machine in a secure fashion. You just went to a non-trusted ATM machine! The same type of attack exists with SSL/TLS. To avoid being a victim of this attack, we need to pay attention to the digital certificate and to the dialog boxes associated with the SSL/TLS connection. In short, although we used HTTPS in this example to “secure” our session with the HP MFP, we actually are not secure and what is worse, we probably have a false sense of security. In order to utilize SSL/TLS securely, we need to learn more about digital certificates.

8