<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Lumena Mukherjee</title>
    <description>The latest articles on DEV Community by Lumena Mukherjee (@lumena).</description>
    <link>https://dev.to/lumena</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F370969%2F19116534-9285-477a-927f-b23104a73109.jpg</url>
      <title>DEV Community: Lumena Mukherjee</title>
      <link>https://dev.to/lumena</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/lumena"/>
    <language>en</language>
    <item>
      <title>What Is a Code Signing and How Does It Work?</title>
      <dc:creator>Lumena Mukherjee</dc:creator>
      <pubDate>Mon, 28 Dec 2020 08:58:38 +0000</pubDate>
      <link>https://dev.to/lumena/what-is-a-code-signing-and-how-does-it-work-3a76</link>
      <guid>https://dev.to/lumena/what-is-a-code-signing-and-how-does-it-work-3a76</guid>
      <description>&lt;p&gt;A code or software can easily be tampered with by an attacker, and the unsuspecting end-users would be none the wiser. Hashing is used to check the integrity of files. It works as long as the hacker doesn’t compromise your website and the hashes along with it. Consider a scenario where a malicious file mimicking your program is uploaded along with the hash of the compromised software. A site visitor can easily get tricked into believing that the file was uploaded by a genuine developer. Once the visitor downloads and executes the application, the modified file then carries out some malicious activity. This is damaging to the user as well as the developer’s reputation. Most new developers and organizations struggle to get enough users to download and run their applications. Building trust and reputation takes time, and using a code signing certificate not only assures file integrity but can also circumvent Microsoft SmartScreen ‘Unknown Publisher’ warnings.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--dIavasQg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://sectigostore.com/page/wp-content/uploads/2019/10/code-signing-security-warning-1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--dIavasQg--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://sectigostore.com/page/wp-content/uploads/2019/10/code-signing-security-warning-1.png" alt="Security Warning"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let’s take a look at how code signing works and delve deeper into the purpose it serves.&lt;/p&gt;

&lt;h2&gt;How Does a Code Signing Certificate Work?&lt;/h2&gt;

&lt;p&gt;Using a &lt;a href="https://sectigostore.com/code-signing"&gt;code signing certificate&lt;/a&gt; enables a developer to place a digital signature on an application or an executable so that end users are able to verify the authenticity of the publisher and the file integrity before installing and running the program on their systems. If a program is signed, an attacker can no longer manipulate the content unnoticed, since the modified file will not clear the integrity check and the signature becomes invalid. To understand how code signing works, there are two sides to consider – the steps taken by the publisher to sign the code and what happens at the customer’s end.&lt;/p&gt;

&lt;p&gt;At the developer’s end, the first step is to obtain the code signing certificate from a reputed certificate authority (CA); the validation process typically takes a few days. Next, the developer generates a one-way hash of the program executable and encrypts it using the private key associated with the certificate. The hash and the certificate are bundled along with the application before releasing it to end-users.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--VbQvVGnn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://sectigostore.com/page/wp-content/uploads/2019/10/code-signing-process.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--VbQvVGnn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://sectigostore.com/page/wp-content/uploads/2019/10/code-signing-process.gif" alt="Code-Signing Process"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;At the customer’s end, the user decrypts the hash using the public key and compares this value to a newly generated hash of the downloaded executable. If a match occurs, it indicates that the application has not been tampered with since it was last signed and it is safe to be installed and executed. &lt;/p&gt;
&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--VoausNWA--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://sectigostore.com/page/wp-content/uploads/2019/10/code-verification-process.gif" alt="Code Verification Process"&gt;
&lt;h2&gt;Types of Code Signing Certificates&lt;/h2&gt;
&lt;p&gt;There are two types of code signing certificates offered by most CAs – &lt;a href="https://sectigostore.com/code-signing/sectigo-code-signing-certificate"&gt;standard code signing&lt;/a&gt; and &lt;a href="https://sectigostore.com/code-signing/sectigo-ev-code-signing-certificate"&gt;EV code signing certificates.&lt;/a&gt; The primary difference between the two lies in how they deal with the Microsoft SmartScreen filter. With the standard code signing certificate, SmartScreen warnings continue to appear up until the developer builds their reputation. With EV code signing, which thoroughly verifies the developer’s identity, these warning messages are removed.&lt;/p&gt;

&lt;h2&gt;In Conclusion&lt;/h2&gt;

&lt;p&gt;Hopefully, you now have a better understanding of code signing certificates and where they’re often used. When it comes to opting for a &lt;a href="https://sectigostore.com/page/how-do-i-generate-a-self-signed-code-signing-certificate/"&gt;self-signed code signing certificate&lt;/a&gt;, note that a self-signed certificate will not work outside of your network. This is because browsers and machines outside your network don’t have your public key in their trust root store. Choosing between a standard code signing certificate and an EV code signing certificate also depends on your specific requirements and financial feasibility.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>security</category>
      <category>codenewbie</category>
      <category>ssl</category>
    </item>
    <item>
      <title>Difference Between Digital Signature and Digital Certificate </title>
      <dc:creator>Lumena Mukherjee</dc:creator>
      <pubDate>Thu, 30 Jul 2020 07:12:54 +0000</pubDate>
      <link>https://dev.to/lumena/difference-between-digital-signature-and-digital-certificate-1hie</link>
      <guid>https://dev.to/lumena/difference-between-digital-signature-and-digital-certificate-1hie</guid>
      <description>&lt;p&gt;
From man-in-the-middle attacks to fake, illegitimate websites, attackers have often taken it upon themselves to sniff out our credentials, conversations, or other sensitive details. Fortunately, we have technologies that we can leverage to secure our communications. With HTTPS, it is now possible to set up a secure connection between two endpoints. Similarly, it is possible to digitally sign our emails, software, etc. Digital certificates and digital signatures provide a way to encrypt our data and assure its legitimacy in terms of who is sending the message or whether the server you’re connecting to is who it says it is. Let’s understand what they are and the role they play in securing our communication.
&lt;/p&gt;

&lt;h2&gt;What is a Digital Signature?&lt;/h2&gt;

&lt;p&gt; The National Institute of Standards and Technology (NIST) issued the Digital Signature Standard (DSS) in 1991. It uses the Digital Signature Algorithm (DSA), a Federal Information Processing Standard, based on &lt;a href="https://sectigostore.com/blog/what-is-pki-a-laymans-guide-to-public-key-infrastructure/"&gt;public-key cryptography&lt;/a&gt;. A digital signature is a cryptographic technique that provides message integrity, authentication, and non-repudiation to a message, software, or digital document. It validates the sender’s identity and assures that the message is free from any undesirable alterations. A digital signature is associated with two keys – public and private. The public key is used to validate the sender's authenticity, and the private key is used to create the signature itself.
Presume two friends, Alice and Todd, want to communicate securely and ensure that the message truly is coming from the other, without being modified. Let’s see how this would work if Alice were to send a message to Todd.
&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Alice generates a one-way hash of the message (if she were signing software, she would hash the executable file) and encrypts it using her private key.&lt;/li&gt;
&lt;li&gt;Next, the message along with the digital signature is transmitted.&lt;/li&gt;
&lt;li&gt;Todd decrypts the hash using Alice’s public key. This step verifies that Alice indeed sent the message since only she could encrypt the message with the corresponding private key.&lt;/li&gt;
&lt;li&gt;Todd then creates a new hash of the message and compares it with the one generated by Alice. The two values must match in order to maintain integrity.&lt;/li&gt;
&lt;li&gt;If they do, it indicates the message hasn’t been tampered with since Alice last signed it.&lt;/li&gt;
&lt;/ul&gt;


&lt;h2&gt;What is a Digital Certificate?&lt;/h2&gt;

&lt;p&gt;
Digital certificates, also known as SSL/TLS certificates, are a type of X.509 certificate. They are used to establish an encrypted communication channel between the client and the server. Every time you visit a site with a padlock running over HTTPS, you’re communicating via a secured link that uses SSL certificates. According to &lt;a href="https://www.prnewswire.com/news-releases/global-certificate-authority-market-forecast-to-2023---growing-iot-trend-across-industry-verticals-300712081.html"&gt;Research and Markets&lt;/a&gt;, the global market value of digital certificates is projected to grow 10% annually to $123.8 million in 2023.
These certificates are typically issued by trusted third party certificate authorities (CA). The time and effort required depends upon the validation level of the certificate (domain validation, organization validation, or extended validation). The CA assesses and verifies the evidence submitted before signing and sending a certificate to the applicant.
&lt;/p&gt;

&lt;h2&gt;Digital Signature vs. Digital Certificate&lt;/h2&gt;

&lt;p&gt;Though digital certificates and digital signatures are both used to communicate securely, one secures the actual data, and the other establishes trustworthiness. Let’s take a look at the table below to better understand their similarities and differences:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;tr&gt;
&lt;th&gt;Comparison Criteria&lt;/th&gt;
&lt;th&gt;Digital Signature&lt;/th&gt;
&lt;th&gt;Digital Certificate&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th&gt;Purpose&lt;/th&gt;
&lt;th&gt;A digital signature authenticates the signer claiming to send or create the message or software.&lt;/th&gt;
&lt;th&gt;A digital certificate is a file in X.509 format that’s typically used on websites to identify the site and establish trust in its users. &lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt; 
&lt;th&gt;Security&lt;/th&gt;
&lt;th&gt;A digital signature is the actual electronic authentication mechanism that authenticates the signer, assures integrity, and provides non-repudiation.&lt;/th&gt;
&lt;th&gt;A digital certificate is used to bind the signature to an entity. It provides authentication and security.&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt; 
&lt;th&gt;Process&lt;/th&gt;
&lt;th&gt;The message is hashed and encrypted by the signer using a private key before it is sent. The receiver uses the signer’s public key to decrypt and read the message. They can also hash the message again and compare the two hashes to verify message integrity.&lt;/th&gt;
&lt;th&gt;After the CA conducts its vetting process and issues the certificate, the applicant needs to install it and configure their client or server to enable HTTPS. Once that’s in place, the connection itself is established, starting with an SSL/TLS handshake.&lt;/th&gt;
&lt;/tr&gt;
&lt;/table&gt;&lt;/div&gt;

</description>
      <category>security</category>
      <category>certificate</category>
      <category>signature</category>
      <category>ssl</category>
    </item>
    <item>
      <title>SSL/TLS Handshake Failed Errors —  Its Types and Learning How to Fix Them </title>
      <dc:creator>Lumena Mukherjee</dc:creator>
      <pubDate>Tue, 30 Jun 2020 08:44:26 +0000</pubDate>
      <link>https://dev.to/lumena/ssl-tls-handshake-failed-errors-its-types-and-learning-how-to-fix-them-4c66</link>
      <guid>https://dev.to/lumena/ssl-tls-handshake-failed-errors-its-types-and-learning-how-to-fix-them-4c66</guid>
      <description>&lt;p&gt;Irrespective of whether you’re an end-user or a site owner, running into SSL errors can be extremely disruptive to the overall browsing experience, and they do very little to boost trust and confidence in a website. But here’s the pickle – the site might be loading correctly for a majority of client browsers indicating an issue with your client, or it could be a server issue causing the error. In this article, we’ll explore the problems that can potentially cause the fault on both sides, but first, let’s get a brief overview of how SSL handshake works.&lt;/p&gt;

&lt;h2&gt;What is the SSL/TLS Handshake?&lt;/h2&gt;

&lt;p&gt;Whenever your browser attempts to connect to a website that employs an &lt;a href="https://sectigostore.com/page/what-is-ssl-server-certificate/"&gt; SSL/TLS certificate&lt;/a&gt; for encrypted communication, it does a handshake to agree on the connection parameters that’ll be used during communication.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--iaHtAKIJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://sectigostore.com/blog/wp-content/uploads/2020/05/SSL-TLS-Handshake-e1589279044538.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--iaHtAKIJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://sectigostore.com/blog/wp-content/uploads/2020/05/SSL-TLS-Handshake-e1589279044538.png" alt="SSL/TLS Handshake"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let’s do a quick study of the negotiation process: &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;After the three-way handshake, the SSL/TLS handshake begins with an exchange of hello messages between the client and the server.&lt;/li&gt;
&lt;li&gt;The hello messages start the protocol negotiation, encryption standards supported by both ends are communicated, and the server shares its certificate.&lt;/li&gt;
&lt;li&gt;The client establishes the validity of the certificate, and once the verification process completes, it generates a pre-master secret based on the public key of the server (obtained from the certificate previously shared). The client key exchange completes once this secret key is encrypted using the server’s public key and shared with the server.&lt;/li&gt;
&lt;li&gt;Next, the symmetric key is calculated independently on both ends, depending on the value of the pre-master key.&lt;/li&gt;
&lt;li&gt;Both the client and the server send a change cipher spec message to indicate that going forward, the data transmission will proceed using symmetric encryption.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Probable Causes of SSL/TLS Handshake Failed Error and How to Fix Them?&lt;/h2&gt;

&lt;p&gt;The TLS handshake might not be the easiest process around, and though there’s a possibility that it might fail and leave you with an error, there’s a very good chance you can fix that and get going with a secure communication channel. Website visitors can't fix all errors, since some arise due to issues on the server that need to be taken care of by the site owner.&lt;/p&gt;

&lt;h3&gt;Client Errors&lt;/h3&gt;

&lt;p&gt;Most of the client-side errors are trivial and can be easily fixed with an update or a small change in settings. Nevertheless, even these minor glitches can interrupt the entire handshake process, so let’s go over what they are and how to resolve them.&lt;/p&gt;

&lt;h4&gt;Incorrect System Time &lt;/h4&gt;

&lt;p&gt;SSL/TLS certificates come with a specific time duration for which they’re valid, so if your system date and time settings are not correct, that could be causing the handshake to fail. Fixing it is fairly simple since all you need to do is set the system time correctly.&lt;/p&gt;

&lt;h4&gt;Browser Error&lt;/h4&gt;

&lt;p&gt;Sometimes it’s just your browser acting weird. Solution? Try a different one. Determining the exact plugin that might be misfiring, or the particular misconfiguration that’s causing the connection to a legitimate site to fail, can be a tad bit difficult. Once you’re certain that it is a browser issue and rule the others out, you can simply reset the browser to default settings and disable plugins (do this one at a time to bring out the plugin getting in the way).&lt;/p&gt;

&lt;h4&gt;Man-in-the-Middle&lt;/h4&gt;

&lt;p&gt;A man-in-the-middle attack is said to occur if a hacker intercepts your traffic to steal data. However, a firewall or antivirus that inspects traffic to weed out anything malicious, or some configuration on an edge device on the server-side network, could just as easily be the culprit causing the connection to fail. Depending on where the issue arises, the fix could either be on the client-side or the server-side. If it is on the client-side, never disable your firewall or antivirus; instead, create an exception for the site or add it to a whitelist.&lt;/p&gt;

&lt;h3&gt;Server-Side Errors&lt;/h3&gt;

&lt;p&gt;The majority of the SSL errors involve settings that need to be tweaked on the server or are a result of server-side issues. While most can be fixed with a simple update, some errors are best left alone, especially when it comes to older deprecated protocols supported by the client. Let’s take a look:&lt;/p&gt;

&lt;h4&gt;Protocol Mismatch&lt;/h4&gt;

&lt;p&gt;This error indicates that the versions of TLS used or supported by the client and the server do not match. The error can occur on either side, but the important thing to remember is to always use and support the latest protocol versions (TLS 1.2, TLS 1.3), as using an older version is never a good idea. For example, if the client browser supports TLS 1.1, and the server uses TLS 1.2, the client needs to upgrade the browser or add support for the latest version.&lt;/p&gt;

&lt;h4&gt;Cipher Suite Mismatch&lt;/h4&gt;

&lt;p&gt;Most websites support various cipher suites so that they can communicate with most clients and find an encryption standard both sides can agree upon. However, when this fails to happen, we usually end up with a cipher suite mismatch. As with protocol versions, the idea is to move forward and support the latest versions because they typically offer more security.&lt;/p&gt;

&lt;h4&gt;Incorrect SSL/TLS Certificate&lt;/h4&gt;

&lt;p&gt;If your site gets flagged as an insecure connection on a client browser, it could potentially indicate a problem with the SSL certificate, such as an expired certificate, a name mismatch, or a broken chain of trust.&lt;/p&gt;

&lt;h5&gt;Incorrect Host Name&lt;/h5&gt;

&lt;p&gt;A hostname mismatch occurs when the common name on the certificate is different from the hostname. Typical fixes involve reissuing the certificate or using a wildcard cert.&lt;/p&gt;

&lt;h5&gt;Incorrect Certificate Chain&lt;/h5&gt;

&lt;p&gt;When a browser receives the server certificate, it needs to be able to trace its way back to the root CA in its trust store. If this fails, it could be due to a missing intermediate root certificate. Depending on where you purchase your cert from, the CA bundle should be available on the site or shared with you via email. You can use an &lt;a href="https://sectigostore.com/ssl-tools/ssl-checker.php"&gt; SSL checker &lt;/a&gt; to verify that you’ve installed your certificate correctly on the web server by entering the IP or the URL.&lt;/p&gt;

&lt;h5&gt;Expired/Revoked Certificates&lt;/h5&gt;

&lt;p&gt;The maximum validity period for an SSL/TLS certificate is two years (plus three months at most if you’re carrying over from your previous certificate). Failure to renew your certificates on time can lead to this error, and the solution is to get a valid certificate issued and installed on your server. &lt;/p&gt;

&lt;h5&gt;Self-Signed Replacements&lt;/h5&gt;

&lt;p&gt;When it comes to self-signed certificates, while they’re commonly used on internal networks, using them on the public internet will cause browser errors. Clients do not usually have their root CA in their trust store by default, and it needs to be added manually before the browser can trust the certificate.&lt;/p&gt;

&lt;h2&gt;In Conclusion&lt;/h2&gt;

&lt;p&gt;The security impact of visiting a site with an invalid SSL certificate can be significant because the communication is unencrypted, and an attacker can easily intercept and read all the information. Additionally, it could be indicative of a malicious website that can give you a whole world of headaches. If the site you’re visiting is unable to offer you a safe browsing experience, perhaps you’re better off not visiting it at all. As a site owner, every time a user lands on your page and sees an insecure connection warning or SSL error messages, your brand takes a hit. It is, therefore, practical to invest in a certificate from a trusted CA with access to a support team to help fix any installation issues or errors. &lt;/p&gt;

</description>
      <category>security</category>
      <category>ssl</category>
      <category>tls</category>
      <category>sslerror</category>
    </item>
    <item>
      <title>Client Certificate vs Server Certificate</title>
      <dc:creator>Lumena Mukherjee</dc:creator>
      <pubDate>Wed, 17 Jun 2020 07:19:18 +0000</pubDate>
      <link>https://dev.to/lumena/client-certificate-vs-server-certificate-2ea9</link>
      <guid>https://dev.to/lumena/client-certificate-vs-server-certificate-2ea9</guid>
      <description>&lt;h2&gt;Let’s take a closer look at client and server certificates, and the difference between the two.
&lt;/h2&gt;

&lt;p&gt;
In recent times if you’ve tried to access a website and not been greeted by a “Not Secure” warning, you’ve used a digital certificate. Every website that doesn’t have an SSL/TLS certificate installed on the web server is flagged by Google and throws up a security warning. SSL certificates are a type of X.509 certificate that’s used for encrypted browsing. Both client and server certificates help us to communicate securely using an encrypted channel. 
Let’s get a better understanding of the specific purpose that they solve before getting started with a discussion on their differences.
&lt;/p&gt;

&lt;h2&gt; What’s a Client SSL Certificate? &lt;/h2&gt;

&lt;p&gt;
Client certificates are used to authenticate the client and validate their identity before granting access to the server. Client certificates prove their identity to a remote server and are based on the X.509 format. X.509 is a standard that defines the format for public-key certificates, verifies the identity of the certificate holder, and maps a public key with the user, computer, or service. 
Consider a scenario in an organization’s corporate network where a central server holds some confidential files. Even if accessing those files requires a password, what’s the assurance that an attacker won’t be able to brute force it and gain access? Using a client certificate solves this problem, as the identity of the client or user is not assessed on the basis of whether they know a password but relies on the systems they use. If a user requests access from a client machine that has permission and whose identity has been validated, the server knows it’s talking to a legitimate entity. Adding another layer of security, such as applying multi-factor authentication, strengthens the defenses against any potential attacks.
&lt;/p&gt;

&lt;h2&gt;What’s a Server SSL Certificate?&lt;/h2&gt;

&lt;p&gt;Server certificates serve a twofold purpose of authenticating the server's identity and providing a secure, encrypted communication channel between the server and the connecting client. &lt;a href="https://sectigostore.com/page/what-is-ssl-server-certificate/"&gt;Server certificates&lt;/a&gt; are referred to more commonly as SSL/TLS certificates and are responsible for upgrading an HTTP to an HTTPS connection. Whenever you type in a website in the address bar or connect to a system by using its hostname, you’re making use of a server certificate.
&lt;/p&gt;

&lt;h2&gt;Difference Between Client Certificate vs Server Certificate &lt;/h2&gt;

&lt;p&gt;Now that we have an idea about what these certificates do, it’s time to draw a comparison to better understand them relative to each other. Aside from the evident difference in terms of which party they authenticate, client or server, they differ greatly in terms of their operation. Server certificates are used to encrypt the information exchanged between the client browser and the web server. However, client certificates do not encrypt any data and are solely responsible for authenticating the client’s identity to the server.
The table below summarizes the similarities and the differences between the client certificate and the server certificate:
&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;tr&gt;
&lt;th&gt;Client Certificate&lt;/th&gt;
&lt;th&gt;Server Certificate&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th&gt;A client certificate is used to identify a client or a user and authenticate them to the server.&lt;/th&gt;
&lt;th&gt;A server certificate authenticates the server’s identity to the client.&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th&gt;Client certificates do not encrypt any data. They only serve as a more efficient authentication mechanism than passwords.&lt;/th&gt;
&lt;th&gt;Server certificates encrypt the data-in-transit to ensure its confidentiality.&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th&gt;Client certificates are based on the public key infrastructure (PKI).&lt;/th&gt;
&lt;th&gt;Server certificates are also based on PKI.&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th&gt;Object identifier (OID) for client authentication is 1.3.6.1.5.5.7.3.2.&lt;/th&gt;
&lt;th&gt;OID for server authentication is 1.3.6.1.5.5.7.3.1.&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th&gt;Client certificates have an “Issued To” and an “Issued By” section.
&lt;/th&gt;
&lt;th&gt;Server certificates also have the same two fields.&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;th&gt;Example: E-mail client certificates&lt;/th&gt;
&lt;th&gt;Example: SSL certificates&lt;/th&gt;
&lt;/tr&gt;
&lt;/table&gt;&lt;/div&gt;

</description>
      <category>security</category>
      <category>ssl</category>
    </item>
    <item>
      <title>How to Solve ERR_SSL_PROTOCOL_ERROR in Google Chrome</title>
      <dc:creator>Lumena Mukherjee</dc:creator>
      <pubDate>Thu, 14 May 2020 12:07:44 +0000</pubDate>
      <link>https://dev.to/lumena/how-to-solve-errsslprotocolerror-in-google-chrome-4afc</link>
      <guid>https://dev.to/lumena/how-to-solve-errsslprotocolerror-in-google-chrome-4afc</guid>
      <description>&lt;p&gt;Most of us have run into certificate errors, sometimes even when we try to access legitimate and well-known sites. If a recent disruption in accessing a website made you look around frantically for fixes to resolve ERR_SSL_PROTOCOL_ERROR in your Chrome browser, there might be some tips that can eliminate this issue and restore your access. 
What causes this error? There can be several reasons for it on the client-side as well as server misconfiguration errors. However, we’re going to focus on what can be done as an end-user to resolve them instead of breaking our heads over what’s causing it. Let’s get started!
&lt;/p&gt;

&lt;h2&gt;TROUBLESHOOTING: ERR_SSL_PROTOCOL_ERROR in Your Chrome Browser
&lt;/h2&gt;

&lt;p&gt;The first step, before you even attempt to fix the error, is to use the &lt;a href="https://sectigostore.com/ssl-tools/ssl-checker.php"&gt;SSL Checker&lt;/a&gt; tool to verify that the certificate was installed correctly on the web server you’re trying to access. There could be a name mismatch or a broken chain of trust on the server’s end, and there’s not much that you can do as a site visitor.  Having said that, if the issue requires a client-side fix, try the solutions one after the other, and with any luck, one of them should work for you.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;h3&gt;Set the System Date &amp;amp; Time Correctly
&lt;/h3&gt;
&lt;/li&gt;
&lt;p&gt;SSL/TLS certificates come with a specific time duration for which they’re valid, so if your system date and time settings are not correct, that could be causing the handshake to fail. Fixing it is fairly simple since all you need to do is set the system time correctly.&lt;/p&gt;
&lt;li&gt;
&lt;h3&gt;Clear Chrome’s Cache and Cookies
&lt;/h3&gt;
&lt;/li&gt;
&lt;p&gt;Corrupted browsing data can sometimes cause error messages like ERR_SSL_PROTOCOL_ERROR to appear in Chrome. If configuring the system date and time did not resolve the issue, try clearing Chrome’s cache and cookies. To do so, press Ctrl + Shift + Delete keys on the keyboard. If erasing the cache and deleting cookies didn’t help resolve this issue, move on to the next one.&lt;/p&gt;
&lt;li&gt;
&lt;h3&gt;Clear the SSL State
&lt;/h3&gt;
&lt;/li&gt;
&lt;p&gt;Every time you connect to a website, setting up a new SSL connection takes time. SSL certificates are cached and stored on our local machines for quicker retrieval, and they remain there till we shut down our systems. This can lead to the certificate getting corrupted, or any changes in the actual server certificate could lead to this error as you’d still be working on the cached version. Clearing the SSL state can help eliminate this issue. To do so, follow the steps below:
Go to the Start menu and type in inetcpl.cpl. In the dialog box named Internet Properties that pops up, go to the Content tab and click Clear SSL State.
&lt;/p&gt;
&lt;li&gt;
&lt;h3&gt;Disable the QUIC Protocol
&lt;/h3&gt;
&lt;/li&gt;
&lt;p&gt;QUIC (Quick UDP Internet Connections) is Google’s experimental general-purpose transport layer network protocol. On the Chrome browser, go to chrome://flags, and search for ‘experimental QUIC protocol’ in the search field. If enabled (by default), disable this setting and restart the browser. &lt;/p&gt;
&lt;li&gt;
&lt;h3&gt;Delete or Reset Hosts File to Default Settings
&lt;/h3&gt;
&lt;/li&gt;
&lt;p&gt;Unusual modifications to the hosts file can cause your traffic to be redirected and can cause error messages to appear. Deleting them or reverting them to the default settings can help us to fix this error.  
In Windows, you can access the hosts file by typing in – C:\Windows\System32\drivers\etc in the search space of the Run program (Windows key+R). Linux users can find the hosts file in /etc/hosts, and iOS users can look in the /private/etc/hosts directory. &lt;/p&gt;
&lt;li&gt;
&lt;h3&gt;Update Your OS and Browser
&lt;/h3&gt;
&lt;/li&gt;
&lt;p&gt;Outdated applications can not only be insecure but may also have compatibility issues that can be the source of endless troubles. Installing the latest updates and patches for your operating system, as well as your browser will keep your system secure and may help remove this error. &lt;/p&gt;
&lt;li&gt;
&lt;h3&gt;Disable Chrome Plugins or Browser Extensions
&lt;/h3&gt;
&lt;/li&gt;
&lt;p&gt;If you can access the website in incognito mode, there’s a very good chance that one or more plugins or browser extensions are interfering and are responsible for the SSL error. Go to chrome://extensions/ and disable each, one at a time, and try accessing the site. On finding the extension that’s causing the error, you can choose to remove it or keep it disabled. &lt;/p&gt;
&lt;/ol&gt;

&lt;h2&gt;Wrapping Up
&lt;/h2&gt;

&lt;p&gt;If all else fails, you can temporarily turn off your antivirus or firewall since these can sometimes block connections due to websites using outdated protocol versions. However, it is not a recommended practice to disable your firewall or to disable SSL warnings as there may be serious security implications, but it might temporarily let you access the site. 
&lt;br&gt;&lt;br&gt;Hopefully, one of the above fixes cleared up the error message for you to give you an uninterrupted and safe browsing experience. &lt;/p&gt;

</description>
      <category>ssl</category>
      <category>sslerror</category>
      <category>tls</category>
      <category>security</category>
    </item>
  </channel>
</rss>
