Have you ever been browsing the Internet and seen a screen like this:

[Image: browser certificate warning screen ("Bad Cert")]

…or this:

[Image: a second browser's certificate warning screen ("Bad Cert")]

This is your browser telling you that it can’t be sure of who’s on the other end of your data transaction. SSL (the encryption technology used whenever you type in a URL that starts with https://) ensures that your data is transmitted securely between two endpoints. But what if the endpoint that you think is, say, Facebook, is really just someone pretending to be Facebook? We call this a “man-in-the-middle attack,” and it’s the most significant threat to the security of your data in transit across the Internet.

Certificates are what make sure that the endpoint is who you think it is. A certificate binds a public key to a name (e.g. a Web server's domain) and is issued by a certificate authority (CA), a company that is trusted to issue certificates only to the authorized owner of a domain name. Your computer comes pre-programmed (by your OS vendor or Web browser vendor) with a list of trusted CAs, and using digital signatures, your computer can verify that the certificate a Web server presents to you was signed by one of those trusted CAs and was issued for the name you typed into the address bar.

If all this is confusing, no worries: the tl;dr version is this. If you see a screen like the one above, your computer wasn’t able to confirm that the endpoint is valid because it didn’t present a valid certificate. You should understand that if you tell your computer to proceed anyway, your information may be going to a hacker (whether or not that hacker has a badge). If the site you’re trying to access is a bank, your e-mail account, or pretty much anywhere else that asks for a password, financial information, or anything else you might want private, don’t proceed; contact the owner of the Web site instead.


This is one of a 30-part series, “No Surveillance State Month,” where daily for the month of June I’ll be posting ways to avoid invasion of your privacy in the digital age. The intent of these posts is not to enable one to escape detection while engaging in criminal activity — there’s still the old-fashioned “send a detective to watch you” for which these posts will not help. Rather, this series will help you to opt-out of the en masse collection of data by the government and large corporations that places Americans in databases without their knowing and freely-given consent for indefinite time periods. We all have the right to privacy, and I hope you demand it.