What is a web certificate?

[Croton]

can anyone explain to me what a web certificate is and how I could attain one?

I read about them all over this forum, but i still haven't figured what it is...

thanks in advance!

 

[vi edit]

I could be speaking out of my ass, but a web certificate is what online venders use to track users.

Say you go over to buy.com and want to order something. When you sign up for an account, the server will interact with your browser and send you over a web certificate that is stored on your hard drive.

A couple years ago, when I first read up on them, online merchants had to buy the certificates from anywhere from $.50 a piece to upwards of $5.00 a piece. Once again, this was about 3 years ago when I read about them.

So, if buy.com sends you a certificate, everytime you visit their site from now on, buy.com see's that you have a certificate and realizes that it is indeed Croton that is trying to buy "The Girls of Hooters" on DVD

But then again, I could just be speaking out of my ass and missing it entirely

 

[Double Trouble]

Actually, I believe digital certificates bind a cryptographic key with one or more attributes of a user. Issued by certification authorities, the certificates protect the Internet by assuring the authenticity of network messages.

They basically allow the client computer to verify that the site it "thinks" it's communicating with is really who it claims to be. For example, site X, that wants you to do business with them has a nice system up that lets you use your credit card to buy something online. They could purchase a certificate from a company like THAWTE or VERISIGN and use it to prove to the client computers that you are communicating with the real site X, and not some spoofed site.

 

[Shazam]

tagej is correct. One addition: Most web servers can also generate their own certificates. If you ever get an error like "the certificate granter is unknown" when using a secure site, beware.

 

[Mark R]

Certificates can also be used the other way round.

In this case, You have your own certificate, and when you access a secured web site, you can provide your certificate which takes the place of a username and password. This has the advantage that the site administrators don't have to give out passwords.

I'm currently using this technique on a web site I'm developing to provide securely authenticated access to a web based site editor. When this is complete, users certificates will eventually be stored on personal smartcards for ease of use.

It's not difficult to get your own personal digital ID, although you typically have to answer all sorts of strange questions. Thawte (http://www.thawte.com) offer free personal certificates.

 

[IBhacknU]

This is a web certificate

http://www.webcertificate.com/webcert/

(STAY away from them though, AS THEY STINK!)

 

[GL]

Mark R is right. I've been doing an online shopping system for my work, and the financial institutions are REALLY pressing for each person on the net to have their own digital certificate so that they can confirm that you are you, and that you are certified to use the credit card number you enter during a purchase. Right now, consumers can confirm the identity of a business using a SSL certificate, but the business running the server can't verify the identity of you. I believe this new scheme is called SET. Anyhow, the logic behind a SSL certificate is that a third-party has confirmed the identity of the server...and as consumers we are supposed to trust these third-parties, known as certificate authorities. Thus, we can trust the server that possesses the certificate. The CAs actually checked with our company's lawyer before issuing our SSL certificate, so I guess you can put a reasonable amount of trust into these certificates.

-GL