The MAG Server - Security Certificates

What is a server certificate?

When you communicate with your bank, or buy something online, you expect your information to remain secure. How is this done when you are sat in a public place on WiFi though? The answer is a technique called cryptography, literally "Secret Writing". If you look at the link name it will start with "https" rather than the usual "http". This means that the first thing that is done when your web browser connects to that site is to set up encryption for that connection. The web server and your web browser will talk to each other and encrypt the connection so nobody else can listen in on what you are saying across that link. Part of this to and fro is for the web site to have a "Security Certificate", which is a file given to the webmaster by a "Certifying Authority" or "CA" to load into the site. This means that the CA has checked out the site and verifies that it is what it says it is. This usually costs quite a lot of money.

Why use CAcert?

In order to save money, MAG has opted to use a free CA called CAcert (http://cacert.org/). The advantage is that MAG does not waste valuable member donations on a small file's worth of data. However, there is currently a disadvantage to using CAcert in that not all web browsers and mail programs know who they are. This can be a small problem because, in order to complete the sequence properly, the certificate the CA gives to the webmaster is checked against the CA certificates built into the web browser or mail program, and if the server certificate does not match one of them, there will be an error message. There is, however, an easy workaround.

How do I stop the security error in my web browser?

In order to stop the security error, once and for all, you will need to load the CAcert root certificates into your web browser or mail program. This is a very simple and quick procedure. For your web browser all you need to do is go to http://www.cacert.org/ and then select "Root Certificate". On that page you will see two main paragraphs, titled "Class 1 PKI Key" and "Class 3 PKI Key". Each paragraph has a bunch of links. You need to click one link out of each paragraph. If you want to install the certificates into Internet Explorer 5.x or 6.x then you will need to click the link with that name, otherwise use the link marked "(PEM format)". When you click the link, you will be asked what you want this certificate to certify for you; please select all the options. Once you have done both the class 1 and class 3 certificates, you will not see the security error message again, unless of course there is a genuine security problem.

How do I stop the security error in my email program?

The security system used to protect your web transactions is also used for many other kinds of communications on the internet. Another important one for MAG is protecting your email username and password while picking up and sending email. This is done using the exact same certificates as used by the web site. It therefore suffers from the same short-term problem. The solution to this problem is the same as for the web browser, except that there is an additional step in between. You need to go to the same web site as above, i.e. http://www.cacert.org/, but this time, instead of a normal left click on the links, you would right click and elect to save the file to disk. Then you should open your mail program, start a new message, address it to yourself and attach the two files you downloaded from the CAcert website. When you receive them, just click on the attachments and they should then import. You should again select all of the different ways in which the certificates can be used, as you did with the web browser. This should now stop your mail program from objecting to the certificates used by the MAG mail server.
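
Because a root certificate tells your browser or mail program whom to trust, it is worth checking a saved "(PEM format)" file before importing it. The following is an added example, not part of the original MAG page or of CAcert's own tooling: it computes the file's fingerprint and compares it with one you obtained through a separate trusted channel. The function names are hypothetical and the sample certificate is constructed placeholder data.

```python
import base64
import hashlib
import hmac
import re

# Matches each PEM certificate block in a downloaded file.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text, algorithm="sha256"):
    """Return one lowercase hex fingerprint per certificate in pem_text."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        # The fingerprint is the hash of the decoded (DER) certificate bytes.
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.new(algorithm, der).hexdigest())
    return prints


def normalise(fingerprint):
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' and return lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())


def safe_to_import(pem_text, expected_fingerprint, algorithm="sha256"):
    """True only if the file holds exactly one certificate and it matches."""
    try:
        found = pem_fingerprints(pem_text, algorithm)
    except ValueError:
        return False  # corrupt base64 inside the PEM block
    if len(found) != 1:
        return False  # empty file, HTML error page, or extra certificates
    return hmac.compare_digest(found[0], normalise(expected_fingerprint))


# Constructed sample: placeholder bytes, not a real CAcert certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
# Stand-in for the fingerprint obtained through a separate channel.
SAMPLE_EXPECTED = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
```

To use it on a real download, read the saved file as text and pass it to safe_to_import together with the fingerprint you were given; only import the certificate if the result is True.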

Slideshow

Slideshows for Thunderbird and Firefox 6.0.