• View
• Edit
• History
• Print

Website Security

Background information

To communicate securely with organisations’ websites, users have to have some way of knowing to whom they are talking. This is done through the use of ‘security certificates’, which work as follows (this is simplified, but the principle is the same): the organisation’s website has a certificate, and the user’s web browser also has one; the web browser checks the website’s certificate, and if it matches the one it’s got then communication between the two parties can be encrypted and secure.

However, a problem arises: how does the web browser get its own copy of the certificate, to check against? Because of course it wouldn’t be any good for the website to just send a copy down the line, because at that point we wouldn’t know if it was actually the website we thought it was; it might be someone else, someone we don’t trust. So the answer is to pre-install a whole heap of certificates in web browsers. These are the certificates of companies like Verisign, Thawte, and Digicert — companies that charge organisations up to many thousands of dollars to use their certification services. But there are other ways of getting the same level of security, without paying too much (or even anything).

CACert is a non-profit certification authority, providing cheap and free security certificates to millions of people all over the world. There is only one catch: the CACert certificate doesn’t come pre-installed in very many web browsers, and so when you come to use our secure website you are presented with a scary-looking ‘security alert’. This just means that the CACert certificate needs to be installed in your browser, and that’s easy to do.

How to get rid of those ‘security warnings’:

If your web browser prompts you with a security warning about an issue with our security certificate, please install the CACert certificate:

• Most users can simply click here and, before approving the installation of the certificate, check that its ‘fingerprint’ matches the following:
• Fingerprint SHA1: DB:4C:42:69:07:3F:E9:C2:A3:7D:89:0A:5C:1B:18:C4:18:4E:2A:2D
• Fingerprint MD5: 73:3F:35:54:1D:44:C9:E9:5A:4A:EF:51:AD:03:06:B6
• If this doesn’t work for you, have a look at how to add the CACert certificate to a browser, from the CACert wiki.

Another measure that helps with your personal security on the internet is your choice of web browser: Firefox is an open-source, fast and flexible browser, and is very secure. Get Firefox today!.

Please note that the information above is greatly simplified for the sake of explanation, and if you would like to understand internet security more thoroughly we recommend that you do some further reading. Riseup has a good tutorial about internet security, from both technical and social aspects, or have a look at the Wikipedia article about Transport Layer Security.

Note: Our GPG public key can be found on the pgp.mit.edu keyserver, or at act.greens.org.au/public-key.asc; please telephone the office to confirm the key’s fingerprint.