Connecting To Websites With Self-signed Certificates

What is a certificate?

As the Web becomes a more security-conscious place, all the major browser makers (Google Chrome, Microsoft Edge, Apple's Safari and Mozilla's Firefox) are pushing websites towards the more secure way of exchanging information, the HTTPS protocol. HTTPS is ordinary HTTP carried over a lower-level protocol, TLS (Transport Layer Security, the successor to SSL, Secure Sockets Layer), which needs a way to establish trust during the initial connection phase, known as the handshake.

Trust between the client (e.g. Chrome) and the server (your favourite website) is established during the handshake in two steps. A key exchange derives fresh session keys, so that everything sent afterwards can neither be read nor tampered with by a third party. Separately, the server presents a certificate: a signed document that binds the server's public key to its hostname, which the client checks before it trusts that key. Without going into the details, the key exchange protects the channel, and the certificate tells you who is at the other end of it.

What is a certificate authority?

By modern security standards, an unreadable connection is still not enough to protect users against malicious websites. Connecting to a malicious website securely is the same as talking to a criminal in private. In a truly secure world, users can be certain of the authenticity and the true identity of the websites they connect to.

So enter the CAs (certificate authorities). A CA is a trusted third party that, after checking that the applicant really controls the hostname, signs the server's certificate with the CA's own private key. Clients ship with the public keys of the well-known CAs, so they can verify that signature, and nobody without the CA's private key can forge it. If a server presents a CA-signed certificate whose name matches the site, every client connecting to it gets both communication privacy and assurance of the server's identity.

What is a self-signed certificate?

In many scenarios the system only requires secure communication and not server identity verification. For example, if both the client and the server sit behind an enterprise firewall, a CA-signed certificate may not be required. Another common scenario is a server that public CAs will not issue for at all, such as one reachable only by an internal hostname or a private IP address. A non-standard port, on the other hand, is not by itself an obstacle: a certificate is bound to a name, not a port, so a CA-signed certificate works on port 8443 just as well as on 443. What does depend on the port is automated domain validation, such as the ACME HTTP-01 challenge used by Let's Encrypt, which must be able to reach the host on port 80.

This is when a self-signed certificate is used during the handshake. The server generates its own key pair and signs its own certificate with it, which is enough for the key exchange and therefore for an encrypted connection with its clients. What the clients cannot do is establish the server's identity: an attacker in the path could present a different self-signed certificate, and nothing in the protocol would distinguish the two. That protection only comes back when the client has obtained the genuine certificate (or its fingerprint) through some trusted channel and pins it.
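The following shell script is an added example, not code from the original article. It does what the paragraph above describes: it mints a self-signed certificate the way a lab server would, shows that it verifies against nothing in the default trust store (which is exactly why a browser warns), and shows that it verifies once the certificate itself is the trust anchor, which is what importing it into the OS or browser store achieves. It also prints the fingerprint you should compare with the browser's warning before deciding to trust it. It assumes the openssl command-line tool (1.1.1 or newer) is installed; the hostname lab.internal and the directory are constructed example values.

```shell
#!/bin/sh
# Added example, not code from the original article. Mints a self-signed
# certificate and reproduces what a browser does with it: verification fails
# against an empty trust store, and succeeds only once the certificate itself
# is installed as a trust anchor.
# Assumes the openssl CLI (1.1.1 or newer, for -addext) is on PATH; the
# hostname and directory arguments are whatever the caller passes in.
set -eu

# gen_selfsigned DIR HOSTNAME
# Writes DIR/key.pem (the server's private key) and DIR/cert.pem, a certificate
# whose issuer and subject are the same name because the same key signed it.
# Browsers match the subjectAltName, not the CN, so the SAN is set explicitly.
gen_selfsigned() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:127.0.0.1" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# is_selfsigned CERT  ->  exit 0 when issuer and subject are identical
is_selfsigned() {
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    subject=$(openssl x509 -in "$1" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# verify_untrusted CERT  ->  exit 0 when the cert does NOT verify against an
# empty trust store. This is the browser's view: nothing it trusts vouches
# for the key, so it cannot tell this server from an attacker in the path.
verify_untrusted() {
    ! openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}

# verify_pinned CERT  ->  exit 0 when the cert verifies with itself as the
# only trust anchor, i.e. what importing it into the OS or browser store does.
verify_pinned() {
    openssl verify -no-CAfile -no-CApath -CAfile "$1" "$1" >/dev/null 2>&1
}

# fingerprint CERT  ->  prints the SHA-256 fingerprint (64 hex digits, colon
# separated). Obtain this on the server and compare it with the value in the
# browser's warning dialog before you trust or bypass the certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Usage (constructed example values):
#   dir=$(mktemp -d); gen_selfsigned "$dir" lab.internal
#   fingerprint "$dir/cert.pem"
```

The two verify functions are the whole story of the browser warning in miniature: the certificate is perfectly good for encryption, but until something the client already trusts vouches for it, the client has no way to know whose key it is.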

Unfortunately, browsers are not friendly to websites that rely on self-signed certificates.

A warning from Safari.

A warning from Chrome.

Coping with self-signed certificates

If you have confidence in the authenticity of the web server (for example, you have compared the certificate fingerprint shown in the warning with the one on the server itself), then you can force Chrome to ignore any certificate issues. Be aware of the scope: the flag below disables certificate validation for every site that instance of Chrome visits, not only your server, so use it only for the session you need and never in the profile you use for everyday browsing.

Google Chrome provides a number of command-line flags that modify its runtime behaviour. The --ignore-certificate-errors flag suppresses the errors caused by self-signed certificates.
You must launch Chrome from a command-line shell, whether on Windows, Linux or macOS.

IMPORTANT NOTE

You must ensure that no instance of Chrome is already running. If Chrome is already started, the start-up command simply hands the URL to the existing instance, which was launched without the flag and will continue to enforce certificate validation. The one exception is launching with a separate --user-data-dir: a different profile directory starts a new instance, and it also keeps the effect of the flag confined to that throwaway profile.

So make sure you exit any running Chrome instances first.

macOS

/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ignore-certificate-errors