Wednesday, 18 February 2015
How-to: Understand Website 'Identity Information'
...or more precisely, when a reputable website such as Wordpress.com displays a warning triangle and the message: "this site does not supply identity information."
You may notice the warning triangle in the address bar on sites which use HTTPS, with its SSL and TLS protocols and certificates, and get the message when you hover over it. Wordpress? Really?
Let's replay Internet Security-101, with apologies to the technically 'ept' (not the 'inept').
The "identity information" is normally provided when a secure site certificate is presented to your browser. When you connect to a site's secure server, denoted by the "https" address prefix, the encrypted certificate is supposed to ensure authentication. Regular HTTP traffic is not encrypted, doesn't authenticate and doesn't worry about "identity information." This is how most of the Internet used to work before the increase of hacking, and why so many more sites have switched to SSL or TLS connections under encrypted certificates, not just e-commerce, banking, and log-in pages to account-based services.
SSL also ensures traffic is unchanged end-to-end as it is transmitted, so what you get is un-tampered.
So why does a site like Wordpress.com suddenly throw that warning triangle and the message: "this site does not supply identity information?"
For one thing, it is not the whole site. Wordpress.com consists of millions of sub-domains, all sat under the wordpress.com main HTTPS SSL certificate. Go to the https://wordpress.com/ root URL and it is perfectly fine. Go to a sub-domain such as https://everythingexpress.wordpress.com/ and the warning appears. Why?
Usually you will get that warning when the site is displaying mixed content, by which we mean the site is using files not located in its own directory or own server. So for https://everythingexpress.wordpress.com/ I can tell you all the article images being displayed actually sit on Google Picasa; rather than upload all the images to the Wordpress server, we link across to the master files on Picasa.
However, the browser is checking not only the host site identity, but also the secondary site identity when there's external content being loaded from outside the host. Now while Picasa also uses HTTPS under a certificate and has its own identity, that does not match the credentials presented for https://everythingexpress.wordpress.com/ - that's if the Picasa credentials even make it through the call, which for this type of simple content call, they wouldn't.
In this example, I'm not going to worry; but then it's from one of my sites, and I know what's on there.
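To see which files a page pulls from outside its own host, as discussed above, this added example (not part of the original post) parses a page's HTML and labels each fetched resource by host and scheme; resources requested over plain http:// from an https:// page are the ones browsers report as mixed content. The sample markup, the example.net and example.org hosts, and the verdict names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource (subset chosen for this example).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
               "audio": "src", "video": "src", "source": "src", "link": "href"}
FETCHING_RELS = {"stylesheet", "icon", "preload"}  # <link> rel values that trigger a fetch

class SubresourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page = urlsplit(page_url)
        self.findings = []  # (tag, absolute URL, verdict)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return  # not a fetching tag (e.g. <a href>), or attribute missing
        if tag == "link" and not FETCHING_RELS & set((attrs.get("rel") or "").lower().split()):
            return  # e.g. rel="canonical" is metadata, nothing is loaded
        url = urljoin(self.page_url, value.strip())  # resolves relative and //host/ forms
        self.findings.append((tag, url, self.classify(url)))

    def classify(self, url):
        u = urlsplit(url)
        if u.scheme not in ("http", "https"):
            return "inline"         # data:, blob: and similar, no network request
        if self.page.scheme == "https" and u.scheme == "http":
            return "insecure-http"  # unencrypted fetch inside an HTTPS page
        if u.hostname != self.page.hostname:
            return "external-host"  # encrypted, but served by a different host
        return "same-host"

def audit(page_url, html):
    parser = SubresourceAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample markup; the example.net / example.org hosts are placeholders.
SAMPLE_PAGE = "https://everythingexpress.wordpress.com/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="canonical" href="http://everythingexpress.wordpress.com/">
<script src="//cdn.example.org/lib.js"></script></head><body>
<a href="http://example.com/">a hyperlink, not a subresource</a>
<img src="https://photos.example.net/a.jpg"><img src="http://photos.example.net/b.jpg">
<img src="data:image/png;base64,AAAA"></body></html>"""

if __name__ == "__main__":
    for tag, url, verdict in audit(SAMPLE_PAGE, SAMPLE_HTML):
        print(f"{verdict:14} <{tag}> {url}")
```

Feed it the saved source of any page together with the URL it was served from; only the `insecure-http` entries need to be moved to https:// or re-hosted to clear the warning.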