Purpose of the certificate, HTTPS

The Faculty Administration, more precisely its personal part, is a site that contains confidential data, so encrypted browser-to-server HTTP traffic (HTTPS) is enforced when it is accessed. Because there are ways on the Internet for an unauthorized third party to pose as the authentic server (here the server fadmin.fi.muni.cz), the HTTPS protocol uses a system of so-called certificates by which the server, to which you send your secret password when signing in, proves its identity.

The certificate, however, is nothing more than a string of zeros and ones, and its authenticity cannot be verified just by looking at it: copies of one bit sequence are indistinguishable from each other (even from the "original", so the notion of an original loses its meaning on a computer). That is why the certificate is digitally signed by a trusted authority, which is the only one able to create the signature and thereby unambiguously confirms that the certificate is authentic and not forged. But even a trusted authority is just a bunch of bits on a computer, and it can be faked. Someone can claim to be "FI MU" and sign certificates under that name. You have no way to tell that the digital signature of the real FI MU would look different unless you have seen the signature of the real FI MU before. Only then can you verify, by checking the signature, whether the server certificate that presents itself as fadmin.fi.muni.cz is genuine or fake. You can, of course, also compare the certificates themselves.

As has been said, all HTTPS security rests on your knowing in advance what the true signature of FI should look like (formally, the signing certificate of the so-called certification authority; in the case of fadmin.fi.muni.cz the certification authority is "TERENA SSL CA"), or what the right certificate, the one presented by the genuine fadmin.fi.muni.cz server, should look like. However, if we consider the Internet to be generally untrustworthy (which is why the whole complicated machinery of certificates exists), how do we get the right signature?

The answer is simple: once, you have to take the risk (there is also the alternative of downloading the certificate from elsewhere, see the end of this page, but it has similar security gaps). Your web browser, of course, remembers certificates and signatures for you. So when you first navigate to the encrypted part of the Faculty Administration site, the browser will warn you that you are connecting to a server fadmin.fi.muni.cz that will ask you for a secret password, that claims to be the genuine fadmin.fi.muni.cz server, and that supports this claim with the attached certificate. This one time you have to rely on having reached the actual faculty server, accept the certificate presented, and let your browser remember it. On every subsequent access to that server, the browser will automatically compare the certificate offered by the server with the remembered one.

For this first encounter with the new server, choose a network environment that minimizes the chance of the faculty server being spoofed. The ideal is access directly from within the faculty network (only possible with laptops and other mobile devices) using the faculty DNS servers (the DNS service running on the aisa.fi.muni.cz server will probably also answer when accessed from anywhere on the Internet).

FI certificates

So that you can be a little more confident that you are accepting the right certificate, we present here the SHA-1 fingerprint of the fadmin.fi.muni.cz certificate (and also the fingerprint of the certification authority's signing certificate). The likelihood that someone spoofs the identity of the fadmin.fi.muni.cz server and at the same time somehow attacks this website is very small. We recommend that you check that the SHA-1 fingerprint you see matches the values listed below during the initial import of the certificate.

Server fadmin.fi.muni.cz
B1:46:29:0D:E1:5B:5B:69:1D:89:FC:0D:A6:E0:76:77:F5:AE:CA:70
Server www.fi.muni.cz
35:6F:BD:99:E5:48:2C:28:5A:1E:96:43:A0:94:40:B5:B3:8B:ED:91
Server chat.fi.muni.cz
7F:97:1D:9D:19:0A:81:89:A6:4A:C0:3C:E4:76:86:68:D7:C0:C2:AF
Server svn.fi.muni.cz
CC:8A:4A:6C:54:C7:CC:E8:60:1D:D8:6A:43:5E:4C:16:A9:0E:DB:58
Certification authority
AddTrust External CA Root
02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
UTN-USERFirst-Hardware
3D:4B:2A:4C:64:31:71:43:F5:02:58:D7:E6:FD:7D:3C:02:1A:52:9E
TERENA SSL CA
3A:88:17:64:47:2B:64:41:DD:B3:AF:DD:47:C6:B8:B7:6E:E7:BA:1D
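
The fingerprint comparison recommended above can also be done outside the browser. The following is an added example, not part of the original page: it computes the SHA-1 fingerprint of a DER-encoded certificate and compares it with the server fingerprints listed here. The function names, including the `fetch_der` helper, are assumptions of this example.

```python
import hashlib
import hmac
import ssl

# SHA-1 fingerprints copied from the list on this page.
PUBLISHED = {
    "fadmin.fi.muni.cz": "B1:46:29:0D:E1:5B:5B:69:1D:89:FC:0D:A6:E0:76:77:F5:AE:CA:70",
    "www.fi.muni.cz": "35:6F:BD:99:E5:48:2C:28:5A:1E:96:43:A0:94:40:B5:B3:8B:ED:91",
    "chat.fi.muni.cz": "7F:97:1D:9D:19:0A:81:89:A6:4A:C0:3C:E4:76:86:68:D7:C0:C2:AF",
    "svn.fi.muni.cz": "CC:8A:4A:6C:54:C7:CC:E8:60:1D:D8:6A:43:5E:4C:16:A9:0E:DB:58",
}


def normalize(fingerprint: str) -> str:
    """Reduce 'B1:46:..', 'b1 46 ..' or 'b146..' to 40 lowercase hex digits."""
    digits = fingerprint.replace(":", "").replace(" ", "").lower()
    if len(digits) != 40 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return digits


def sha1_fingerprint(der: bytes) -> str:
    """Fingerprint of a DER-encoded certificate in the page's AA:BB:.. notation."""
    # SHA-1 is used only because it is the digest this page publishes.
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_published(host: str, der: bytes, published=PUBLISHED) -> bool:
    """True only if the certificate's fingerprint equals the published one."""
    expected = published.get(host)
    if expected is None:
        return False  # no published value for this host: fail closed
    actual = normalize(sha1_fingerprint(der))
    return hmac.compare_digest(actual, normalize(expected))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the server presents, without validating it.

    The fingerprint comparison is the validation step, as on the first visit
    described above. Needs network access, so it is not called on import.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    name = "fadmin.fi.muni.cz"
    print(name, "OK" if matches_published(name, fetch_der(name)) else "MISMATCH")
```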

As indicated above, it is possible to download the authority's signing certificate (which will then reliably mark server certificates as genuine or fake) into the browser before the first access to the Faculty Administration. To import, click the following links:

Certification Authority FI

In general, importing and using the above certificates is sufficient. For some services, however, it is for technical reasons not possible to simply use this "more formal" certification authority. These are, for example, information systems of other schools run by the Faculty of Informatics. In such cases, the following certification authority of the Faculty of Informatics is used:

Faculty of Informatics CA
3A:42:17:BF:27:19:2E:15:52:C2:E7:61:85:FD:B4:CA:83:F9:9D:D0

Conclusion

It should be added that this route brings no security bonus: again there is a web server (also fadmin.fi.muni.cz) whose identity or content could be spoofed without your necessarily noticing. It is the same "first encounter" with the same risks.