Purpose of certificate, HTTPS

The Faculty Administration, or more precisely its personal section, is a site that contains confidential information, so encryption of the HTTP traffic between browser and server (HTTPS) is enforced whenever it is displayed. Because there are ways an unauthorized third party could impersonate the authentic server (here fadmin.fi.muni.cz), HTTPS uses so-called certificates, with which the server you are about to send your secret password to proves its identity.

However, a certificate is nothing more than a string of ones and zeros, and something like that cannot be authenticated by looking at it: copies of a given bit sequence are indistinguishable from one another (and even from the "original", a notion that loses its meaning for digital information on a computer). Therefore, the certificate is digitally signed by a trusted authority, which is the only one able to create that signature and which thereby unambiguously confirms that the certificate is authentic and not fake. However, even a trusted authority is, on a computer, just a bunch of bits that can be forged. Anyone may claim to be "FI MU" and sign certificates in that name. If you have never seen the signature of the real FI MU, you have no way to verify that the real FI MU's digital signature would look different. Only once you have seen it can you compare signatures and really verify whether the server certificate presented as fadmin.fi.muni.cz is genuine or fake. Of course, you can also compare the certificates themselves.

As mentioned, all HTTPS security rests on your knowing in advance what the true signature of the FI should look like (the so-called signing certificate of the certification authority; in the case of fadmin.fi.muni.cz the certification authority is "TERENA SSL CA"), or what the real certificate identifying the right server fadmin.fi.muni.cz should look like. However, if we consider the Internet generally untrustworthy (which is why the whole complex overhead around certificates exists), how do you obtain a genuine signature?

The answer is simple: you have to take the risk once (there is also the alternative of downloading the certificate from elsewhere, described at the end of this page, but it has similar security gaps). Certificates and signatures are, of course, remembered by your Internet browser. So, when you first direct your browser to the encrypted section of the Faculty Administration website, the browser will warn you that you are connecting to a server called fadmin.fi.muni.cz, which will ask you to enter a secret password, claims to be the real server fadmin.fi.muni.cz and proves it with the enclosed certificate. This one time you will have to rely on having reached the real faculty server, accept the presented certificate and let your browser remember it. On all subsequent accesses to that server, the browser will automatically compare the certificate offered by the server with the one it remembered.

For this first encounter with a new server, choose a network environment that minimizes the chance that the faculty server is being forged. Ideally, connect from inside the faculty network (which, of course, is possible only with laptops and other mobile devices) and use the faculty DNS servers (the DNS service running on the server aisa.fi.muni.cz will probably answer even when queried from anywhere on the Internet).

FI certificates

So that you can make sure you are accepting the right certificate the first time you receive it, here is the SHA-1 fingerprint of the certificate of fadmin.fi.muni.cz (and also the fingerprint of the FI Administration's signing certificate). The likelihood that someone would spoof the identity of the server fadmin.fi.muni.cz and at the same time somehow attack this website is very small. We recommend that you check that the SHA-1 fingerprint matches the values below when you first import the certificate.

Server fadmin.fi.muni.cz
B1:46:29:0D:E1:5B:5B:69:1D:89:FC:0D:A6:E0:76:77:F5:AE:CA:70
Server www.fi.muni.cz
35:6F:BD:99:E5:48:2C:28:5A:1E:96:43:A0:94:40:B5:B3:8B:ED:91
Server chat.fi.muni.cz
7F:97:1D:9D:19:0A:81:89:A6:4A:C0:3C:E4:76:86:68:D7:C0:C2:AF
Server svn.fi.muni.cz
CC:8A:4A:6C:54:C7:CC:E8:60:1D:D8:6A:43:5E:4C:16:A9:0E:DB:58
Certification Authority
AddTrust External CA Root
02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
UTN-USERFirst-Hardware
3D:4B:2A:4C:64:31:71:43:F5:02:58:D7:E6:FD:7D:3C:02:1A:52:9E
TERENA SSL CA
3A:88:17:64:47:2B:64:41:DD:B3:AF:DD:47:C6:B8:B7:6E:E7:BA:1D
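
An added example (not part of the original page and not FI's own tooling) of the two checks described above: comparing a presented certificate's fingerprint with a published value on first contact, and comparing it with the remembered certificate on every later visit. `PinStore`, `server.example` and the certificate bytes are assumptions constructed for illustration; SHA-1 is the default because it is what this page publishes, and `algo` also accepts `sha256`.

```python
import hashlib
import hmac
import ssl


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated uppercase hex digest of the DER bytes (the page's format)."""
    hexed = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexed[i:i + 2] for i in range(0, len(hexed), 2))


def same_fingerprint(a: str, b: str) -> bool:
    """Compare two fingerprints, ignoring case, colons and surrounding spaces."""
    def norm(s: str) -> bytes:
        return s.replace(":", "").strip().upper().encode()
    return hmac.compare_digest(norm(a), norm(b))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate a live server presents, without validating it."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


class PinStore:
    """Hypothetical stand-in for the browser's memory of accepted certificates."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, der: bytes, published: str = None) -> str:
        seen = fingerprint(der)
        pinned = self._pins.get(host)
        if pinned is not None:          # every later visit: compare with memory
            return "match" if same_fingerprint(pinned, seen) else "mismatch"
        if published is None:           # first encounter, nothing to check against
            self._pins[host] = seen
            return "pinned-unverified"
        if not same_fingerprint(seen, published):
            return "rejected"           # differs from the published value: do not pin
        self._pins[host] = seen
        return "pinned-verified"


# Constructed stand-ins for DER certificates (not real certificates).
GENUINE = b"constructed bytes standing in for the genuine certificate"
FORGED = b"constructed bytes standing in for a forged certificate"
# Stands in for a fingerprint copied from a published list, typed in lowercase.
PUBLISHED = fingerprint(GENUINE).lower()
```

For a live check, `fingerprint(fetch_der(host))` gives the value to compare by eye or with `same_fingerprint` against the list above.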

As indicated above, it is possible to download the authority's signing certificate (which will then credibly mark server certificates as genuine or fake) into the browser before the first access to the Faculty Administration. To import it, click these links:

FI Certification Authority

Generally, it is sufficient to import and use the above certificates. However, for some services it is simply not possible to use this "more official" certification authority for technical reasons. These are, for example, information systems of other schools operated by the Faculty of Informatics. In such cases, the following certification authority of the Faculty of Informatics is used:

Faculty of Informatics
3A:42:17:BF:27:19:2E:15:52:C2:E7:61:85:FD:B4:CA:83:F9:9D:D0

For use on servers, we also provide the certificate in PEM format:

Conclusion

It should be added that this route brings no additional security: once again there is a web server (coincidentally also fadmin.fi.muni.cz) whose identity or content may have been forged, and you have no way to establish that explicitly. It is the same "first encounter" with the same risks.