This document contains these sections:
Internet Security Issues
Communication over the Internet uses the Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP allows information to be sent from one computer to another through a variety of intermediate computers and separate networks before it reaches its destination. The great flexibility of TCP/IP has led to its worldwide acceptance as the basic Internet communications protocol. At the same time, the fact that TCP/IP allows information to pass through intermediate computers makes it possible for people to interfere with your communications in the following ways:
Encryption and Decryption
Encryption is the process of scrambling information so it is unintelligible to anyone but the intended recipient. Decryption is the process of unscrambling encrypted information so that it is intelligible again. A cryptographic algorithm, also called a cipher, is a set of rules or directions used to encrypt or decrypt data. In most cases, two related algorithms are employed, one for encryption and the other for decryption. With most modern cryptography, the ability to keep encrypted information secret is based not on the cryptographic algorithm, which is widely known, but on a number called a key that must be used with the algorithm to produce an encrypted result or to decrypt previously encrypted information. Decryption with the correct key is simple. Decryption without the correct key is very difficult, and in some cases impossible for all practical purposes. In general, the strength of encryption is related to the difficulty of discovering the key, which in turn depends on both the cipher used and the length of the key. For example, the difficulty of discovering the private key for the RSA cipher typically used for public-key encryption (described in the next section) depends on the difficulty of factoring large numbers, a well-known mathematical problem.
Public-Key Cryptography
Public-key cryptography is a set of well-established techniques and standards that allow a person or other entity to verify its identity electronically and to encrypt and decrypt electronic data. It involves a pair of keys—a public key and a private key—associated with that identity. The most commonly used implementations of public-key cryptography are based on algorithms patented by RSA Data Security. The examples used here describe the RSA approach. Each public key is published, and the corresponding private key is kept secret. Data encrypted with your public key can be decrypted only with your private key. Figure 1 shows a simplified view of the way public-key encryption works.
Figure 1 Public-key encryption
Digital Signatures
Encryption and decryption address the problem of eavesdropping, one of the three Internet security issues mentioned at the beginning of this section. But encryption and decryption, by themselves, do not address the other two problems mentioned in Internet Security Issues: tampering and misrepresentation. This section describes how public-key cryptography addresses the problem of tampering. The section that follows describes how public-key cryptography addresses the problem of misrepresentation. Tamper detection and related authentication techniques involve a special code called a digital signature. A digital signature is derived from both the data to be signed and the private key of the signer, and is unique (for all practical purposes) for each new piece of data that is signed. A digital signature has nothing to do with a handwritten signature, although it can sometimes be used for similar legal purposes. Digital signatures make use of a mathematical function called a one-way hash (also called a message digest). A one-way hash function produces a number called a one-way hash that has the following characteristics:
Figure 2 Using a digital signature to validate data integrity
Certificates
A certificate is an electronic document used to identify an individual, a server, a company, or some other entity and to associate that identity with a public key. Like a driver's license, a credit card, a passport, or other commonly used personal IDs, a certificate provides generally recognized proof of a person's identity. Public-key cryptography uses certificates to address the problem of misrepresentation (see Internet Security Issues). To get a driver's license, you typically apply to a government agency, such as the Department of Motor Vehicles, which verifies your identity, your ability to drive, your address, and other information before issuing the license. To get a credit card, you apply to a company that performs a credit check before issuing the ID. To get a library card, you may need to provide only your name and a utility bill with your address on it. Certificates work much the same way as any of these familiar forms of identification. Certificate authorities (CAs) validate identities and issue certificates. They can be either independent third parties or organizations running their own certificate-issuing server software (such as Personal Security Manager). The methods used to validate an identity vary depending on the policies of a given CA—just as the methods to validate other forms of identification vary depending on who is issuing the ID and the purpose for which it will be used. In general, before issuing a certificate, the CA must use published verification procedures to ensure that people or other entities requesting certificates are in fact who they claim to be. The certificate issued by a CA binds a particular public key to the name of the person or other entity the certificate identifies (such as the name of an employee). Certificates help prevent the use of fake public keys for impersonation. 
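The signature mechanism of the preceding section and the certificate binding described here, as an added toy example (not Personal Security Manager code): textbook RSA with Mersenne primes and an unpadded SHA-256 digest, which shows how a signature ties data to a private key and how a CA's signature on a certificate lets a verifier trust a public key it has never seen before. All names, keys and certificate fields are constructed for the example.

```python
"""Toy walk-through of digital signatures and CA-signed certificates.

Added example, not Personal Security Manager code. Textbook RSA with no padding
is fine for showing the mechanism and useless as a real signature scheme.
"""
import hashlib
import json


def make_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for primes p and q. pow(e, -1, phi) needs Python 3.8+."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def one_way_hash(data: bytes, n: int) -> int:
    """SHA-256 digest of the data as an integer below the modulus.

    Real RSA signatures pad the digest (for example PKCS#1 v1.5); reducing it
    modulo n is a toy shortcut that keeps the arithmetic self-contained.
    """
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    """A signature is derived from the data (through its hash) and the signer's private key."""
    n, d = private_key
    return pow(one_way_hash(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Recompute the hash and compare it with the hash recovered from the signature."""
    n, e = public_key
    return pow(signature, e, n) == one_way_hash(data, n)


def canonical(fields: dict) -> bytes:
    """Deterministic byte encoding of the certificate fields that get signed."""
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(ca_name, ca_private_key, subject, subject_public_key, serial):
    """The CA binds a name to a public key by signing the certificate's fields."""
    fields = {
        "subject": subject,
        "public_key": list(subject_public_key),
        "issuer": ca_name,
        "serial": serial,
        "not_after": "2001-12-31",  # constructed; shown only, not checked here
    }
    return {"fields": fields, "signature": sign(ca_private_key, canonical(fields))}


def verify_certificate(ca_public_key, cert) -> bool:
    """Does the issuing CA's signature match the certificate's fields?"""
    return verify(ca_public_key, canonical(cert["fields"]), cert["signature"])


def verify_signed_message(ca_public_key, cert, data: bytes, signature: int) -> bool:
    """Letter of introduction: trust the CA, so trust the certified key, then check the message."""
    if not verify_certificate(ca_public_key, cert):
        return False
    return verify(tuple(cert["fields"]["public_key"]), data, signature)


def tampered(cert, new_subject):
    """Copy of a certificate with the subject changed but the CA signature left untouched."""
    fields = dict(cert["fields"], subject=new_subject)
    return {"fields": fields, "signature": cert["signature"]}


# Constructed keys. The Mersenne primes 2^89-1, 2^107-1, 2^31-1 and 2^61-1 give
# phi values coprime to 65537, so the private exponent always exists.
CA_PUBLIC, CA_PRIVATE = make_keypair((1 << 89) - 1, (1 << 107) - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair((1 << 31) - 1, (1 << 61) - 1)
ALICE_CERT = issue_certificate("Example CA", CA_PRIVATE, "alice@example.com", ALICE_PUBLIC, 1)

if __name__ == "__main__":
    message = b"Transfer 10 shares to Bob"
    sig = sign(ALICE_PRIVATE, message)
    print("genuine message:   ", verify_signed_message(CA_PUBLIC, ALICE_CERT, message, sig))
    print("altered message:   ", verify_signed_message(CA_PUBLIC, ALICE_CERT, b"Transfer 99 shares to Bob", sig))
    print("forged certificate:", verify_signed_message(CA_PUBLIC, tampered(ALICE_CERT, "mallory@example.com"), message, sig))
```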
Only the public key certified by the certificate will work with the corresponding private key possessed by the person or other entity identified by the certificate. In addition to a public key, a certificate always includes the name of the person or other entity it identifies, an expiration date, the name of the CA that issued the certificate, a serial number, and other information. Most importantly, a certificate always includes the digital signature of the issuing CA. The CA's digital signature allows the certificate to function as a "letter of introduction" for users who know and trust the CA but don't know the person or other entity identified by the certificate.
Web Site Identity Not Verified—Connection Not Encrypted
If you click the Security button when you are viewing a web page that does not support authentication or encryption, Personal Security Manager displays panels with these boldface headings:
Web Site Identity Verified—Connection Encrypted
If you click the Security button when you are viewing a web page that has been successfully authenticated and encrypted, Personal Security Manager displays panels with these boldface headings:
Web Site Identity Conditionally Verified—Connection Encrypted
If you click the Security button when you are viewing a web page that has been conditionally authenticated and successfully encrypted, Personal Security Manager displays panels with these boldface headings:
Web Site Identity Verified—Connection Not Encrypted
If you click the Security button when you are viewing a web page that has been successfully authenticated but has not been encrypted, Personal Security Manager displays panels with these boldface headings:
Web Site Conditionally Verified—Connection Not Encrypted
If you click the Security button when you are viewing a web page that has been conditionally authenticated but not encrypted, Personal Security Manager displays panels with these boldface headings:
Message Has No Digital Signature—Message Not Encrypted
If you click the lock icon when you are viewing a message that is neither digitally signed nor encrypted, Personal Security Manager displays panels with these boldface headings:
Message Is Signed—Message Is Encrypted
If you click the lock icon when you are viewing a message that has a valid signature and is also encrypted, Personal Security Manager displays panels with these boldface headings:
Message Is Signed—Message Not Encrypted
If you click the lock icon when you are viewing a message that has a valid digital signature but has not been encrypted, Personal Security Manager displays panels with these boldface headings:
Digital Signature Is Not Valid—Message Is Encrypted
If you click the lock icon when you are viewing a message that has an invalid digital signature but has been successfully encrypted, Personal Security Manager displays panels with these boldface headings:
Message Has No Digital Signature—Message Cannot Be Decrypted
If you click the Security button when you are viewing a message that cannot be decrypted, Personal Security Manager displays a panel with these boldface headings:
Digital Signature Is Not Valid—Message Not Encrypted
If you click the Security button when you are viewing a message that has an invalid digital signature and has not been encrypted, Personal Security Manager displays panels with these boldface headings:
Message Can Be Signed—Message Can Be Encrypted
If you click the Security button or the lock icon when you are composing a message that can be signed and encrypted, Personal Security Manager displays panels with these boldface headings:
Message Can Be Signed—Message Cannot Be Encrypted
If you click the Security button or the lock icon when you are composing a message that can be signed but not encrypted, Personal Security Manager displays panels with these boldface headings:
Message Cannot Be Signed—Message Cannot Be Encrypted
If you click the Security button or the lock icon when you are composing a message that cannot be signed or encrypted, Personal Security Manager displays panels with these boldface headings:
Message Cannot Be Signed—Message Can Be Encrypted
If you click the Security button or the lock icon when you are composing a message that can be encrypted but not signed, Personal Security Manager displays panels with these boldface headings:
Message Not To Be Signed—Message Not to Be Encrypted
If you click the Security button or the lock icon when you are composing a message that is not going to be signed or encrypted, Personal Security Manager displays panels with these boldface headings:
Message Not To Be Signed—Message Can Be Encrypted
If you click the Security button or the lock icon when you are composing a message that is not going to be signed and can be encrypted, Personal Security Manager displays panels with these boldface headings:
Message Not To Be Signed—Message Cannot Be Encrypted
If you click the Security button or the lock icon when you are composing a message that is not going to be signed and cannot be encrypted, Personal Security Manager displays panels with these boldface headings:
Message Can Be Signed—Message Not to Be Encrypted
If you click the Security button or the lock icon when you are composing a message that can be signed and is not to be encrypted, Personal Security Manager displays panels with these boldface headings:
Message Cannot Be Signed—Message Not to Be Encrypted
If you click the Security button or the lock icon when you are composing a message that cannot be signed and is not to be encrypted, Personal Security Manager displays panels with these boldface headings:
Navigator Warnings
It's easy to tell when the web site you are viewing is using an encrypted connection. If the connection is encrypted, the lock icon in the lower-left corner of the Navigator window is locked. If the connection is not encrypted, the lock icon is unlocked. For many people, the lock icon provides sufficient information about a page's encryption status. If you want additional warnings, you can select one or more of the warning checkboxes in the Navigator section of the Applications tab. Think carefully about whether you want such warnings, since they can be annoying. These are the choices you can make about Navigator warnings:
Selection of Certificate
Personal Security Manager maintains a certificate store of available certificates that belong to you, just as you can carry different credit cards or other pieces of identification that are used for different purposes. To view these certificates, click the Certificates tab, then click Mine. You can choose how Navigator selects a certificate to identify you to a web site:
Security Options for Sending Mail
If you have certificates for all recipients of a message, Messenger can encrypt that message when you send it. (Otherwise, the message cannot be encrypted.) If you always want Messenger to encrypt messages that can be encrypted, select "Encrypt mail messages whenever possible." Certificate Fetching describes how to use Personal Security Manager to fetch certificates automatically for recipients of a message that you want to encrypt. If you have a valid certificate for yourself, you can digitally sign all your mail messages. To do so, select "Sign mail messages whenever possible." If you have a valid certificate for yourself, you can also digitally sign all your discussion messages. To do so, select "Sign discussion messages whenever possible."
Certificate for Signing Mail
Personal Security Manager maintains a certificate store that may include several different certificates that belong to you, just as you may carry different credit cards or other pieces of identification that are used for different purposes. The drop-down menu labeled "Select a security certificate to use for signing mail:" allows you to select the certificate you want Personal Security Manager to use for signing your mail messages.
Certificate Fetching
If you don't have certificates for all recipients of a message that you want to encrypt, Personal Security Manager can automatically fetch their certificates (if available) from a specified directory at the time that you send the message. Automatic certificate fetching won't work unless you have specified a directory server to search in. To do so, choose Preferences from the Edit menu, then click Addressing under Mail & Newsgroups. In the right panel, click Directory Server under Pinpoint Addressing, select the directory you want to use from the drop-down menu, and click OK. Personal Security Manager uses this directory to search for any missing certificates when you click the Send button in a composition window for an encrypted message. If the directory you want doesn't show up in the Pinpoint Addressing drop-down menu, you can add it to the list using the Communicator Address Book. To do so, choose Address Book from the Communicator menu, then choose New Directory from the File menu. Add information about the directory you want to add in the window that appears. Once the directory has been added to the Address book, you can specify it in your Communicator preferences as described above.
Reset All Privileges
When you click the Reset All Privileges button, the Reset All Privileges window appears. If you attempt to run any applets or scripts that require special access privileges after you reset all privileges, you will be asked to grant or deny privileges, even if you have previously made this decision.
Work with Certificates that Identify You
To perform any of the actions listed here, select the certificate on which you want to act and follow the instructions:
Choose a Personal Security Password
Your Personal Security Password protects keys associated with your identity, such as the key that protects your stored passwords or a private key associated with a certificate. These keys are stored on a security device, such as the default device maintained internally by Personal Security Manager (called PSM Private Keys security device) or an external smart card. The Personal Security Password for the default PSM Private Keys security device also protects your master key, which is a special key used by Personal Security Manager to encrypt information on behalf of other applications. For example, Netscape 6 uses Personal Security Manager and your master key to encrypt email passwords, web site passwords, and other stored sensitive information. If someone uses your computer who knows or can guess the Personal Security Password for any security device available to Personal Security Manager, that person may be able to email or access web sites while pretending to be you. This can be dangerous—for example, if you digitally sign important email messages or manage your financial accounts over the Internet. Therefore, it's important to select a Personal Security Password that is difficult to guess. For help creating a password that's hard to guess, see Choose a Good Password. It's also important to record your Personal Security Password in a safe place—and not anywhere that's easily accessible to someone else. If you forget this password, you may not be able to access important information, such as web sites that require passwords or certificates or encrypted mail stored on your computer. For more information about the consequences of losing your Personal Security Password, see What To Do If You Forget Your Personal Security Password. For instructions on controlling the frequency with which Personal Security Manager requests your password, see Set the Frequency of Password Requests. Note that each security device requires a separate Personal Security Password. 
For example, if you are using one or more smart cards to store some of your certificates, you must set a separate Personal Security Password for each one.
Choose a Good Password
Good passwords have the following characteristics:
Set the Frequency of Password Requests
The Personal Security Password window also allows you to set how often Personal Security Manager requires your Personal Security Password. Here are some things you should consider when selecting these options:
What To Do If You Forget Your Personal Security Password
The consequences of forgetting your Personal Security Password vary depending on your use of certificates and, if you are using Netscape 6, your use of the Password Manager:
Choose a Portable Security Password
A portable security password protects one or more certificates that you are backing up using the Backup or Backup All button in the Mine section of the Certificates tab. Personal Security Manager asks you to set a portable security password when you back up certificates, and requests it when you attempt to restore certificates that have previously been backed up. Important: When you click the Backup All button, Personal Security Manager attempts to back up all of your certificates and their associated private keys stored on the default PSM Private Keys security device. Certificates backed up in this manner cannot be restored unless you are using a browser that has Personal Security Manager installed, or unless you are using Communicator 4.71 or later. The Backup All button does not back up any certificates that are stored on security devices other than the default PSM Private Keys device. For example, Backup All will not back up any certificates in the list that are stored on a smart card inserted in a smart card reader attached to your computer. Certificates stored on security devices other than PSM Private Keys must each be backed up individually by selecting the name of the certificate and clicking the Backup button. If someone obtains the file containing a certificate that you have backed up and successfully restores the certificate, that person can send messages or access web sites while pretending to be you. This can have negative consequences, for example, if you digitally sign important email messages or manage your bank or investment accounts over the Internet. Therefore, it's important to select a Portable Security Password that is difficult to guess. It's also important to record the password in a safe place—and not anywhere that's easily accessible to someone else. If you forget this password, you can't restore the backup of your certificate. For help in choosing a good password, see Choose a Good Password.
Delete My Certificate
Before deleting a certificate—even one that has expired—make sure that you won't need it again some day. For example, you can use your own expired certificate for reading old email messages that you may have encrypted with the corresponding private key. If you delete someone else's certificate and then attempt to read email messages it was used to encrypt, your email software may not run correctly.
Work with Others' Certificates
To perform any of the actions listed here, select the certificate on which you want to act and follow the instructions:
Edit Certificate Settings for Others' Certificates
When you select someone else's certificate and click Edit, you see a window titled Edit Security Certificate Settings. Here you specify whether you want to trust the selected certificate to identify messages from and send encrypted email messages to the email address shown.
Add Someone Else's Certificate to Your Certificate Store
When you click Add in the Others section of the Certificates tab, you see a window called Add Security Certificate. This window allows you to search for certificates in a directory and add them to your certificate store. If the directory you want to search doesn't show up in the drop-down menu labeled "Directory to search", add it to your list of directories using the Communicator Address Book. To do so, choose Address Book from the Communicator menu, then choose New Directory from the File menu. Enter the requested information about the directory you want to add. Once the directory has been added to the Address book, it appears in the drop-down menu in the Add Security Certificate window. After you specify the directory to search, type the email address of the person whose certificate you want to find. When you click OK, Personal Security Manager searches for a certificate corresponding to the address you typed. If it finds a valid certificate, Personal Security Manager adds it to your certificate store. If more than one valid certificate is available, Personal Security Manager adds the one issued most recently. If Personal Security Manager can't find a certificate matching the email address you specified, you may have typed it incorrectly. To try again, click Add again. If Personal Security Manager still can't locate the certificate, you can obtain it by asking the person whose certificate you want to send you a signed email message. The certificate whose corresponding private key was used to create the digital signature is automatically sent with any signed message, and Personal Security Manager automatically adds it to your certificate store.
Delete Someone Else's Certificate
Before deleting someone else's certificate, make sure you won't need it again some day to send encrypted email to that person or to verify digital signatures on messages from that person.
Edit Web Site Certificate Settings
When you select a web site certificate and click Edit, you see a window titled Edit Security Certificate Settings. Here you specify whether you want to trust the selected certificate for identifying the web site and setting up an encrypted connection with it.
Delete Web Site Certificate
Before deleting a certificate, make sure that you won't need it again for the purposes of identifying a web site and setting up an encrypted connection.
Edit CA Certificate Settings
When you select a CA certificate and click Edit, you see a window titled Edit Security Certificate Settings. Here you specify the kinds of certificates you trust this CA to certify. If you deselect all the checkboxes, Personal Security Manager will not trust any certificates issued by this CA.
Delete Authority Certificate
Before deleting a CA certificate, make sure that you won't need it again to validate certificates issued by that CA. If you delete the only valid certificate you have for a CA, Personal Security Manager will no longer trust any certificates issued by that CA. For example, it will no longer be possible to validate the digital signatures for email messages you have received that were signed with the aid of a certificate issued by that CA.
Add New Security Module
When you click the Add button below the list of modules, the Add New Security Module window appears. You provide the name of the module and the filename and location of the file on your hard disk, then click Install. Before you can add a PKCS #11 module to the list of modules maintained by Personal Security Manager, you must first install the module on your computer and if necessary connect any associated hardware device. The instructions that come with such a device should provide both the name of the module and information about how to install the software and connect the hardware. For more information about PKCS #11 modules, see Modules.
Enable FIPS Mode
Federal Information Processing Standards Publications (FIPS PUBS) 140-1 is a US government standard for implementations of cryptographic modules—that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures). Many products sold to the US government must comply with one or more of the FIPS standards. When you click the Enable button in the Modules panel of the Advanced tab, Personal Security Manager enters FIPS mode, begins operating according to FIPS PUBS 140-1, and the Enable button changes to Disable. To disable FIPS mode, click Disable.
SSL Settings
The Secure Sockets Layer (SSL) protocol defines rules governing mutual authentication between a web site and browser software and the encryption of information that flows between them. The Transport Layer Security (TLS) protocol is an IETF standard based on SSL. TLS 1.0 can be thought of as SSL 3.1. You should normally leave both SSL checkboxes and the TLS checkbox in the Options panel selected to ensure that both older and newer web servers can support authentication and encryption with Personal Security Manager. Some servers that do not implement SSL correctly cannot negotiate the SSL handshake with client software (such as Personal Security Manager) that supports TLS. To allow Personal Security Manager to use SSL with such TLS-intolerant servers, click the "Enable TLS" checkbox to deselect it.
OCSP Settings
The Online Certificate Status Protocol (OCSP) makes it possible for Personal Security Manager to perform an online check of a certificate's validity each time the certificate is viewed or used. This process involves checking the certificate against a certificate revocation list (CRL) maintained at a specified web site. Your computer must be online for OCSP to work. To specify how Personal Security Manager uses OCSP, you click OCSP Settings in the Options panel of the Advanced tab. You can choose one of these settings:
View Security Certificate
The View Security Certificate window displays information about the certificate you selected in one of the panels available under the Certificate tab. You can also click View More Info in the top right corner of the window to see a complete text version of the certificate (normally of interest to IS professionals only). The View Security Certificate window shows the following information about the selected certificate:
View Certificate Details
When you click View More Info in the upper-right corner of the View Security Certificate window, a View Certificate Details window opens that displays the complete contents of the certificate. This information is normally of interest to IS professionals only. Personal Security Manager displays basic ANSI types in human-readable form wherever possible. For fields whose contents it cannot interpret, Personal Security Manager simply displays the actual values contained in the certificate.
View Security Certificate—Issuer Not Found
When you click the name of a certificate's issuer (labeled "Issued Under:") in the View Security Certificate window, a new View Security Certificate window opens with information about the issuer's certificate—unless that certificate is not available in the certificate store maintained by Personal Security Manager. In this case, the new window informs you that the issuer's certificate could not be found.
Encryption Key Copy
Certificate authorities (CAs) that issue separate signing and encryption email certificates typically make backup copies of your private encryption key during the certificate enrollment process. Separate signing and encryption certificates require client software that supports dual key pairs for use in signing and encrypting email. It's important to understand that a CA that has archived a backup copy of your encryption key has the potential capability of decrypting any messages encrypted with your public key. If you trust your CA with this capability, click OK. After your CA makes a backup copy of the encryption key, you will be able to use that key to access your encrypted mail even if you lose your password or lose your own copy of the key. If no backup copy of your encryption key exists and you lose your password or the key, you will have no way of reading any of your encrypted email messages. If you don't trust the CA that is requesting the backup copy, don't request a certificate from it. Click Cancel to stop both the backup procedure and the request for a certificate. If you are not sure whether to trust the CA that is requesting the backup copy, talk to your system administrator.
Security Certificate Backup
When you receive a certificate, make a backup copy of the certificate and its private key, then store the copy in a safe place. For example, you can put the copy on a floppy disk and store it with other valuable items under lock and key. That way, even if you have hard disk or file corruption problems, you can easily restore the certificate. It can be inconvenient, at best, and in some situations catastrophic to lose your certificate and its associated private key, depending on what you use it for. For example:
User Identification Request
Some web sites require that you identify yourself with a certificate rather than a name and password, because certificates provide a more reliable form of identification. However, Personal Security Manager may have more than one certificate that can be used for the purposes of identifying yourself to a web site. In this case, Personal Security Manager presents the User Identification Request window, which allows you to select the appropriate certificate for the web site you want to visit. Web sites can also use certificates to identify themselves. The certificate presented by the web site you want to visit is displayed in the top part of this window. The information provided includes the name of the CA that issued the certificate (labeled "Issued Under"). The certificates you have available for the purposes of identifying yourself to a web site are listed in the drop-down menu in the bottom part of the window. Choose the certificate that seems most likely to be recognized by the web site you want to visit. For short definitions, click certificate or client authentication. For an overview of Personal Security Manager and network security concepts, see Introduction to Personal Security Manager.
Choose Security Certificate
The Choose Security Certificate window appears when Personal Security Manager has more than one certificate with the same name in its certificate store. Use this window to select the certificate you want to use. For example, if there are several certificates with the same name but different validity periods, you would normally want choose the one most recently issued.New Web Site Certificate
Many web sites use certificates to identify themselves when you visit the site. If Personal Security Manager doesn't recognize the certificate authority (CA) that issued a web site's certificate, it displays the following windows:Expired Web Site Certificate
Like a credit card, a driver's license, and many other forms of identification, a certificate is valid for a specified period of time. When a certificate expires, the owner of the certificate needs to get a new one. Personal Security Manager displays the Expired Web Site Certificate window when you attempt to visit a web site whose certificate has expired.

As the window explains, the first thing you should do is make sure the time and date displayed by your computer are correct. If your computer's clock is set to a date that is after the expiration date, Personal Security Manager treats the web site's certificate as expired even though it is still valid. You can examine information about the certificate, including its validity period, by clicking the View button.

The decision whether to trust the site anyway depends on what you intend to do at the site and what else you know about it. Most commercial sites will make sure that they replace their certificates before they expire. If you believe the certificate's expiration is an inadvertent error, you may want to accept the certificate anyway for this session and let the webmaster for the site know about the problem. If you suspect that there may be a more significant problem, either accept the certificate and be cautious about any actions you take while you are visiting the site, or do not accept the certificate (in which case Personal Security Manager will not connect you to the site). For an overview of Personal Security Manager and network security concepts, see Introduction to Personal Security Manager.

Web Site Certificate Not Yet Valid
Like a credit card, a driver's license, and many other forms of identification, a certificate is valid for a specified period of time. Personal Security Manager displays the Web Site Certificate Not Yet Valid window when you attempt to visit a web site whose certificate's validity period has not yet started.

The first thing you should do is make sure the time and date displayed by your own computer are correct. If your computer's clock is set to a date that is before the start of the validity period, Personal Security Manager treats the web site's certificate as not yet valid even if it is in fact valid. You can examine information about the certificate, including its validity period, by clicking the View button.

The decision whether to trust the site anyway depends on what you intend to do at the site and what else you know about it. Most commercial sites will make sure that the validity period for their certificates has begun before beginning to use them. If you believe the certificate's validity problem is an inadvertent error, you may want to accept the certificate anyway for this session and let the webmaster for the site know about the problem. If you suspect that there may be a more significant problem, either accept the certificate and be cautious about any actions you take while you are visiting the site, or do not accept the certificate (in which case Personal Security Manager will not connect you to the site). For an overview of Personal Security Manager and network security concepts, see Introduction to Personal Security Manager.

Unexpected Certificate Name
A web site certificate specifies the name of the web site in the form of the site's host name. For example, the host name for Netscape Netcenter is home.netscape.com. If the host name in a web site's certificate doesn't match the actual host name of the web site you asked for, it may be a sign that someone is attempting to intercept your communication with the web site: a valid certificate for some other host proves nothing about the site you typed into the browser.

The decision whether to trust the site anyway depends on what you intend to do at the site and what else you know about it. Most commercial sites will make sure that the host name in a web site certificate matches the web site's actual host name. If you decide to accept the certificate anyway for this session, you should be cautious about what you do on the web site, and you should treat any information you find there as potentially suspect. For an overview of Personal Security Manager and network security concepts, see Introduction to Personal Security Manager.
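The checks behind the New Web Site Certificate, Expired Web Site Certificate, Web Site Certificate Not Yet Valid and Unexpected Certificate Name windows, as an added example in Go; this is not code from this help page or from Personal Security Manager. It builds a constructed CA and site certificate in memory (the host name home.netscape.com is taken from the text; the validity dates, the CA name and the function and verdict names are assumptions), then runs the same verification with different client clocks and requested host names to show which window each condition would trigger. In particular it shows that a wrong client clock alone is enough to turn a perfectly good certificate into an "expired" or "not yet valid" one, which is why both windows tell you to check the date first.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdict names the PSM window a client would show for a verification result.
type Verdict string

const (
	OK           Verdict = "OK"
	UnknownCA    Verdict = "New Web Site Certificate"
	Expired      Verdict = "Expired Web Site Certificate"
	NotYetValid  Verdict = "Web Site Certificate Not Yet Valid"
	NameMismatch Verdict = "Unexpected Certificate Name"
)

// Assumed validity window of the constructed site certificate.
var (
	notBefore = time.Date(2000, 6, 1, 0, 0, 0, 0, time.UTC)
	notAfter  = time.Date(2001, 6, 1, 0, 0, 0, 0, time.UTC)
)

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustCert(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newPKI builds a constructed, in-memory CA and a site certificate it issued for
// home.netscape.com. Nothing here is a real Netscape certificate; it is sample data.
func newPKI() (caCert, siteCert *x509.Certificate) {
	caKey := mustKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"}, // assumed name
		NotBefore:             notBefore.AddDate(-1, 0, 0),
		NotAfter:              notAfter.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert = mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root

	siteKey := mustKey()
	siteTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "home.netscape.com"},
		DNSNames:     []string{"home.netscape.com"}, // the name matched against the URL's host
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	siteCert = mustCert(siteTmpl, caCert, &siteKey.PublicKey, caKey) // issued by the CA
	return caCert, siteCert
}

// checkSite verifies the site certificate against the trusted roots, using the
// client's own clock (now) and the host name the user typed, and maps any
// failure to the window that would be shown.
func checkSite(cert *x509.Certificate, roots *x509.CertPool, now time.Time, host string) Verdict {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, DNSName: host})
	if err == nil {
		return OK
	}
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	var hostErr x509.HostnameError
	switch {
	case errors.As(err, &unknown):
		return UnknownCA
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		// Go reports both ends of the validity window under Reason == Expired;
		// the client clock tells them apart, which is exactly what the dialogs ask you to check.
		if now.Before(cert.NotBefore) {
			return NotYetValid
		}
		return Expired
	case errors.As(err, &hostErr):
		return NameMismatch
	}
	return Verdict(err.Error())
}

func main() {
	ca, site := newPKI()
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	inWindow := notBefore.AddDate(0, 1, 0)
	fmt.Println(checkSite(site, roots, inWindow, "home.netscape.com"))                 // OK
	fmt.Println(checkSite(site, roots, notAfter.AddDate(0, 0, 1), "home.netscape.com")) // clock past NotAfter
	fmt.Println(checkSite(site, roots, notBefore.Add(-time.Hour), "home.netscape.com")) // clock before NotBefore
	fmt.Println(checkSite(site, roots, inWindow, "www.netscape.com"))                  // wrong host for this cert
	fmt.Println(checkSite(site, x509.NewCertPool(), inWindow, "home.netscape.com"))    // issuer not trusted
}
```

The same certificate and trust store produce four different verdicts depending only on what the client supplies: its clock and the host name it asked for. That is the practical reading of the windows above: before deciding whether to trust a site, rule out the two inputs on your own side (date and URL) that can make a good certificate look bad.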