Browser Security

I could not have had my first internship at a better time. Does everyone remember the year 2012, when smartphones were still a young, hot thing? A good mix of us were still lugging around flip phones, Motorola Razrs, and the iPhone 4S. During that very year, the mobile device market was popping out all sorts of crazy new smartphones with various Android, iOS, and yes… Windows Phone. That is still happening to this day; however, the difference between now and then is that SSL certificate managers weren’t yet ready to support SSL certificates in those cases.

In some cases, you might have visited a website from your phone via the https protocol, but were suddenly alerted to a bad certificate error. Even though the browser stopped you in your tracks and blamed the server for improper certificate configuration, the fact of the matter may have actually been that the certificate authority of that server may not have yet supported your device and/or browser. Big difference.

So what was my job? I got to build a front end service that loaded an image from every known certificate authority’s website, to prove that the CA I was interning for was leading the competition. The task was simple. Literally:

  1. Create a front end service that attempts to go through a list of known certificate authorities’ websites
  2. Load the first occurrence of an image from their site
  3. See if the image rendered within the browser properly

This test assumed that each certificate authority’s website is served over SSL via their own certificate. It’d be silly for the certificate authority to not present their website over SSL - let alone not use the very certificate that they sell.

Then, from various devices at hand, the test would be conducted by hitting the front end service from various browsers and operating systems (mostly phones). If an image rendered as expected, that was due to the https request being successful and allowing the image to render in the browser. On the other hand, if the image did not load, that was likely due to the certificate being invalid - or any number of reasons, really - such as the image URL being broken. Throwing away assumptions, a broken, unrendered image was almost always the fault of the certificate chain not properly loading.
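A sketch of the image probe described in the steps above, as an added example rather than the code written during the internship. The function names, the `createImage` hook and the `.example` hosts are assumptions; real CA image URLs would replace the constructed list.

```javascript
// Constructed sample targets: placeholder hosts, not real CA sites.
const TARGETS = [
  { ca: "Example CA One", imageUrl: "https://ca-one.example/logo.png" },
  { ca: "Example CA Two", imageUrl: "https://ca-two.example/logo.png" },
];

// Load one image and resolve with its outcome. createImage defaults to the
// browser's Image constructor and is injectable (an assumption of this
// example) so the logic can be exercised outside a browser.
function probeImage(target, { timeoutMs = 10000, createImage = () => new Image() } = {}) {
  return new Promise((resolve) => {
    let timer = null;
    let settled = false;
    const finish = (outcome) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve({ ca: target.ca, imageUrl: target.imageUrl, outcome });
    };
    // A plain http:// image never exercises certificate validation.
    if (!/^https:\/\//i.test(target.imageUrl)) return finish("skipped-not-https");
    const img = createImage();
    img.onload = () => finish("loaded");
    // onerror gives script no reason: an untrusted chain, a 404 and a DNS
    // failure are indistinguishable here, so "failed" needs manual follow-up.
    img.onerror = () => finish("failed");
    timer = setTimeout(() => finish("timeout"), timeoutMs);
    // Cache-buster so a previously cached image cannot mask a failure.
    const sep = target.imageUrl.includes("?") ? "&" : "?";
    img.src = `${target.imageUrl}${sep}probe=${Date.now()}`;
  });
}

// Probe every target and tag the results with the client under test.
async function runProbes(targets, options) {
  const userAgent = typeof navigator !== "undefined" ? navigator.userAgent : "unknown";
  const results = await Promise.all(targets.map((t) => probeImage(t, options)));
  return { userAgent, results };
}

// Count outcomes so runs from different devices can be compared.
function summarize(results) {
  const counts = {};
  for (const r of results) counts[r.outcome] = (counts[r.outcome] || 0) + 1;
  return counts;
}

// In a browser, run against the list and show the table.
if (typeof Image !== "undefined") runProbes(TARGETS).then(({ results }) => console.table(results));
```

A "failed" row only says the image did not render on that device; confirming that the certificate chain was the cause means opening the URL directly on the same device and reading the browser's own certificate error.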

In all tests, I was able to run a series of trials and errors from quite a few different devices and browser combinations. As I mentioned, the point of these tests was to prove that the CA company I interned for would indeed score higher than the rest of the competition. And it did.