Using certificates for privacy and security

You can use certificates to protect your personally identifiable information on the Internet, and to protect your computer from unsafe software. A certificate is a statement verifying the identity of a person or the security of a Web site.

Internet Explorer uses two different types of certificates:

A “personal certificate” is a verification that you are who you say you are. This information is used when you send personal information over the Internet to a Web site that requires a certificate verifying your identity. You can control the use of your own identity by having a private key that only you know on your own computer. When used with e-mail programs, security certificates with private keys are also known as “digital IDs.”

A “Web site certificate” states that a specific Web site is secure and genuine. It ensures that no other Web site can assume the identity of the original secure site. When you are sending personal information over the Internet, it is a good idea to check the certificate of the Web site you are using to ensure that it will protect your personally identifiable information. When you are downloading software from a Web site, you can use certificates to verify that the software is coming from a known, reliable source.

How do security certificates work?

A security certificate, whether it is a personal certificate or a Web site certificate, associates an identity with a “public key.” Only the owner of the certificate knows the corresponding “private key.” The “private key” allows the owner to make a “digital signature” or decrypt information encrypted with the corresponding “public key.” When you send your certificate to other people, you are actually giving them your public key, so they can send you encrypted information that only you can decrypt and read with your private key.

The digital signature component of a security certificate is your electronic identity card. The digital signature tells the recipient that the information actually came from you and has not been forged or tampered with.

Before you can start sending encrypted or digitally signed information, you must obtain a certificate and set up Internet Explorer to use it. When you visit a secure Web site (one whose address starts with “https”), the site automatically sends you its certificate.

Where do you get your own security certificates?

Security certificates are issued by independent certification authorities. There are different classes of security certificates, each one providing a different level of credibility. You can obtain your personal security certificate from certification authorities.

Internet Connection Firewall overview

A firewall is a protective boundary that restricts information that comes to your computer from a network or the Internet. Internet Connection Firewall (ICF) in Windows XP limits the unsolicited information that can reach your computer and makes it more difficult for attackers to find your computer. On computers running Windows XP, all Internet and network connections (including VPN connections to your workplace) have ICF turned on. It is recommended that you leave ICF turned on.

How Internet Connection Firewall (ICF) works
ICF monitors network traffic and inspects the source and destination address of each message that it handles, blocking unsolicited inbound traffic from any network the computer is connected to. ICF keeps a record of all communications that have originated from the ICF computer. For example, when you type a Web site address into the address bar, ICF makes an entry in the record. When the Web page is returned, its address is checked against the record and then allowed through. If someone tries to access your computer, without a prior request from you, the network traffic is blocked.

Internet Connection Firewall blocks potentially harmful inbound communications, but you can make exceptions (such as allowing a Web server to accept inbound network traffic) on the Permissions tab in the Internet Connection Firewall control panel.

Although Internet Connection Firewall is turned on for all of your network and Internet connections, you can turn it off for individual network connections on your computer. You can make these changes on the Network Connections tab in the Internet Connection Firewall control panel. However, by leaving ICF turned on, the security of your computer or network is stronger.

ICF does its job without notifying you each time it blocks a connection, but it can also create a record, called a security log, that records the connections. The ICF security log is turned off by default, so you have to turn it on in order to create the report. For more information, see Internet Connection Firewall security log file overview.

Internet Connection Firewall Options

Internet Connection Firewall Total Lockout
Internet Connection Firewall can also block all inbound connections using Total Lockout. For example, if you connect to the Internet using a public wired or wireless network at an airport or hotel, you can block all inbound connections, preventing others from accessing your computer. When Total Lockout is on, the following services are blocked:

  • File and printer sharing
  • Discovery of network devices
  • Preconfigured ports on the Permissions tab in the Internet Connection Firewall control panel
  • Ports that you have added and that are manually opened. For more information, see Enable and disable ports

When Total Lockout is turned on, you can still send and receive e-mail, use an instant messaging program, or participate in a video conference. Inbound connections are only allowed if you send information or a message from your computer first.

Total Lockout should only be used when you need maximum protection for your computer, such as when you’re connected to a public wired or wireless network. Total Lockout should not be on all the time.

File and printer sharing and discovery of network devices

To allow file and printer sharing on your home or small office network, run the Network Setup Wizard and choose the option for file and printer sharing. Internet Connection Firewall is set up to block your computer from discovering network devices on your home or small office network. You can allow your computer to discover network devices by making changes on the Permissions tab in the Internet Connection Firewall control panel.

ICF and notification messages
Because ICF inspects all incoming communications, some programs, especially e-mail programs, might behave differently when ICF is turned on.

Outlook Express, for example, automatically checks for new e-mail when its timer tells it to do so. When new e-mail is present, Outlook Express prompts the user with a new e-mail notification. ICF will not affect the behavior of this program, because the request for new e-mail notification originates from inside the firewall. The firewall makes an entry in a table noting the outbound communication. When the new e-mail response is acknowledged by the mail server, the firewall finds an associated entry in the table and allows the communication to pass. The user then receives notification that a new e-mail has arrived.

Office 2000 Outlook, Office XP Outlook, and Office 2003 Outlook are connected to a Microsoft Exchange server that uses a remote procedure call (RPC) to send new e-mail notifications to clients. Office Outlook does not automatically check for new e-mail when it is connected to an Exchange server. Instead, the Exchange server notifies Office Outlook when new e-mail arrives. Because the RPC notification is initiated by the Exchange server, which is outside the firewall, and not by Office Outlook, which is inside the firewall, ICF cannot find a corresponding entry in the table, and the RPC messages are not allowed to cross from the Internet into the home network. The RPC notification message is dropped. Users can send and receive e-mail, but need to manually check for new e-mail.
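
The table lookup described in this section and under "How Internet Connection Firewall (ICF) works", together with the port exceptions and Total Lockout, can be modelled as follows. This is an added example, not Microsoft's code or ICF's actual implementation; the class, its methods, the addresses and the port numbers are all constructed for illustration.

```python
# Added illustration: a simplified model of the stateful filtering described
# above. Not ICF's code; all names and addresses here are constructed.
from dataclasses import dataclass, field

@dataclass
class StatefulFirewall:
    open_ports: set = field(default_factory=set)  # exceptions, as (proto, port)
    total_lockout: bool = False
    logging: bool = False                         # security log is off by default
    table: set = field(default_factory=set)       # record of outbound flows
    log: list = field(default_factory=list)

    def outbound(self, proto, local_port, remote_ip, remote_port):
        """Traffic originating here is allowed and recorded in the table."""
        self.table.add((proto, local_port, remote_ip, remote_port))

    def inbound(self, proto, remote_ip, remote_port, local_port):
        """Return ALLOW or DROP for a packet arriving from the network."""
        if (proto, local_port, remote_ip, remote_port) in self.table:
            verdict = "ALLOW"   # reply to a request this computer made
        elif (proto, local_port) in self.open_ports and not self.total_lockout:
            verdict = "ALLOW"   # unsolicited, but the user opened this port
        else:
            verdict = "DROP"    # unsolicited and no exception applies
        if self.logging:
            self.log.append((verdict, proto, remote_ip, remote_port, local_port))
        return verdict

def demo():
    fw = StatefulFirewall(open_ports={("tcp", 80)}, logging=True)
    results = {}
    # Polling mail client: the client asks first, so the reply matches the table.
    fw.outbound("tcp", 1025, "203.0.113.10", 110)
    results["poll_reply"] = fw.inbound("tcp", "203.0.113.10", 110, 1025)
    # Server-initiated notification: nothing in the table, so it is dropped.
    results["server_push"] = fw.inbound("udp", "203.0.113.20", 1500, 1030)
    # Exception for a local Web server, then the same packet under Total Lockout.
    results["web_exception"] = fw.inbound("tcp", "198.51.100.7", 40000, 80)
    fw.total_lockout = True
    results["web_lockout"] = fw.inbound("tcp", "198.51.100.7", 40000, 80)
    results["reply_lockout"] = fw.inbound("tcp", "203.0.113.10", 110, 1025)
    results["dropped"] = [e for e in fw.log if e[0] == "DROP"]
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two dropped entries in the log are the server-initiated notification and the Web server request made after Total Lockout was turned on; the reply to the earlier mail poll still passes under Total Lockout because its entry is in the table.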

Advanced ICF Settings
ICF security logging creates a security log (or record) of firewall activity. If turned on, ICF keeps a log of those connections that go through the firewall and those that are rejected. For example, normally the firewall doesn’t allow incoming echo requests from the Internet. If the Internet Control Message Protocol (ICMP) option “Allow incoming echo request” is not turned on, then the inbound request fails, and a log entry that notes the failed inbound attempt is created.

ICF security logging is turned off by default. You must turn on security logging to have a log entry created. To turn on security logging, see Enable Security Logging Options. For more information about ICF security logging, see Internet Connection Firewall security log file overview.

With ICMP, you can modify the behavior of the firewall by enabling various options, such as Allow incoming echo request, Allow incoming timestamp request, Allow incoming router request and Allow redirect. Brief descriptions of these options are provided on the Advanced tab in the Internet Connection Firewall control panel. For information about ICMP, see Internet Control Message Protocol (ICMP). To adjust ICMP settings, see Enable Internet Control Message Protocols.