- What are certificates?
- What is a certificate authority?
- I thought you were against authority?
- Your certificate is not recognized - what should I do?
- What are the fingerprints of riseup.net's certificates?
- When should I verify these fingerprints?
- How do I verify these fingerprints?
- I want to learn more
What are certificates?
On the internet, a public key certificate is needed in order to verify the identity of people or computers. These certificates are also called SSL certificates or identity certificates. We will just call them "certificates."
In particular, certificates are needed to establish secure connections. Without certificates, you would be able to ensure that no one else was listening, but you might be talking to the wrong computer altogether! All riseup.net servers and all riseup.net services allow or require secure connections. It can sometimes be tricky to coax a particular program to play nice and recognize the riseup.net certificates. This page will help you through the process.
If you don't follow these steps, your computer will likely complain or fail every time you attempt to create a secure connection with riseup.net.
What is a certificate authority?
Certificates are the digital equivalent of a government-issued identification card. Certificates, however, are issued by private corporations called certificate authorities (CA).
I thought you were against authority?
We are, but the internet is designed to require certificate authorities and there is not much we can do about it. There are other models for encrypted communication, such as the decentralized notion of a "web of trust" found in PGP. Unfortunately, no one has written any web browsers or mail clients to use PGP for establishing secure connections, so we are forced to rely on certificate authorities. Some day, we hope to collaborate with other tech collectives to create a certificate (anti) authority.
Your certificate is not recognized - what should I do?
We recently installed new certificates that should solve this issue (from Certificate Authority: ipsCA).
What are the fingerprints of riseup.net's certificates?
Some programs cannot use certificate authorities to confirm the validity of a certificate. In that case, you may need to manually confirm the fingerprint of the riseup.net certificate. Here are some fingerprints for various certificates:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
* SHA1 Fingerprint=4B:C4:AD:2A:4B:03:60:7A:D0:CB:55:E7:3E:94:2C:4F:EF:81:BE:3F
* MD5 Fingerprint=46:2A:48:43:DF:18:39:32:7F:B9:AC:DA:5D:2B:BF:BA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFINZ+KxOALs3NV+v8RAoI1AJwMJvQ464wiDmZ7Lxbo6WUz2YVpOwCgrRND
5rtP5J7vYUToIpVMK4u9Mrc=
=A2F3
-----END PGP SIGNATURE-----
When should I verify these fingerprints?
You should verify these fingerprints whenever they change, or when you are using a computer that you do not control (such as at an internet cafe or a library). Verify them if you are suspicious. Be suspicious, learn how to verify them, and do it often.
How do I verify these fingerprints?
To verify these fingerprints, look at what your browser reports as the fingerprints of the certificate it received and compare them to what is listed above. If they are different, there is a problem.
In most browsers, you can view the fingerprints of the certificate you were given by clicking on the lock icon, which is located either in the URL location bar or in the bottom corner of your browser. This should bring up details about the certificate being used, including the fingerprint. Some browsers show only the MD5 fingerprint or only the SHA1 fingerprint; some show both. Usually one is good enough to verify the certificate.
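The comparison described above can also be scripted. The following Python is an added example, not riseup.net's own code: it parses fingerprint lines in the format of the signed list above, hashes a certificate's DER bytes, and compares the two. `SAMPLE_DER` and `SAMPLE_LIST` are constructed stand-ins, and all function names are this example's own.

```python
import hashlib
import hmac
import re
import ssl

# Line format of the signed fingerprint list on this page.
LINE_RE = re.compile(r"(SHA1|MD5) Fingerprint=([0-9A-Fa-f:]+)")
DIGEST_LEN = {"SHA1": 20, "MD5": 16}

# Constructed sample: b"abc" stands in for a certificate's DER bytes.
SAMPLE_DER = b"abc"
SAMPLE_LIST = """\
* SHA1 Fingerprint=A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D
* MD5 Fingerprint=90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72
"""


def parse_published(text):
    """Return {algorithm: digest bytes} for each fingerprint line in text."""
    found = {}
    for algo, hexpart in LINE_RE.findall(text):
        digest = bytes.fromhex(hexpart.replace(":", ""))
        if len(digest) != DIGEST_LEN[algo]:
            raise ValueError(f"{algo} fingerprint has wrong length")
        found[algo] = digest
    return found


def fingerprint(der, algo):
    """A fingerprint is the hash of the certificate's DER encoding."""
    return hashlib.new(algo.lower(), der).digest()


def check(der, published_text):
    """Return {algorithm: matched?}; an empty dict means nothing was parsed
    and must be treated as a failure, not a pass."""
    return {algo: hmac.compare_digest(fingerprint(der, algo), want)
            for algo, want in parse_published(published_text).items()}


def fetch_der(host, port=443):
    """Fetch the certificate a server presents, skipping CA validation."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def pretty(digest):
    """Format digest bytes as colon-separated uppercase hex."""
    return ":".join(f"{b:02X}" for b in digest)
```

To check a live server, pass the result of `fetch_der("riseup.net")` and the text of the signed list to `check`. Verify the PGP signature on the list first, since the comparison is only as trustworthy as the list it uses.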
I want to learn more
Great, this is an important topic and we encourage you to read this piece which clearly articulates in a non-technical way the problems involved in certificate authorities as well as outlining some interesting suggestions for ways that the existing architecture and protocols can be tweaked just a little bit to change the situation for the better.