
    1. What are certificates?
    2. What is a certificate authority?
    3. I thought you were against authority?
    4. What are the fingerprints of riseup.net's certificates?
      1. When should I verify these fingerprints?
      2. How do I verify these fingerprints?
    5. How can I verify the root certificate?
    6. I want to learn more!

    What are certificates?

    On the internet, a public key certificate is needed in order to verify the identity of people or computers. These certificates are also called SSL certificates or identity certificates. We will just call them "certificates."

    In particular, certificates are needed to establish secure connections. Without certificates, you would be able to ensure that no one else was listening, but you might be talking to the wrong computer altogether! All riseup.net servers and all riseup.net services allow or require secure connections. It can sometimes be tricky to coax a particular program to play nice and recognize the riseup.net certificates. This page will help you through the process.

    If you don't follow these steps, your computer will likely complain or fail every time you attempt to create a secure connection with riseup.net.

    What is a certificate authority?

    Certificates are the digital equivalent of a government issued identification card. Certificates, however, are issued by private corporations called certificate authorities (CA).

    I thought you were against authority?

    We are, but the internet is designed to require certificate authorities and there is not much we can do about it. There are other models for encrypted communication, such as the decentralized notion of a "web of trust" found in PGP. Unfortunately, no one has written any web browsers or mail clients to use PGP for establishing secure connections, so we are forced to rely on certificate authorities. Some day, we hope to collaborate with other tech collectives to create a certificate (anti) authority.

    What are the fingerprints of riseup.net's certificates?

    Some programs cannot use certificate authorities to confirm the validity of a certificate. In that case, you may need to manually confirm the fingerprint of the riseup.net certificate. Here are some fingerprints for various certificates:


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    * SHA-1 fingerprint: 2d6c50f4716dfcdf0408381545d99999ed609fe9
    * MD5 fingerprint: e16343da404d46022ce471e5a8b48eaa

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)

    iQIVAwUBShWDDjBD4rcTmnaOAQoe2RAAlez//YEzMhcwZBuiQsRKdAAwpgjYhy5s
    MtR2pOAylLebdfdgaBRPm2ehpiPP4D1JHZGOtRuKDzw13c/UFdJskJOIDZ9tKrb3
    dlSFtpyQpC0Nm87B8qHZK5MB77p4VHOB8JPH9IZgjZI3Iav4nlSGjrU0dShY3Sfw
    SeCavfVeVKb9fzq69ZnYS/ofgSB9B+YXkGdn+aytF9UOmMgNWxQ+1yJwEytQoQOz
    NDD/3k4kjhh51obl1o+b9RUKrwPrNIR06fQBJh56vWjTbldJditd48909qY+KXvv
    isOMRjadK/+UZou27+tUTnESIu21YFJ1SvF2+hyNr399zdHYjyp+B9j49M4vsRam
    erbuIIZFIb3V+WnjPvAPR0T91vmsk4ihoFZB3EPPnALtY4CvN/KjNndlb3gsUd60
    IEfNj23imtVgcF7GpHiepli4Lrs+v4yzeUzJkQRLNYIYkcIRfCRNBzCLDFZYI4Eg
    qz0wv/hXXY32JME2u15Yrfw2necolNRf7FazoiTFubLxz7Uo0xWa0bcplvO2AlaF
    dSZIXsyb5sTWYJvnEjp7cM4YH3C4j+ZK+vgJ6t0UYcqNn/wBQzghZlfFd8xi44r1
    XTpFXz/tvHUVuThWFtjJbF5qSTnabflk9qv/4nYjczE5KUEj4jitCGEAlNpRRgqA
    O8IEVLDCzVs=
    =zxT8
    -----END PGP SIGNATURE-----

    When should I verify these fingerprints?

    You should verify these fingerprints whenever they change, or whenever you are using a computer that you do not control (such as one at an internet cafe or a library). Verify them if you are suspicious; better still, be suspicious by default, learn how to verify them, and do it often.

    How do I verify these fingerprints?

    To verify these fingerprints, you need to look at what your browser believes the fingerprints are for the certificates and compare them to what is listed above. If they are different, there is a problem.

    In most browsers, you look at the fingerprints of the certificate you were given by clicking on the lock icon, which is located either in the URL location bar or in the bottom corner of your browser. This brings up details about the certificate being used, including its fingerprint. Some browsers show only the MD5 fingerprint or only the SHA-1 fingerprint; some show both. Usually one matching fingerprint is enough to confirm that you were given the right certificate.
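    As an added example (not part of the original page), here is the same fingerprint comparison done programmatically in Python: it normalizes a fingerprint the way a browser displays it, hashes the DER-encoded certificate, and compares the result against the fingerprints published above in constant time. The function names, the fetch_der helper and the SAMPLE_DER bytes are assumptions made for this example; SAMPLE_DER is a constructed placeholder rather than a real certificate, so the checks against it are expected to fail.

```python
import hashlib
import hmac
import ssl

# Fingerprints published on this page for the riseup.net certificate.
PUBLISHED = {
    "sha1": "2d6c50f4716dfcdf0408381545d99999ed609fe9",
    "md5": "e16343da404d46022ce471e5a8b48eaa",
}

def normalize_fingerprint(text: str) -> str:
    """Reduce a fingerprint as a browser shows it ("2D:6C:50:F4 ...") to
    lowercase hex without separators, so only the digest itself is compared."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")

def fingerprint(der: bytes, algo: str) -> str:
    """Hex digest of the DER-encoded certificate: this is what a browser's
    certificate viewer calls the certificate's fingerprint."""
    return hashlib.new(algo, der).hexdigest()

def fingerprint_matches(der: bytes, expected: str, algo: str) -> bool:
    """Constant-time comparison; a mismatch means the certificate you were
    given is not the one whose fingerprint was published."""
    want = normalize_fingerprint(expected)
    if len(want) != hashlib.new(algo).digest_size * 2:
        return False  # wrong length, so not a fingerprint of this algorithm
    return hmac.compare_digest(fingerprint(der, algo), want)

def check_against_published(der: bytes, published=PUBLISHED) -> dict:
    """Check every published fingerprint. One match is usually enough, but
    reporting each makes a partial mismatch visible."""
    return {algo: fingerprint_matches(der, fp, algo) for algo, fp in published.items()}

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the certificate the server presents right now (needs network).
    ssl.get_server_certificate does not validate the chain; that is fine here
    because the fingerprint comparison replaces the CA check."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

# Constructed stand-in for DER certificate bytes so the checks run offline;
# it is not a real certificate, so it will not match the published values.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"

if __name__ == "__main__":
    # For a live check: check_against_published(fetch_der("riseup.net"))
    print(check_against_published(SAMPLE_DER))
```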

    You should also verify the cryptographic signature that we've wrapped around the fingerprints. It was made with OpenPGP, so if you have OpenPGP software installed you can fetch Riseup's key and check the signature, which should verify as good. On Linux you can do the following (if you know how to do this on other operating systems, please let us know so we can add that information!):

    $ gpg --keyserver pool.sks-keyservers.net --recv-key 139A768E
    $ gpg --verify
    (paste the signed message shown above, from the -----BEGIN PGP SIGNED MESSAGE----- line
    through the -----END PGP SIGNATURE----- line, then press Ctrl-D)
    gpg: Signature made Thu 21 May 2009 12:36:30 PM EDT using RSA key ID 139A768E
    gpg: Good signature from "Riseup Networks <collective@riseup.net>"

    How can I verify the root certificate?

    You probably don't need to do this if you are checking your mail via an email client (like Thunderbird) or webmail. But if you are downloading or sending mail remotely, you may need to know the correct root certificate with which to verify the certificate that signed Riseup's certificates. The correct root certificate is UTN_USERFirst_Hardware_Root_CA.pem; on a Debian system it is located in /usr/share/ca-certificates/mozilla (assuming you have the ca-certificates package installed).

    I want to learn more!

    Great, this is an important topic and we encourage you to read this piece which clearly articulates in a non-technical way the problems involved in certificate authorities as well as outlining some interesting suggestions for ways that the existing architecture and protocols can be tweaked just a little bit to change the situation for the better.
