There are many cases in which the websites and online services we use every day abuse users’ trust to keep their data and make fraudulent use of it. It is common to see apps request mobile phone permissions that are absolutely unnecessary, and now a Twitter user has called out another very dangerous practice: granting access to your electronic certificate and its private key.
There are practices we should never allow on a website, because they endanger our data and our privacy and pose a real risk that can cause us many problems. Allowing a website or service to keep your FNMT digital certificate and its private key is similar to handing our DNI to a stranger without knowing what they are going to do with it.
But let’s take this step by step. What is the digital certificate and what is it for? It is an online authentication method that lets us carry out all kinds of procedures over the Internet, from paying fines to filing the Income Tax Return, without having to do them in person. It confirms to the corresponding website that it is really us and that no one is impersonating us or stealing our identity. This electronic certificate has a key that helps improve its security and, logically, it is not advisable to let anyone access it.
Access to the electronic certificate
As reported by the Twitter user @tisasia, the Colibid website (dedicated to getting users the best mortgage or advising on it) states the following in its conditions: “The incorporation of the User’s digital certificate on the Colibid Platform may be carried out in two different ways: Manually. Colibid will proceed to store the electronic certificate (as well as its private key) of the Users and its subsequent export as a .pk12 file.”
Granting these permissions would mean leaving our identity in the hands of this service so that it can do all kinds of things without our authorization. As another user on the same social network states, “They are asking to keep your private key (…) It’s like leaving your ID to someone so they can do their nonsense.”
💻Informatics Coslada🕹️
@informaticacosl
BE CAREFUL with what this application asks for. EYE. Always read the conditions very carefully. They are asking to keep your private key, which creates a significant gap. It’s like leaving your ID to someone so they can do their nonsense. NEVER pass your certificate to anyone https://t.co/SwCwM3I6Py
November 3, 2023 • 16:40
The website, in its conditions, explains: “Both the certificate and the User’s private key will be stored on the Colibid server…”
But the problem is not how or where it is stored, but the permission you are granting them to store it and use it. You should never give anyone your certificate, as doing so puts you and your data at risk.
These conditions not only highlight how services abuse access to our information and make use of it, but also show something even more dangerous: we tend to accept and access all kinds of pages and services without reading the conditions, so many users will allow this without knowing they are allowing it. We must always read the fine print to avoid major problems, and we must never accept anything that requires or demands access of this kind.
How to protect ourselves
Whenever we use any website or platform, we must make sure we read all the conditions and the fine print. In this case the platform states that it will keep your private key, and you should never allow this or accept the conditions without first reading what they say. Not only should you avoid accessing any website with your certificate, but you should also avoid filling out private data fields such as ID, telephone number, postal address… Never give this information to pages or services without first reading all their conditions and legal information.
We tend to accept everything we come across without reading it: the conditions of a social network, a purchase on any website, an app to retouch photos… We believe we are not taking any risk, but we are not always sure of what we are accepting, and this can lead to a much more serious problem than advertising on our smartphone or spam in our email, as we have already mentioned.