White paper. How to choose a Certificate Authority for safer web security




Executive summary

Trust is the cornerstone of the web. Without it, no website or online service can succeed in the competitive online marketplace. Systems are in place that help domain owners demonstrate to their users that they are trustworthy, and that their website or service does what it should. However, these systems have come under increasing attack. 2011 has seen a spate of breaches that have targeted the systems of Certificate Authorities (CAs), the companies that prove websites and services are secure and safe to use. Some of these attacks have undermined the trusting relationship between users and even well-known online brands.

The changing security landscape has demonstrated that not all CAs are created equal, and choosing the right CA is critical to running and maintaining a safe and trusted online business. This white paper looks at the role of CAs in web security, including what measures a CA can take to promote trust in its certificates and the criteria to consider when choosing the best CA for the job.

The role of certificate authorities

Why do sites need to be trusted?

As use of the internet has become increasingly commonplace and crucial to a wide range of applications, criminals have found themselves with an ever-growing group of people they can target. Criminals are exploiting internet users in many ways, including:

- Using social engineering, bogus links and other means to direct people to sites that resemble those they frequently use.
- Fooling people into consciously or unconsciously giving up confidential details that can then be used for fraudulent purposes.
- Putting malware onto a user's computer that quietly turns the machine into a tool for further crime.
- Spoofing a domain, which may allow a criminal to impersonate someone sending email from that domain or to spy on their conversations. This is not just a consumer problem: businesses' internal email systems can be compromised in this way too, opening them up to industrial espionage.

Apart from hurting users, this activity is detrimental to the brand of the real site being spoofed. Trust is harmed when the user no longer feels safe.

How do people using the internet know when to trust a site?

Fortunately, people are becoming increasingly savvy about the need to trust the sites they are visiting. They may not know the explicit details of the threats they face when dealing with malicious or compromised websites, but they are aware that there are ways to establish trustworthiness, including:

- Padlock icon: The most common sign that a site is more trustworthy than others coincides with the use of https rather than http as the prefix to the page's web address.
- Green address bar: More recently, users will have become aware that the highlighting of part of the address bar denotes even greater security.

Behind the scenes, the https is an indicator that the page is being viewed using a secure connection to the site owner's servers. HTTP Secure (HTTPS) combines the standard HTTP protocol with the Secure Sockets Layer (SSL) protocol, and its use shows that the site's servers have been authenticated using an SSL certificate. The colouring of the first piece of the address bar shows that the site's owner has gone a step further and offered themselves up for extensive vetting and authentication procedures, to prove the site is what it says it is. By doing so, they will have gained an Extended Validation (EV) SSL certificate that the browser can recognise, leading to the special colouring and the display of more information than usual about the site's operators.

[Figure caption: The green address bar shows the name of the business verified to use this website address and means that this web page is secure.]

What is a CA and how do certificates work?

The Certificate Authority (CA) is the organisation that issues SSL and EV SSL certificates. The user can always tell which CA issued a certificate by clicking on the padlock next to the site's URL.

SSL certificates are based on private and public keys that are used to establish a secure connection between the user's computer and the site's servers. They effectively prove that the signed public key associated with a site really does belong to the site's owner. The CA signs the public key using its own private key, making the reliability of the CA (as a protector of that private key) essential to the reliability of the public keys it validates.

When someone visits a site with an SSL certificate, the user's browser and the site's server need to shake hands to kick off the session. The browser begins by requesting a certificate. Once it receives and verifies this, it generates a piece of code called a master key, and encrypts it using the public key associated with the certificate. It then sends the encrypted master key back to the site's server. As that server has the private key underlying the public key, it can decrypt the master key, which it then uses to authenticate a message that it sends back to the client. The handshake is now complete, and the two parties begin a trusted session.

There are different types of SSL certificate that offer varying levels of security:

- Entry-level Domain Validated SSL certificates. The CA sends an email to an address associated with the administrator of the site. The administrator uses a link or authentication token in the email to validate their domain, and the SSL certificate is issued. However, this leaves little guarantee that the applicant is a valid business entity.
- Fully-authenticated SSL certificates. The next step up in validating the business entity; these will only be issued once the CA has verified the business's validity and ownership, and that the applicant is authorised to request the certificate.
- Extended Validation (EV) certificates. This is the most visibly trustworthy form of SSL certificate. It tells the user not only that the certificate was issued after heavy vetting, but also that the CA issuing the certificate has itself been independently audited.

Extended Validation was introduced for a reason: in the real world, not all SSL certificates are equally trustworthy. There are no minimum standards for SSL certificates and there are many smaller CAs or registration authorities that resell root certificates from the larger CAs at relatively cheap prices. It is with some of these intermediaries that problems have begun to arise.
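The two mechanisms the section describes, the CA signing a site's public key with its own private key and the browser then encrypting a master key to that public key, are modelled below. This is an added example, not code from the white paper or from Symantec/VeriSign: it uses textbook RSA on fixed Mersenne primes so that it runs with only the Python standard library, and the CA name, hostname and trust store are constructed. It also shows the two failure cases the paper relies on: a CA that has been removed from the browser's trust store, and a certificate whose public key was altered after signing.

```python
"""Toy model of the CA role and the SSL handshake described in the text.
Pure standard library; textbook RSA on fixed small Mersenne primes.
Constructed for illustration only: no padding, tiny keys, not secure."""
import hashlib
import hmac
import secrets

# Constructed key material: Mersenne primes stand in for random large primes.
CA_PRIMES = (2**127 - 1, 2**107 - 1)
SITE_PRIMES = (2**89 - 1, 2**61 - 1)  # n ~ 2^150, large enough for a 128-bit master key


def rsa_keypair(p, q, e=65537):
    """Return ((n, e), (n, d)) for the given primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def digest_int(data: bytes, n: int) -> int:
    """SHA-256 of data, reduced into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def rsa_sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(digest_int(data, n), d, n)


def rsa_verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


def to_be_signed(subject: str, pub, issuer: str) -> bytes:
    """Canonical bytes the CA signs: subject, its public key and the issuer name."""
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()


def issue_certificate(ca_name: str, ca_priv, subject: str, site_pub) -> dict:
    """The CA signs the site's public key with the CA's own private key."""
    sig = rsa_sign(ca_priv, to_be_signed(subject, site_pub, ca_name))
    return {"subject": subject, "public_key": site_pub, "issuer": ca_name, "signature": sig}


def verify_certificate(cert: dict, trusted_roots: dict, hostname: str) -> bool:
    """Browser side: issuer must be in the trust store and the signature must check out."""
    ca_pub = trusted_roots.get(cert["issuer"])
    if ca_pub is None or cert["subject"] != hostname:
        return False
    tbs = to_be_signed(cert["subject"], cert["public_key"], cert["issuer"])
    return rsa_verify(ca_pub, tbs, cert["signature"])


def handshake(cert: dict, trusted_roots: dict, hostname: str, site_priv) -> bool:
    """The exchange from the text: verify the certificate, encrypt a master key to the
    site's public key, let the server decrypt it and authenticate a message with it."""
    if not verify_certificate(cert, trusted_roots, hostname):
        return False
    master = secrets.randbits(128)            # client's master key
    n, e = cert["public_key"]
    encrypted_master = pow(master, e, n)      # what travels to the server
    # Server: only the holder of the private key can recover the master key.
    server_master = pow(encrypted_master, site_priv[1], site_priv[0])
    server_tag = hmac.new(server_master.to_bytes(16, "big"), b"server finished",
                          hashlib.sha256).digest()
    # Client: recompute the tag with its own copy of the master key.
    client_tag = hmac.new(master.to_bytes(16, "big"), b"server finished",
                          hashlib.sha256).digest()
    return hmac.compare_digest(server_tag, client_tag)


def demo() -> dict:
    """Trusted CA, a CA dropped from the trust store, a tampered cert, a wrong hostname."""
    ca_pub, ca_priv = rsa_keypair(*CA_PRIMES)
    site_pub, site_priv = rsa_keypair(*SITE_PRIMES)
    roots = {"Example Root CA": ca_pub}  # constructed browser trust store
    cert = issue_certificate("Example Root CA", ca_priv, "shop.example", site_pub)
    # An attacker can swap the key in the certificate but cannot re-sign it as the CA.
    tampered = dict(cert, public_key=(site_pub[0], 3))
    return {
        "handshake_ok": handshake(cert, roots, "shop.example", site_priv),
        "after_distrust": handshake(cert, {}, "shop.example", site_priv),  # CA blacklisted
        "tampered": handshake(tampered, roots, "shop.example", site_priv),
        "wrong_host": handshake(cert, roots, "bank.example", site_priv),
    }


if __name__ == "__main__":
    print(demo())
```

The `after_distrust` case is the situation the paper describes for a breached issuer: nothing about the certificate itself has changed, but once browsers drop the CA's root from their trust store every certificate it issued stops working. Real SSL uses padded RSA or a Diffie-Hellman exchange and derives separate session keys from the master secret; the toy keeps only the roles.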

How CAs have come under attack

2011 has seen an alarming series of CA breaches. No one has been able to compromise the systems of the most robust CAs, suggesting that you often get what you pay for with CAs. In several cases, the security of intermediaries' infrastructure was not up to the task, leading to problems for their partners and, above all, for their customers.

A CA's top business priorities should be:

- The continual hardening of the infrastructure that protects the cryptographic keys
- Securing the authentication process that validates identity

As we have seen this year, bogus certificates and insufficient CA security have been to blame for exposing SSL-encrypted traffic. In such cases, even genuine certificates from that issuer must be treated with suspicion, and this can cause an entire CA to shut down.

There is no minimum standard within the current SSL certificate market. Although price certainly plays a significant role in the purchasing process, as the multiple CA breaches this year have reminded us, price should be but one of many factors in selecting a CA. When evaluating a CA, it's worth considering the vendor's history of trust and security. This year, several CAs had to suspend issuing certificates because their systems were actually breached, or they were unable to confirm or deny claims of a successful attack. Similarly, a CA's certificates could be blacklisted by browser providers if the company does not offer strong enough encryption in its products.

What measures can a CA take to promote trust in its certificates?

Without rigorous and diligent upkeep of the security infrastructure surrounding Certificate Authorities, CAs put their customers and the web consumer community at large at risk. As recent attacks have demonstrated, a CA must keep its cryptographic keys secure. Doing so is an increasingly difficult task, and the ability of a CA to maintain absolute security is the most critical factor when choosing where to source your SSL certificates. Customers should only use a CA that has a strong track record of trustworthiness and employs measures including:

- Facilities that have been designed to withstand attacks
- Hardware monitoring and strong network security
- Biometrics-based security for the facilities, along with dual-access control for key systems
- Hardware-based systems for cryptographically signing certificates
- Ensuring dual control for the issuing of all certificates with the vendor's name on them
- Employing best practices for authenticating domain ownership
- Regular independent audits

What does the future hold?

Criminals and state-sponsored hackers have figured out what website owners also need to realise: not all CAs are equal. Some CAs are more vulnerable than others, and it is becoming increasingly worthwhile for hackers to exploit that vulnerability. As cloud applications start to take over from traditional desktop programs, the mass of data that needs to be kept secure keeps growing and including new types of critical information. Your customers' trust is paramount, but a bad choice of CA could see your business risk the exposure of not only your customers, but also your own internal data, from mail and documents to spreadsheets and unified communications.

Recent attacks have also revealed that hackers use a variety of means, big and small, to try to penetrate CAs' systems. CAs must keep evolving to ensure they are ahead of the game, for their own sake as well as that of their clients. The CA you choose has to have an infrastructure that is up to the task, along with the means to act both proactively and reactively to any threat. Their security has to be extensive and varied. They have to have their eye on every link in the chain. The stakes are too high to settle for less.

More information

Visit our website: www.verisign.co.uk
To speak with a product specialist, call 0800 032 2101 or +44 (0) 208 6000 740

About Symantec

Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organisations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.

Symantec World Headquarters
350 Brook Drive, GreenPark
Reading, Berkshire RG2 6UH, United Kingdom

Copyright 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo and VeriSign Authentication are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.