Frequently Asked Questions: Securing the Future of Trust on the Internet
CONTENTS
Q1: What is PKI and how does it relate to SSL certificates?
Q2: How do certificate authorities use PKI?
Q3: Why is PKI so important to the future of the Internet?
Q4: Why are some people questioning the future of the PKI ecosystem?
Q5: Are there viable alternatives to PKI?
Q6: What are the CA/Browser Forum Baseline Requirements?
Q7: What are the key elements of a robust PKI ecosystem?
Q8: What is an online revocation check and why is it important?
Q9: What is soft-fail behavior and why does it create problems for online revocation checking?
Q10: How can website operators help protect the PKI ecosystem?
Q11: How can I be sure that the websites I visit are safe and trustworthy?
Q1: What is PKI and how does it relate to SSL certificates?
PKI stands for public key infrastructure. At its core a PKI is a repository of signed records (certificates) that bind entities to their key pairs, but the term also covers the hardware, software, personnel and practices used to create and manage SSL certificates on the public Internet. TLS/SSL relies on PKI to authenticate the server to the client and, optionally, to authenticate the client to the server.

Q2: How do certificate authorities use PKI?
The type of PKI used for SSL/TLS requires a third party to issue the certificates that mediate authentication between entities that want to transact with each other. This third party verifies that the entity requesting a certificate is who or what it claims to be, then issues a certificate that binds the entity's name to its public key. Third parties that broker trust in this manner are called Certificate Authorities (CAs). Symantec, the #1 provider of SSL online, operates a certificate-based PKI (the Symantec Trust Network) to enable the worldwide deployment and use of SSL certificates by Symantec, its affiliates, their respective customers, subscribers, and relying parties. 1

Q3: Why is PKI so important to the future of the Internet?
PKI is the only technology that can meet the rapidly growing need for online security and trust, so that people can connect with confidence and safely share information online now and in the future. There are three key reasons why PKI provides the best platform for online security and trust:
Massive scalability. PKI has provided a stable platform for the growth of Web-scale e-commerce, and offers the economies of scale required to meet the rapidly growing demand for a secure online experience driven by mobile, cloud and social technologies.
Authentication. The PKI trust model gives a relying party a deterministic way to check a) that the server it reaches holds the private key matching the certificate it presents, b) that the certificate has not been altered since the CA signed it, and c) the identity that the CA verified and bound to that key.
Strong encryption. PKI lets the two parties authenticate the key exchange that encrypts the session, which is what ensures the confidentiality and integrity of private data transmitted over the public Internet.
PKI is the only single technology platform that delivers the economies of scale necessary for future growth, ensures trust between parties on first contact, and protects the confidentiality and integrity of data in transit on the public Internet.

Q4: Why are some people questioning the future of the PKI ecosystem?
The CA breaches in 2011 sparked a debate as to whether SSL certificate technology, and the entire CA industry that distributes it, is fundamentally broken. Fortunately, the answer is categorically and unequivocally no. SSL technology still provides excellent protection against evolving cyber security threats. With the right tools and processes, CAs should be fully capable of providing the greatest assurance possible that their certificates, and the websites that use them, are genuine and safe for online business.

1 Netcraft SSL Survey, 6/2012; includes subsidiaries, affiliates, and partners.
However, the events of 2011 are proof positive that best practices have not been implemented consistently, and that not all CAs provide the same level of assurance about security or trust. And yet under the current system, all CAs are trusted equally once they have been added to a browser's root list: a certificate from the weakest CA in that list is accepted for any site, exactly like one from the strongest. This fundamental problem of equal trust without equal assurance must be addressed in order to ensure the future of the PKI ecosystem.

Q5: Are there viable alternatives to PKI?
A number of emerging technologies, such as DNSSEC, Perspectives, and Sovereign Keys, have been proposed as possible solutions to the challenges currently facing PKI and SSL/TLS. While it is important to support and discuss these initiatives, they are all considered band-aids that solve point problems, not complete replacements for PKI. Furthermore, these proposals are largely untested and unproven, whereas PKI has more than a decade of operational experience and expertise behind it, something that cannot be developed overnight regardless of technical merits.

Q6: What are the CA/Browser Forum Baseline Requirements?
Symantec and other members of the CA/Browser Forum took the first step towards a more robust, sustainable PKI ecosystem in December 2011 with the release of the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, the first international baseline standard for the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates natively trusted in browser software. The standard, which takes effect on July 1, 2012, describes an integrated set of technologies, protocols, identity-proofing, lifecycle-management and auditing requirements that are necessary for the issuance and management of publicly-trusted certificates.

Q7: What are the key elements of a robust PKI ecosystem?
The importance of establishing common baseline requirements cannot be overstated.
However, these requirements do not address all of the issues relevant to the issuance and management of trusted certificates on the public Internet; they are intended as the starting point of an ongoing effort to improve security practices. Symantec strongly believes that a healthy, robust PKI ecosystem requires three key pillars as its foundation:
Strong, standardized certificate authority security policies and practices.
A robust, agile and highly available digital certificate infrastructure.
Stricter security standards for Web browser and Web server software.
Some of these objectives can be met simply by following existing standards, guidelines and policies. Others will require the disciplined implementation of stricter policies and stronger security specifications. All of them must be met in order to ensure the long-term health of the PKI ecosystem and to prevent further erosion of trust.
Q8: What is an online revocation check and why is it important?
In addition to protecting valid certificates, CAs have a duty to publish the up-to-date status of every certificate they have issued (whether it is still valid or has been revoked). Historically they did this by publishing a Certificate Revocation List (CRL) signed with the CA's private key, which browsers downloaded periodically to see whether any certificates had been revoked. Today OCSP (Online Certificate Status Protocol) is the protocol browsers most commonly use to obtain the revocation status of a single SSL certificate, and fast answers to OCSP queries are critical to the user experience. The CA/Browser Forum Baseline Requirements require every CA to operate and maintain its CRL and OCSP capability with resources sufficient to provide a response time of 10 seconds or less under normal operating conditions. 10 seconds is a very long time for a user to wait for a response. Symantec alone handles on average 4.5 billion OCSP lookups every day, with an average response time of less than half a second, and typically updates its OCSP and CRL systems within 5 minutes of a revocation.

Q9: What is soft-fail behavior and why does it create problems for online revocation checking?
Currently most Web browsers take a soft-fail approach to online revocation checks: they block access to a website only if the responder explicitly answers that the certificate is revoked. If no response is received (because the responder is down, slow, or unreachable), the browser lets the user continue with no warning. An attacker who is in a position to present a revoked certificate to a victim is usually also in a position to block the victim's revocation query, so soft-fail offers no protection in precisely the situation revocation is meant for. Symantec believes that Web browser developers can and should implement hard-fail behavior, so that users are stopped from (or at least warned before) proceeding to a website when a revocation check fails. This change need not impact the user experience if CAs live up to their responsibility to provide timely, reliable responses to online revocation checks.

Q10: How can website operators help protect the PKI ecosystem?
The first step is to implement Always On SSL, a fundamental, cost-effective security measure that provides end-to-end protection for website visitors. Always On SSL is not a product, a service, or a replacement for existing SSL certificates, but an approach to security that recognizes the need to protect the entirety of a user's session, not just the login screen. Always On SSL starts with the site-wide use of HTTPS, but it also means setting the Secure flag on all session cookies so that the browser never sends them over an unencrypted HTTP connection; a session cookie sent in the clear can be captured on the network and replayed to hijack the session, even when the login itself happened over HTTPS.

For additional security and trust, Extended Validation (EV) SSL certificates require a stricter identity-vetting process and trigger browsers to give users a very visible indicator that they are on a secured site by turning the address bar green. This is valuable protection against a range of online attacks. A Symantec-sponsored consumer survey of Internet shoppers in Europe, the US and Australia showed that the EV green bar increases the feeling of security for most (60 percent) shoppers. 2

2 Symantec Online Consumer Study (UK, France, Germany, Benelux, US and Australia), conducted in January 2011.
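As an added example (it is not part of the Symantec FAQ and not a Symantec tool), the following script audits captured HTTP responses for the two Always On SSL properties just described: a request over plain HTTP must be redirected to an https:// URL, and every Set-Cookie header must carry the Secure flag. In practice you would feed it the output of `curl -si http://host/` and `curl -si https://host/`; the responses embedded below are constructed for the demo and the host name www.example.test is made up.

```shell
#!/bin/sh
# Added example, not from the FAQ: check captured HTTP responses for the two
# Always On SSL properties: plain-HTTP requests are redirected to https://, and
# every cookie is set with the Secure flag. Requires only sh and awk.
set -eu

# Prints one line per finding and exits with the number of findings.
# $1 is the scheme of the request that produced the response (http|https);
# the captured response headers arrive on stdin.
audit_response() {
    awk -v scheme="$1" '
        { sub(/\r$/, "") }                         # tolerate CRLF line endings
        NR == 1 { status = $2 }                    # "HTTP/1.1 301 Moved Permanently"
        tolower($1) == "location:" { location = tolower($2) }
        tolower($1) == "set-cookie:" {
            name = $2; sub(/=.*/, "", name)        # cookie name before "="
            if (tolower($0) !~ /;[ \t]*secure[ \t]*(;|$)/) {
                print "cookie " name " is set without the Secure flag"; n++
            }
        }
        END {
            if (scheme == "http" && !(status ~ /^30[1278]$/ && substr(location, 1, 8) == "https://")) {
                print "http:// request was served instead of redirected to https://"; n++
            }
            exit n + 0
        }'
}

# Number of findings for one response, for scripting (0 means both checks pass).
count_findings() {
    n=0
    printf '%s\n' "$2" | audit_response "$1" >/dev/null || n=$?
    echo "$n"
}

# Constructed responses (demo data, not captured from any real site).
WEAK_HTTP='HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=9f2c1a; Path=/
Set-Cookie: prefs=dark; Path=/'
GOOD_HTTP='HTTP/1.1 301 Moved Permanently
Location: https://www.example.test/'
WEAK_HTTPS='HTTP/1.1 200 OK
Set-Cookie: session=9f2c1a; Path=/'
GOOD_HTTPS='HTTP/1.1 200 OK
Set-Cookie: session=9f2c1a; Path=/; Secure
Set-Cookie: prefs=dark; Path=/; Secure'

show() {   # $1 label, $2 request scheme, $3 captured response
    echo "== $1 (request over $2) =="
    printf '%s\n' "$3" | audit_response "$2" && echo clean || echo "findings: $?"
}
show WEAK_HTTP  http  "$WEAK_HTTP"
show GOOD_HTTP  http  "$GOOD_HTTP"
show WEAK_HTTPS https "$WEAK_HTTPS"
show GOOD_HTTPS https "$GOOD_HTTPS"
```

The http-scheme check accepts 301, 302, 307 or 308 only when the Location header points at an https:// URL; a 200 over plain HTTP is a finding even if the page is harmless, because it means the site is not HTTPS-only.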
SSL/TLS alone cannot protect against all Web-based attacks, but CAs such as Symantec offer daily malware and vulnerability scanning as part of their online trust services, helping customers minimize the risk of malware infection and remediate infections as quickly as possible.

Q11: How can I be sure that the websites I visit are safe and trustworthy?
It is important to know that SSL/TLS remains the most effective method of securing Web data in transit, and that PKI is the best platform for managing SSL certificates at Internet scale. It is equally critical to remain aware of who is behind the security of the website you are doing business with. Are they reputable? Do they have a proven track record for issuing certificates? Do they have a robust infrastructure in place to prevent the types of attacks seen in 2011? If the answer is no, it is probably not a safe website to use or visit.
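Q8 and Q9 above describe the two ways a CA publishes revocation status and what a client does when no answer arrives. The script below is an added example, not from the Symantec FAQ and not Symantec's infrastructure: it uses the openssl command-line tool to build a throwaway CA, issue and revoke one certificate, and then run both revocation checks against it: a CRL check, and a complete offline OCSP exchange (client request, responder answer signed by the CA, client verification). It ends with the soft-fail versus hard-fail decision for the case where the responder cannot be reached. It assumes openssl 1.1.1 or 3.x on the PATH; the CA name, host name and serial number are made up.

```shell
#!/bin/sh
# Added example, not Symantec code: a throwaway CA, one certificate, and the two
# revocation-check paths the FAQ describes (CRL and OCSP), all run offline.
# Assumes the openssl CLI (1.1.1 or 3.x). All names and the serial are made up.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 'openssl req' insists on a distinguished_name section even with -subj;
# 'openssl ca -gencrl' needs a database file and a default digest.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name   = req_dn
x509_extensions      = v3_ca
[ req_dn ]
commonName           = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database   = index.txt
default_md = sha256
EOF

# Root CA plus one end-entity certificate with serial 0x1001 (made up).
openssl ecparam -genkey -name prime256v1 -noout -out ca.key
openssl req -x509 -new -config ca.cnf -key ca.key -subj "/CN=Demo Root CA" -days 1 -out ca.crt
openssl ecparam -genkey -name prime256v1 -noout -out leaf.key
openssl req -new -config ca.cnf -key leaf.key -subj "/CN=www.example.test" -out leaf.csr
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -set_serial 0x1001 -days 1 \
    -out leaf.crt 2>/dev/null
SERIAL=$(openssl x509 -in leaf.crt -noout -serial | cut -d= -f2)   # "1001"

# The CA's database: one tab-separated line per certificate with status V (valid)
# or R (revoked), expiry, revocation time (YYMMDDHHMMSSZ, empty while valid),
# serial in upper-case hex, certificate file, and subject. Revoking = V -> R.
set_db_status() {
    rev=""
    if [ "$1" = R ]; then rev=$(date -u +%y%m%d%H%M%SZ); fi
    printf '%s\t491231235959Z\t%s\t%s\tunknown\t/CN=www.example.test\n' \
        "$1" "$rev" "$SERIAL" > index.txt
    echo 'unique_subject = yes' > index.txt.attr
}

# CRL path: the CA signs the list with its private key; the relying party
# verifies the chain and the CRL together. Prints good, revoked or error.
crl_status() {
    openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -crldays 1 \
        -out crl.pem 2>/dev/null
    out=$(openssl verify -CAfile ca.crt -crl_check -CRLfile crl.pem leaf.crt 2>&1 || true)
    case $out in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo good ;;
        *)                       echo error ;;
    esac
}

# OCSP path, fully offline: the client writes a request, the responder (the CA
# itself here) answers from its database, the client verifies the signed answer.
# $1 is the policy (hard|soft) applied when no usable response arrives; $2 is
# the response file, or "none" to simulate an unreachable responder.
ocsp_status() {
    openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -reqout req.der >/dev/null
    if [ "$2" != none ]; then
        openssl ocsp -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
            -ndays 1 -reqin req.der -respout "$2" >/dev/null
    fi
    out=$(openssl ocsp -issuer ca.crt -cert leaf.crt -no_nonce -CAfile ca.crt \
        -respin "$2" 2>&1 || true)
    case $out in
        *"Response verify OK"*"leaf.crt: good"*)    echo good ;;
        *"Response verify OK"*"leaf.crt: revoked"*) echo revoked ;;
        *) if [ "$1" = hard ]; then echo block; else echo allow-unchecked; fi ;;
    esac
}

set_db_status V
echo "valid certificate:   CRL=$(crl_status)  OCSP=$(ocsp_status hard resp.der)"
set_db_status R
echo "revoked certificate: CRL=$(crl_status)  OCSP=$(ocsp_status hard resp.der)"
echo "responder unreachable, hard-fail client: $(ocsp_status hard none)"
echo "responder unreachable, soft-fail client: $(ocsp_status soft none)"
```

The last two lines are the point of Q9: with the same revoked certificate and the same missing response, the hard-fail client refuses the connection while the soft-fail client proceeds as if the certificate were good. The client-side verification step (the final `openssl ocsp -respin`) also checks that the response was signed by the certificate's issuer, which is what stops an attacker from substituting a forged "good" answer.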
More Information
Visit our website: http://go.symantec.com/trustontheinternet
To speak with a Product Specialist in the U.S., call 1 (866) 893-6565 or 1 (650) 426-5112.
To speak with a Product Specialist outside the U.S., please visit our website for specific country offices and contact numbers.

About Symantec
Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.

Symantec World Headquarters
350 Ellis Street, Mountain View, CA 94043 USA
1 (800) 721 3934
www.symantec.com

Copyright 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, BindView, Enterprise Security Manager, Sygate, Veritas, Enterprise Vault, NetBackup and LiveState are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. UID:126/7/2012