How to Choose A Certificate Authority For Safer Web Security


WHITE PAPER

Contents

- How to Choose A Certificate Authority For Safer Web Security
- The Role of Certificate Authorities
- Why Do Sites Need to Be Trusted?
- How Do People Using the Internet Know When to Trust A Site?
- What Is A CA And What Are the Different Types of SSL Certificates?
- How CAs Have Come Under Attack
- What Measures Can a CA Take to Promote Trust In Its Certificates?
- GeoTrust's Commitment to Security
- The Gold Standard In Physical And Network Security
- White Hat Reality Check
- What Does the Future Hold?
- More Information

How to Choose A Certificate Authority For Safer Web Security

The Role of Certificate Authorities

Why Do Sites Need to Be Trusted?

As use of the Internet has become increasingly commonplace and crucial to a wide range of applications, criminals have found an ever-growing group of people they can target. Criminals are exploiting Internet users in many ways, including:

- using social engineering, bogus links, spam and phishing to direct people to fraudulent websites that resemble the sites they frequently use;
- setting up websites to be malicious destinations;
- hijacking user accounts and information by intercepting the data shared between people and websites through man-in-the-middle attacks, such as the well-known Firesheep plug-in;
- fooling people into consciously or unconsciously giving up confidential details that can then be used for fraudulent purposes;
- putting malware onto a user's computer that quietly turns the machine into a tool for further crime;
- spoofing a domain, which may allow a criminal to impersonate someone sending email from that domain or to spy on their conversations. This is not just a consumer problem: businesses' internal email systems can be compromised in this way too, opening them up to industrial espionage.

Apart from hurting users, this activity is detrimental to the brand of the real site being spoofed. Trust is harmed when the user no longer feels safe.

How Do People Using the Internet Know When to Trust A Site?

Fortunately, people are becoming increasingly savvy about the need to trust the sites they are visiting. They may not know the explicit details of the threats they face when dealing with malicious or compromised websites, but they are aware that there are ways to establish trustworthiness, including:

- Padlock icon: The most common sign that a site is more trustworthy than others is the use of https rather than http as the prefix to the page's web address, together with a padlock icon.
- Green address bar: More recently, users have become aware that the highlighting of part of the address bar denotes even greater security.

Behind the scenes, the https is an indicator that the page is being viewed using a secure connection to the site owner's servers. HTTP Secure (HTTPS) combines the standard HTTP protocol with the Secure Sockets Layer (SSL) protocol, and its use shows that the site's servers have been authenticated using an SSL certificate. HTTPS also shows that the data shared between people and the site will be encrypted during transit, to protect it from being seen or intercepted by eavesdroppers.

The coloring of the first piece of the address bar shows that the site's owner has gone a step further and offered themselves up for extensive organization vetting and authentication procedures, to prove that the organization behind the site is who they say they are. By doing so, they will have gained an Extended Validation (EV) SSL certificate that the browser can recognize, leading to the special green coloring and the display of more information than usual about the site's operator and the CA who authenticated the site. The green address bar shows the name of the business verified to use this website address and means that this web page is secure.

What Is A CA And What Are the Different Types of SSL Certificates?

The Certificate Authority (CA) is an organization that issues SSL and EV SSL certificates. You can tell which CA issued a certificate by clicking the padlock next to the site's URL; in the case of sites with Extended Validation SSL, the name of the CA may also be displayed in the address bar.

Different types of SSL certificates offer different levels of site authentication:

- Entry-level Domain Validated SSL certificates. These SSL certificates only confirm that the person requesting the certificate is responsible for the domain being secured with the certificate. They do not validate the legitimacy of the entity itself. To issue a domain validated certificate, a CA sends an email to an address associated with the administrator of the site. The administrator uses a link or authentication token in the email to validate their domain and their request for a certificate, and the SSL certificate is issued. However, this gives little guarantee that the applicant is a valid business entity.
- Organization Authenticated SSL certificates. These SSL certificates validate the business entity that stands behind the website. Organization Authenticated SSL certificates will only be issued once the CA has verified the organization's validity and ownership, and that the applicant is authorized by the organization to request the certificate. Some browsers display a blue color in addition to the HTTPS for these types of certificates.
- Extended Validation (EV) certificates. This is the most visibly trustworthy form of SSL certificate. Extended Validation certificates require the strongest level of organization identity vetting. Only CAs who have passed independent audits are allowed to issue these types of certificates. This certificate also triggers the highly recognized green color and the additional security information in the browser address bar.

How CAs Have Come Under Attack

In recent years there have been several cases where the infrastructure of CAs' intermediaries was not up to the task, leading to problems for their partners and, above all, for their customers. In one notorious incident, the CA itself was completely compromised, causing major browsers to revoke that CA's roots, which rendered all certificates issued by that CA invalid and ultimately caused that CA to go out of business.

When you choose your CA, you should look for a company that follows a holistic security approach that encompasses physical, logical, network and personnel security. In addition, you should look for a CA that takes the customer and site authentication process very seriously. If the authentication process is too easy, it doesn't provide much in the way of identity validation assurance. A CA's top business priorities should be:

- The continual hardening of the infrastructure that protects the cryptographic keys and the system for issuing certificates
- Securing a rigorous authentication process that validates the identity of the certificate requester

As we have seen in the past, insufficient CA security was to blame for allowing fraudulent certificates to be issued. In such cases, even genuine certificates had to be treated with suspicion, and in one case this caused an entire CA to shut down. Although price certainly plays a role in the purchasing process, as the multiple recent CA breaches have reminded us, price should be but one of many factors in selecting a CA. Several CAs have had to suspend issuing certificates because their systems were actually breached, or because they were unable to confirm or deny claims of a successful attack. Similarly, a CA's certificates could be blacklisted by browser providers if the company does not offer strong enough encryption in its products. When evaluating a CA, it's worth considering the vendor's history of trust and security.

What Measures Can a CA Take to Promote Trust In Its Certificates?

Without rigorous and diligent upkeep of their security infrastructure, CAs put their customers and the web consumer community at risk. As recent attacks have demonstrated, a CA must keep its cryptographic keys secure. Doing so is an increasingly difficult task, and the ability of a CA to maintain absolute security is the most critical factor when choosing where to source your SSL certificates. Customers should only use a CA that has a strong track record of trustworthiness and employs measures including:

- Facilities that have been designed to withstand attacks
- Hardware monitoring and strong network security
- Biometrics-based security for the facilities, along with dual-access control for key systems
- Hardware-based systems for cryptographically signing certificates

- Ensuring dual control for the issuing of all certificates with the vendor's name on them
- Employing best practices for authenticating domain ownership
- Regular independent audits

GeoTrust's Commitment to Security

GeoTrust's core business is information security, and we take the security of our own infrastructure very seriously. GeoTrust has invested in and built the most robust and scalable certificate authentication, issuance, management and hierarchy infrastructure in the industry. We believe that the security strength of our operations is an important part of the value our customers get when they buy their certificates from us. We are diligent about monitoring our networks and continuously work to ensure that our infrastructure remains the gold standard.

The Gold Standard In Physical And Network Security

Persons fulfilling trusted roles must pass a comprehensive background check. We have a process in place to ensure employees undergo background checks at least every 5 years. We maintain and enforce control procedures to ensure the segregation of duties based on job responsibility and to ensure that multiple trusted persons are required to perform sensitive tasks.

The physical construction of our Operations Center is comparable to government-grade protection of military and intelligence services communications. Our operations use a tiered approach to our physical environment, comprised of 5 or more tiers with increasing levels of security. Individuals are granted selective access to tiers only on a need-to-know basis. The highest tiers require 2 or more authorized people to enter or remain. Video monitoring is employed throughout our Operations Center.

We use a layered approach to our security architecture:

- Layer 1: The Outside Firewall. The front end (DMZ) sits behind the outside firewall and is the location of the web and outside mail servers.
- Layer 2: The Inside Firewall. The back end sits behind the inside firewall and is the location of the sensitive signing servers and certificate databases.

This architecture provides defense in depth, as an intruder must pass through or compromise 2 separate firewalls to reach the back end.

- Every firewall logs events to disk
- Log files are reviewed daily
- Log files are retained for future forensic analysis
- Firewall logs are regularly reviewed for any unusual events
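As an added example, not part of the white paper or of GeoTrust's tooling, the Go program below shows what a daily review of inside- and outside-firewall logs for "unusual events" can look like when written down as rules rather than done by eye. The log line format, the addresses (RFC 5737 documentation and RFC 1918 private ranges), the back-end and admin subnets, the two rules and the deny threshold are all constructed assumptions; the two-firewall layout they model is the one described above, with signing servers and certificate databases behind the inside firewall.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// sampleLog is a constructed firewall log in a simple key=value format:
// "<timestamp> <firewall> <ACTION> src=<ip> dst=<ip> dport=<port>". It is not a
// real log format from the paper or from any vendor.
var sampleLog = []string{
	"2013-11-05T02:14:07Z fw-outside ALLOW src=203.0.113.7 dst=192.0.2.10 dport=443",
	"2013-11-05T02:14:09Z fw-outside DENY src=198.51.100.9 dst=192.0.2.10 dport=22",
	"2013-11-05T02:14:10Z fw-outside DENY src=198.51.100.9 dst=192.0.2.10 dport=23",
	"2013-11-05T02:14:11Z fw-outside DENY src=198.51.100.9 dst=192.0.2.10 dport=3389",
	"2013-11-05T02:15:00Z fw-inside ALLOW src=10.200.0.5 dst=10.9.0.20 dport=22",
	"2013-11-05T02:16:31Z fw-inside ALLOW src=192.0.2.10 dst=10.9.0.21 dport=5432",
	"2013-11-05T02:16:40Z fw-inside ALLOW src=192.0.2.10 dst=10.9.0.20 dport=22",
	"this line is deliberately malformed",
}

// Network ranges assumed for the example (constructed): the back-end segment holding
// signing servers and certificate databases, the administrative range from which
// back-end logins are expected, and the ports treated as administrative access.
var (
	backendNet = mustCIDR("10.9.0.0/24")
	adminNet   = mustCIDR("10.200.0.0/24")
	adminPorts = map[string]bool{"22": true, "3389": true}
)

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

type firewallEvent struct {
	Time, Firewall, Action, Port string
	Src, Dst                     net.IP
}

// parseEvent turns one log line into an event. Malformed lines are reported as
// unparsable rather than silently dropped: a gap in a log is itself worth a look.
func parseEvent(line string) (firewallEvent, bool) {
	f := strings.Fields(line)
	if len(f) < 6 {
		return firewallEvent{}, false
	}
	ev := firewallEvent{Time: f[0], Firewall: f[1], Action: f[2]}
	for _, kv := range f[3:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			continue
		}
		switch k {
		case "src":
			ev.Src = net.ParseIP(v)
		case "dst":
			ev.Dst = net.ParseIP(v)
		case "dport":
			ev.Port = v
		}
	}
	if ev.Src == nil || ev.Dst == nil || ev.Port == "" {
		return firewallEvent{}, false
	}
	return ev, true
}

// reviewLog applies two "unusual event" rules to a day's log: administrative access
// into the back-end from outside the admin range, and any source denied at least
// denyThreshold times (a likely scan). Findings are sorted so the output is stable.
func reviewLog(lines []string, denyThreshold int) []string {
	denies := map[string]int{}
	var findings []string
	for _, l := range lines {
		ev, ok := parseEvent(l)
		if !ok {
			findings = append(findings, "unparsable log line: "+l)
			continue
		}
		if ev.Action == "DENY" {
			denies[ev.Src.String()]++
		}
		if ev.Action == "ALLOW" && backendNet.Contains(ev.Dst) && adminPorts[ev.Port] && !adminNet.Contains(ev.Src) {
			findings = append(findings, fmt.Sprintf("%s: %s allowed admin port %s from %s into back-end host %s (outside admin range)",
				ev.Time, ev.Firewall, ev.Port, ev.Src, ev.Dst))
		}
	}
	for src, n := range denies {
		if n >= denyThreshold {
			findings = append(findings, fmt.Sprintf("%s: denied %d times (possible scan)", src, n))
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	for _, f := range reviewLog(sampleLog, 3) {
		fmt.Println(f)
	}
}
```

On the sample log this reports three items: the repeated denies from one outside address, the SSH session that reached a back-end host from the DMZ web server rather than from the admin range, and the malformed line. The DMZ-to-database connection on port 5432 is not flagged, because front-end servers are expected to talk to the back-end over service ports; what the rule catches is the path an intruder who has taken a DMZ host would need next.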

We actively monitor our systems for any signs of intrusion on a 24x7x365 basis. Every component of our infrastructure is monitored for security compromises or attempted security compromises. In the event of a detected compromise, our monitoring system is able to notify the appropriate personnel for action. Notification is by multiple methods, such as e-mail alert, pager alert, and console monitoring.

Logs are generated for:

- Routers, firewalls and network machines
- Database activities and events
- Transactions
- Operating systems
- Access control systems
- Mail servers

Logs are archived and retained in a secure location for a minimum of 12 months. We also log the following significant events:

- CA key life cycle management events, including key generation, backup, storage, recovery, archival, and destruction
- Cryptographic device life cycle management events
- CA and Subscriber certificate life cycle management events, including certificate applications, renewal, rekey, and revocation; successful or unsuccessful processing of requests; and generation and issuance of certificates and CRLs
- Security-related events, including successful and unsuccessful PKI system access attempts; PKI and security system actions performed by CA personnel; security-sensitive files or records read, written or deleted; security profile changes; system crashes, hardware failures and other anomalies; firewall and router activity; and CA facility visitor entry/exit

To ensure constant vigilance of security in the environment, we constantly perform assessments. Daily vulnerability scans and audits are performed to ensure that adequate security measures are in place. The vulnerability scans are performed by trained individuals who understand the impact as well as assess the results. These scans are performed both internal and external to the network. Any findings of sufficient security vulnerability are remediated within 24 hours.

White Hat Reality Check

We also regularly perform penetration tests: a series of exercises performed from outside the system to determine if there are any exploitable openings or vulnerabilities in the network. In particular, a penetration test uses the known techniques and attacks of hackers to verify that the network is safe from unauthorized penetration. We employ an independent third party to conduct penetration tests on our network.

The threat landscape is rapidly evolving as CAs come under increasing pressure from external attacks. Now, more than ever, it is critical to partner with a CA vendor who has network infrastructure security measures in place to defend itself and your data from emerging cyber-threats.

What Does the Future Hold?

Criminals and state-sponsored hackers have figured out what website owners also need to realize: not all CAs are equal. Some CAs are more vulnerable than others, and it is becoming increasingly worthwhile for hackers to exploit that vulnerability. As cloud applications start to take over from traditional desktop programs, the mass of data that needs to be kept secure keeps growing and comes to include new types of critical information. Your customers' trust is paramount, but a bad choice of CA could see your business risk the exposure of not only your customers' data, but also your own internal data, from mail and documents to spreadsheets and unified communications.

Recent attacks have also revealed that hackers use a variety of means, big and small, to try to penetrate CAs' systems. CAs must keep evolving to ensure they are ahead of the game, for their own sake as well as that of their clients. The CA you choose has to have an infrastructure that is up to the task, along with the means to act both proactively and reactively to any threat. Their security has to be extensive and varied. They have to have their eye on every link in the chain. The stakes are too high to settle for less.

More Information

Visit our website: http://www.geotrust.com/ssl

To speak with a Product Specialist in the U.S.:
Toll Free +1-866-511-4141
Tel +1-650-426-5010
Fax +1-650-237-8871

To speak with a Product Specialist outside the U.S.:
Australia and New Zealand +61 3 9914 5661
Japan - TEL : 03-5114-4776
UK - +44 203 0240907
DE - +44 203 0240907
FR - +44 203 0240907
ES - +44 203 0240907

About GeoTrust

Speed. Reliability. Trust. All of GeoTrust's resources, from authentication to customer support, are devoted to making it fast and easy to deploy the best SSL security possible. That's why GeoTrust is one of the world's most trusted providers of SSL security solutions, protecting more than a half million websites for more than 100,000 companies globally. With GeoTrust, maximum SSL security is as easy as: Buy it. Install it. And move on to other tasks.

www.geotrust.com

CORPORATE HEADQUARTERS
GeoTrust, Inc., 350 Ellis Street, Bldg. J, Mountain View, CA 94043-2202, USA
Toll Free +1-866-511-4141, Tel +1-650-426-5010, Fax +1-650-237-8871
enterprisesales@geotrust.com

EMEA SALES OFFICE
GeoTrust, Inc., 8th Floor, Aldwych House, 71-91 Aldwych, London, WC2B 4HN, United Kingdom
Tel +44.203.0240907, Fax +44.203.0240958
sales@geotrust.co.uk

APAC SALES OFFICE
GeoTrust, Inc., 134 Moray Street, South Melbourne VIC 3205, Australia
sales@geotrustaustralia.com

© 2013 GeoTrust, Inc. All rights reserved. GeoTrust, the GeoTrust logo, the GeoTrust design, and other trademarks, service marks, and designs are registered or unregistered trademarks of GeoTrust, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are the property of their respective owners. UID: XXX/11/13