WHITE PAPER

How to Choose A Certificate Authority For Safer Web Security
Contents

- The Role of Certificate Authorities
  - Why Do Sites Need to Be Trusted?
  - How Do People Using the Internet Know When to Trust a Site?
  - What Is a CA and What Are the Different Types of SSL Certificates?
  - How CAs Have Come Under Attack
  - What Measures Can a CA Take to Promote Trust in Its Certificates?
- GeoTrust's Commitment to Security
  - The Gold Standard in Physical and Network Security
  - White Hat Reality Check
- What Does the Future Hold?
- More Information
The Role of Certificate Authorities

Why Do Sites Need to Be Trusted?

As use of the Internet has become increasingly commonplace and crucial to a wide range of applications, criminals have found an ever-growing group of people they can target. Criminals are exploiting Internet users in many ways, including:

- using social engineering, bogus links, spam and phishing to direct people to fraudulent websites that resemble the sites they frequently use;
- setting up websites to be malicious destinations;
- hijacking user accounts and information by intercepting the data shared between people and websites through man-in-the-middle attacks, such as those made easy by the well-known Firesheep plug-in;
- fooling people into consciously or unconsciously giving up confidential details that can then be used for fraudulent purposes;
- putting malware onto a user's computer that quietly turns the machine into a tool for further crime;
- spoofing a domain, which may allow a criminal to impersonate someone sending email from that domain or to spy on their conversations. This is not just a consumer problem: businesses' internal email systems can be compromised in this way too, opening them up to industrial espionage.

Apart from hurting users, this activity is detrimental to the brand of the real site being spoofed. Trust is harmed when the user no longer feels safe.

How Do People Using the Internet Know When to Trust a Site?

Fortunately, people are becoming increasingly savvy about the need to trust the sites they are visiting. They may not know the explicit details of the threats they face when dealing with malicious or compromised websites, but they are aware that there are ways to establish trustworthiness, including:

- Padlock icon: The most common sign that a site is more trustworthy than others is the use of https rather than http as the prefix to the page's web address, together with a padlock icon.
- Green address bar: More recently, users have become aware that the highlighting of part of the address bar denotes even greater security.
Behind the scenes, the https is an indicator that the page is being viewed over a secure connection to the site owner's servers. HTTP Secure (HTTPS) combines the standard HTTP protocol with the Secure Sockets Layer (SSL) protocol, and its use shows that the site's servers have been authenticated using an SSL certificate. HTTPS also shows that the data shared between people and the site will be encrypted in transit, to protect it from being seen or intercepted by eavesdroppers.

The coloring of the first part of the address bar shows that the site's owner has gone a step further and submitted to extensive organization vetting and authentication procedures, to prove that the organization behind the site is who they say they are. By doing so, they will have gained an Extended Validation (EV) SSL certificate that the browser can recognize, leading to the special green coloring and the display of more information than usual about the site's operator and the CA that authenticated the site. The green address bar shows the name of the business verified to use this website address and means that this web page is secure.
What Is a CA and What Are the Different Types of SSL Certificates?

The Certificate Authority (CA) is an organization that issues SSL and EV SSL certificates. The user can always tell which CA issued a certificate by clicking the padlock next to the site's URL; in the case of sites with Extended Validation SSL, the name of the CA may also be displayed in the address bar.

Different types of SSL certificates offer different levels of site authentication:

- Entry-level Domain Validated SSL certificates. These SSL certificates only confirm that the person requesting the certificate is responsible for the domain being secured with the certificate. They do not validate the legitimacy of the entity itself. To issue a domain validated certificate, a CA sends an email to an address associated with the administrator of the site. The administrator uses a link or authentication token in the email to validate their domain and their request for a certificate, and the SSL certificate is issued. However, this gives little guarantee that the applicant is a valid business entity.
- Organization Authenticated SSL certificates. These SSL certificates validate the business entity that stands behind the website. Organization Authenticated SSL certificates will only be issued once the CA has verified the organization's validity and ownership, and that the applicant is authorized by the organization to request the certificate. Some browsers display a blue color in addition to the HTTPS for these types of certificates.
- Extended Validation (EV) certificates. This is the most visibly trustworthy form of SSL certificate. Extended Validation certificates require the strongest level of organization identity vetting. Only CAs that have passed independent audits are allowed to issue these types of certificates. This certificate also triggers the highly recognized green color and the additional security information in the browser address bar.
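The same inspection can be done outside the browser. The shell script below is an added example, not GeoTrust's code or part of this paper: using the openssl command-line tool it reads the issuer (which CA signed the certificate) and classifies the certificate as DV or OV by whether the subject carries a vetted Organization (O=) field. EV is recognised by a CA-specific policy OID in the certificatePolicies extension, so the OID is taken as a parameter; the self-signed test certificates and the domain example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example, not GeoTrust's code. Requires the openssl CLI.
# DV: subject names only the domain (CN). OV: subject also carries O=.
# EV: the issuing CA's EV policy OID appears under Certificate Policies.

# Print the issuer DN, i.e. which CA signed this certificate.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

# Succeed if the certificatePolicies extension lists the given OID.
has_policy_oid() {
  openssl x509 -in "$1" -noout -text | grep -A 10 'Certificate Policies' | grep -q "Policy: $2"
}

# Classify as EV, OV or DV. $1 = PEM file, $2 = the issuer's EV policy OID (optional).
classify_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || { echo INVALID; return 1; }
  if [ -n "$2" ] && has_policy_oid "$1" "$2"; then
    echo EV
  else
    case "$subj" in
      *,O=*|subject=O=*) echo OV ;;
      *) echo DV ;;
    esac
  fi
}

# Constructed self-signed certificates for the demo only; a real certificate's
# issuer would be the CA, not the subject itself.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" -days 1 -subj "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d)
  make_test_cert "$d/dv.pem" "/CN=example.test"
  make_test_cert "$d/ov.pem" "/C=US/O=Example Corp/CN=example.test"
  echo "dv.pem: $(classify_cert "$d/dv.pem") issued by $(issuer_of "$d/dv.pem")"
  echo "ov.pem: $(classify_cert "$d/ov.pem") issued by $(issuer_of "$d/ov.pem")"
  rm -rf "$d"
}
```

Run `demo` to see both constructed certificates classified; point `classify_cert` at a certificate saved from a real site to check what the padlock is telling you.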
How CAs Have Come Under Attack

In recent years, there have been several cases in which the infrastructure of a CA or its intermediaries was not up to the task, leading to problems for their partners and, above all, for their customers. In one notorious incident, the CA itself was completely compromised, causing major browsers to revoke that CA's roots, rendering all certificates issued by that CA invalid and ultimately causing that CA to go out of business.

When you choose your CA, you should look for a company that follows a holistic security approach that encompasses physical, logical, network and personnel security. In addition, you should look for a CA that takes the customer and site authentication process very seriously. If the authentication process is too easy, it doesn't provide much in the way of identity validation assurance. A CA's top business priorities should be:

- the continual hardening of the infrastructure that protects the cryptographic keys and the system for issuing certificates;
- securing a rigorous authentication process that validates the identity of the certificate requester.

As we have seen in the past, insufficient CA security was to blame for allowing fraudulent certificates to be issued. In such cases, even genuine certificates had to be treated with suspicion, and in one case this caused an entire CA to shut down. Although price certainly plays a role in the purchasing process, as the multiple recent CA breaches have reminded us, price should be but one of many factors in selecting a CA. Several CAs have had to suspend issuing certificates because their systems were actually breached, or because they were unable to confirm or deny claims of a successful attack. Similarly, a CA's certificates could be blacklisted by browser providers if the company does not offer strong enough encryption in its products. When evaluating a CA, it's worth considering the vendor's history of trust and security.

What Measures Can a CA Take to Promote Trust in Its Certificates?
Without rigorous and diligent upkeep of their security infrastructure, CAs put their customers and the web consumer community at risk. As recent attacks have demonstrated, a CA must keep its cryptographic keys secure. Doing so is an increasingly difficult task, and the ability of a CA to maintain absolute security is the most critical factor when choosing where to source your SSL certificates. Customers should only use a CA that has a strong track record of trustworthiness and employs measures including:

- facilities that have been designed to withstand attacks;
- hardware monitoring and strong network security;
- biometrics-based security for the facilities, along with dual-access control for key systems;
- hardware-based systems for cryptographically signing certificates;
- dual control for the issuing of all certificates with the vendor's name on them;
- best practices for authenticating domain ownership;
- regular independent audits.

GeoTrust's Commitment to Security

GeoTrust's core business is information security, and we take the security of our own infrastructure very seriously. GeoTrust has invested in and built the most robust and scalable certificate authentication, issuance, management and hierarchy infrastructure in the industry. We believe that the security strength of our operations is an important part of the value our customers get when they buy their certificates from us. We are diligent about monitoring our networks and continuously work to ensure that our infrastructure remains the gold standard.

The Gold Standard in Physical and Network Security

Persons fulfilling trusted roles must pass a comprehensive background check. We have a process in place to ensure employees undergo background checks at least every 5 years. We maintain and enforce control procedures to ensure the segregation of duties based on job responsibility and to ensure that multiple trusted persons are required to perform sensitive tasks.

The physical construction of our Operations Center is comparable to government-grade protection of military and intelligence services communications. Our operations use a tiered approach to our physical environment, comprised of 5 or more tiers with increasing levels of security. Individuals are granted selective access to tiers on a need-to-know basis only. The highest tiers require 2 or more authorized people to enter or remain. Video monitoring is employed throughout our Operations Center.
We use a layered approach to our security architecture:

- Layer 1: The Outside Firewall. The Front-End (DMZ) sits behind the outside firewall and is the location of the web and outside mail servers.
- Layer 2: The Inside Firewall. The Back-End sits behind the inside firewall and is the location of the sensitive signing servers and certificate databases.

This architecture provides defense in depth, as an intruder must pass through or compromise 2 separate firewalls to reach the back-end.

- Every firewall logs events to disk.
- Log files are reviewed daily.
- Log files are retained for future forensic analysis.
- Firewall logs are regularly reviewed for any unusual events.
We actively monitor our systems for any signs of intrusion on a 24x7x365 basis. Every component of our infrastructure is monitored for security compromises or attempted security compromises. In the event of a detected compromise, our monitoring system is able to notify the appropriate personnel for action. Notification is by multiple methods, such as e-mail alert, pager alert, and console monitoring.

Logs are generated for:

- routers, firewalls and network machines;
- database activities and events;
- transactions;
- operating systems;
- access control systems;
- mail servers.

Logs are archived and retained in a secure location for a minimum of 12 months. We also log the following significant events:

- CA key life cycle management events, including key generation, backup, storage, recovery, archival, and destruction;
- cryptographic device life cycle management events;
- CA and Subscriber certificate life cycle management events, including:
  - certificate applications, renewal, rekey, and revocation;
  - successful or unsuccessful processing of requests;
  - generation and issuance of certificates and CRLs;
- security-related events, including:
  - successful and unsuccessful PKI system access attempts;
  - PKI and security system actions performed by CA personnel;
  - security-sensitive files or records read, written or deleted;
  - security profile changes;
  - system crashes, hardware failures and other anomalies;
  - firewall and router activity;
  - CA facility visitor entry/exit.

To ensure constant vigilance over security in the environment, we constantly perform assessments. Daily vulnerability scans and audits are performed to ensure that adequate security measures are in place. The vulnerability scans are performed by trained individuals who understand the impact as well as assess the results. These scans are performed both internal and external to the network. Any findings of sufficient security vulnerability are remediated within 24 hours.

White Hat Reality Check
We also regularly perform penetration tests: a series of exercises performed from outside the system to determine whether there are any exploitable openings or vulnerabilities in the network. In particular, a penetration test uses the known techniques and attacks of hackers to verify that the network is safe from unauthorized penetration. We employ an independent third party to conduct penetration tests on our network.

The threat landscape is rapidly evolving as CAs come under increasing pressure from external attacks. Now, more than ever, it is critical to partner with a CA vendor that has network infrastructure security measures in place to defend itself, and your data, from emerging cyber-threats.

What Does the Future Hold?

Criminals and state-sponsored hackers have figured out what website owners also need to realize: not all CAs are equal. Some CAs are more vulnerable than others, and it is becoming increasingly worthwhile for hackers to exploit that vulnerability. As cloud applications start to take over from traditional desktop programs, the mass of data that needs to be kept secure keeps growing and now includes new types of critical information. Your customers' trust is paramount, but a bad choice of CA could see your business risk the exposure of not only your customers' data, but also your own internal data, from mail and documents to spreadsheets and unified communications.

Recent attacks have also revealed that hackers use a variety of means, big and small, to try to penetrate CAs' systems. CAs must keep evolving to ensure they are ahead of the game, for their own sake as well as that of their clients. The CA you choose has to have an infrastructure that is up to the task, along with the means to act both proactively and reactively to any threat. Their security has to be extensive and varied. They have to have their eye on every link in the chain. The stakes are too high to settle for less.
More Information

Visit our website: http://www.geotrust.com/ssl

About GeoTrust

Speed. Reliability. Trust. All of GeoTrust's resources, from authentication to customer support, are devoted to making it fast and easy to deploy the best SSL security possible. That's why GeoTrust is one of the world's most trusted providers of SSL security solutions, protecting more than a half million websites for more than 100,000 companies globally. With GeoTrust, maximum SSL security is as easy as: buy it, install it, and move on to other tasks. www.geotrust.com

© 2013 GeoTrust, Inc. All rights reserved. GeoTrust, the GeoTrust logo, the GeoTrust design, and other trademarks, service marks, and designs are registered or unregistered trademarks of GeoTrust, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are the property of their respective owners.