Friday, 8 June 2012

How to obtain the highest assurance from SSL certificates

Secure Sockets Layer (SSL) is a transport-level protocol for authentication and data encryption between a Web server and a Web browser, i.e. for sending documents around the Internet and the Web.

The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transactions involved. While there have been criticisms leveled against the protocol, it remains the only widely implemented and adopted standards-based security tool available to Web site and IT infrastructure operators.

A certificate issued by a CA means that a correlation has been established between a company's existence, as shown by its registration information, and the information registered with the URL registration authority for that company's Internet domain. Not only are the names associated with the two entities checked for accuracy and consistency with the relevant registration authorities, but it is also checked that the requester is employed by, and authorized to apply for the certificate on behalf of, the organization.

An Extended Validation (EV) certificate is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria, dictated by the international CA/Browser Forum, require the CA to verify the requesting entity's identity extensively before a certificate is issued: for example, all the checks are validated by an external legal practitioner, and more stringent verification measures are applied throughout.

“An important motivation for using digital certificates with SSL was to add trust to online transactions by requiring Web site operators to undergo vetting with a Certificate Authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce 'domain validation only' SSL certificates for which minimal verification is performed of the details in the certificate,” commented Maherry.

“Most browsers' user interfaces did not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the Web site owner has been validated or not. As a result, fraudsters, including phishing Web sites, have started to use SSL to add perceived credibility to their Web sites.

“Thus, it is important that the CA utilized for the issuing of certificates is chosen very carefully,” continued Maherry. “Fortunately, that doesn't mean utilizing an overseas CA, as there are local companies, such as TheSSLStore, that can be chosen to issue these EV certificates on behalf of reputable public CAs such as Entrust. Also, the major versions of the various browsers recognize an EV certificate and change the top bar on these sites to 'green bar', so as to clearly indicate this more secure situation. This clear, visual indicator of trust is implemented so as to easily allow users to recognize a high assurance site. This can be especially important where people come to a site and rely on the information, eg the JSE Web site.

“In addition, it should also be remembered that SSL certificates are not only required for server-to-browser situations, but are needed for Outlook Webmail Access, Web-based VPN access and server-to-server mutual authentication. In many instances, a company may not be aware of all the numerous SSL certificate expiry dates that exist within its organisation, many of which may well be different. This potentially exposes an organisation to a significant business risk. Again, this situation needs to be handled appropriately, and managed by a Certificate Management System, which can report on the issued certificate base and order, renew, monitor and track SSL certificates. Certificate Discovery tools can also be implemented by solutions integrators such as ourselves, who can report and manage internally issued certificates as well as the SSL certificates issued from any third-party public CAs,” concluded Maherry.
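The two checks the post keeps returning to, whether a certificate actually asserts an EV policy (the signal behind the browser's green bar) and how long it has before it expires (the core of the certificate discovery and renewal tracking described above), can both be done on the command line. The script below is an added example; it is not code from the original post or from any company named in it. It assumes the openssl CLI is installed (1.1.1 or newer, for the -addext option used only to build the sample input), and the two self-signed certificates it generates are constructed test data, not real EV certificates: a self-signed certificate that claims the EV OID is trusted by nobody. Browsers recognise an EV certificate by a policy OID in its certificatePolicies extension that they have on file for the issuing CA; the CA/Browser Forum's shared EV identifier is 2.23.140.1.1, and individual CAs also use their own OIDs, so a production inventory check would carry the OID list for the CAs actually in use. The 30-day warning window and the example hostnames are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): inspect PEM certificates for
#   (a) the CA/Browser Forum EV policy OID in the certificatePolicies extension, and
#   (b) time remaining before notAfter, as a certificate-inventory check would.
# Requires the openssl CLI; -addext (OpenSSL 1.1.1+) is used only to build the samples.
set -eu

EV_OID="2.23.140.1.1"   # CA/Browser Forum EV policy OID (CAs also register their own EV OIDs)
WARN_DAYS=30            # assumed warning window for the expiry report

# Returns 0 if the certificate asserts the CA/B Forum EV policy OID, 1 otherwise.
is_ev_cert() {
    openssl x509 -in "$1" -noout -text | grep -q "Policy: $EV_OID"
}

# Prints every policy OID asserted in the certificate, one per line (empty if none).
policy_oids() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Policy: //p'
}

# Returns 0 if the certificate will still be valid $2 days from now, 1 if it will have expired.
not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Prints the notAfter date exactly as openssl reports it.
expiry_date() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# One inventory line per certificate, the shape a discovery tool would record.
report_cert() {
    ev="no"; is_ev_cert "$1" && ev="yes"
    status="ok"; not_expiring_within "$1" "$WARN_DAYS" || status="EXPIRES WITHIN ${WARN_DAYS}d"
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    printf '%s\tEV=%s\tnotAfter=%s\t%s\n' "$subj" "$ev" "$(expiry_date "$1")" "$status"
}

# Constructed sample input (self-signed, no CA involved): one certificate asserting the
# EV policy OID with 365 days left, one domain-only certificate with 10 days left.
# Prints the directory holding ev.pem and dv.pem.
make_sample_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ev.example.test" \
        -addext "certificatePolicies=$EV_OID" -keyout "$dir/ev.key" -out "$dir/ev.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj "/CN=dv.example.test" \
        -keyout "$dir/dv.key" -out "$dir/dv.pem" 2>/dev/null
    echo "$dir"
}

# Usage: sh certcheck.sh --demo        (report on the two constructed samples)
#        sh certcheck.sh cert.pem ...  (report on your own PEM files)
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_certs)
    report_cert "$d/ev.pem"
    report_cert "$d/dv.pem"
elif [ $# -gt 0 ]; then
    for f in "$@"; do report_cert "$f"; done
fi
```

The EV check is deliberately a string match on the text dump rather than a full ASN.1 walk: for an inventory pass over hundreds of files that is enough, and the same `policy_oids` output can be compared against a per-CA OID list. The `-checkend` call is the piece worth scheduling, since it turns the scattered expiry dates the post warns about into a single exit code a monitoring job can act on before the day the certificate lapses.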
