
How to Choose the Right SSL Certificate for Your Website?

Posted on August 3, 2018 in SSL Certificates

A mum preparing a toddler for her first beach vacation and a seasoned kayaker preparing for Zambia’s whitewater rapids will not reach for the same life jacket. In the digital security world, the purposes and specifications of the various products are just as relevant to the consumer, although the differences between them may not be so immediately clear. In both cases, it’s important that the client finds the right fit. Whether you’re a business owner looking for the right SSL Certificate for your own website, online store or blog, or a web solutions provider looking to curate a solid SSL offering for your own clients, here’s what you should know about TLS/SSL Certificates and what to look for when choosing a certificate provider.

WHAT ARE TLS/SSL CERTIFICATES?

SSL is short for “Secure Sockets Layer,” and SSL Certificates are used to secure communications between a website, host, or server and the end users connecting to it (or between two machines in a client-server relationship). An SSL Certificate confirms the identity of the domain name (for example, SRICOMPTECHNOLOGIES.com) that is operating the website and enables encryption of all data between the server and the visitor, protecting the integrity of the transmitted data.

WHY ARE TLS/SSL CERTIFICATES IMPORTANT?

Identity theft and browser warnings are growing concerns among digital consumers. Failure to choose the right TLS/SSL Certificate for your website can erode client trust and lower your rate of completed transactions, negatively impacting your bottom line.

HOW DOES SSL ENCRYPTION WORK?

Encryption makes use of keys to lock and unlock your data, meaning you need the right key to “open,” or decode, the secured data.

Each SSL Certificate comes with two keys:

  • A public key, which is used to encrypt (scramble) the information.
  • A private key, which is used to decrypt (unscramble) the information and restore it to its original format to make it readable.


(Image by Entrust Datacard)

WHERE ARE SSL CERTIFICATES USED?

SSL Certificates should be used in any instance where data needs to be transmitted securely. This includes:

  • Communications between your website and your clients’ internet browsers.
  • Internal communications on your corporate intranet.
  • Email communications sent to and from your network (or private email address).
  • Data between internal and external servers.
  • Data sent and received from IoT and mobile devices.

DETERMINING IF A SITE HAS A VALID SSL CERTIFICATE

A website without an SSL Certificate displays “http://” before its address in the browser address bar. This prefix stands for “Hypertext Transfer Protocol,” the conventional way to transmit data over the Internet. Most internet users are aware that this indicates a website is not secure and have historically looked for https:// and a closed padlock symbol in their browser window to confirm that they are on the site of an authenticated organisation.

However, it’s no longer sufficient for business websites to simply enable HTTPS and display the standard padlock symbol to their visitors. Online consumers are demanding assurance that the identity of the website they are visiting has been verified by authentication procedures that are proven to be highly trustworthy. And this assurance is provided in the form of an Extended Validation (EV) SSL Certificate. EV Certificates display a hard-to-miss green identifier in the browser address bar and indicate to the visitor that the website was subjected to extensive scrutiny by the issuing Certificate Authority. The consumer can be confident that they are at a secured and authorised website, not a phishing website.

That’s not to say an EV Certificate is necessary in every situation. But EV Certificates can generate a higher level of consumer trust than the other options, such as Organisation Validation (OV) Certificates or Domain Validation (DV) Certificates, which undergo far less scrutiny.

CHOOSING BETWEEN DV, OV AND EV CERTIFICATES

Domain Validation (DV) SSL Certificates:

Domain Validation (DV) Certificates are best for small to medium-sized businesses looking for cost-effective security with no need to establish site visitor trust. Issuance of a DV Certificate simply requires proof of ownership of the associated domain name, which is provided through a simple email validation process. These certificates can be issued in minutes, enable HTTPS, and display a clear indicator, such as the padlock symbol, in internet browsers.

However, DV Certificates do not scrutinise the legitimacy of the organisation the website represents and should therefore not be used for e-commerce sites or sites that deal in sensitive data. They are, however, a great option for many internal sites, test servers, and test domains.

Organisation Validation (OV) SSL Certificates:

OV Certificates provide the same level of protection as DV Certificates but go one step further than simply requiring proof of domain name ownership. With an OV Certificate, the issuing Certificate Authority confirms the business associated with the domain name is registered and legitimate by checking details such as the business name, location and incorporation or registration information. This makes the OV Certificate a more suitable choice for public-facing websites that represent companies or organisations.

Extended Validation (EV) SSL Certificates:

EV Certificates provide the highest level of trust by assuring consumers that they are conducting business through a trusted and secured website. For this reason, these certificates have become the industry standard for e-commerce based websites. EV SSL Certificates trigger high-security web browsers to display a green address bar that includes the name of the company or organisation that owns the domain name. They also show the name of the issuing Certificate Authority.

Confirmation of the website’s identity and validation of the organisation are carried out according to the rigorous industry guidelines established by the CA/Browser Forum and involve a strict validation process that has proven effective over more than 10 years of real-world use.

EV SSL Certificates are vital for large businesses or e-commerce sites as they can increase credibility by showing discerning consumers that a prospective transaction is with a legitimate recipient and that the site is serious about protecting the data of its clients.
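The DV/OV/EV distinction described above, and the validity check from the “Determining if a site has a valid SSL certificate” section, can both be observed in the certificate a server presents. The following added example (not code from the original article) uses only Python’s standard-library ssl module: it classifies a certificate from its subject fields, checks its validity window, and shows how a verifying TLS connection is opened. The subject field names (OpenSSL long names as reported by Python), the subject-field heuristic for EV, and the sample certificates are assumptions constructed for the example.

```python
import socket
import ssl
import time

# Subject attributes the CA/Browser Forum EV Guidelines require an EV certificate to carry,
# written with the OpenSSL long names Python's ssl module reports (assumed naming).
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_to_dict(subject):
    """Flatten getpeercert()'s subject: a tuple of RDNs, each a tuple of (name, value) pairs."""
    return {name: value for rdn in subject for name, value in rdn}


def classify_validation(cert):
    """Return 'DV', 'OV' or 'EV' from the subject fields (a heuristic, not a policy-OID check)."""
    fields = subject_to_dict(cert.get("subject", ()))
    if "organizationName" not in fields:
        return "DV"   # only a CN and SANs: the CA verified domain control, nothing else
    if EV_SUBJECT_FIELDS.issubset(fields):
        return "EV"   # organisation plus incorporation details were vetted
    return "OV"       # organisation details vetted, but no EV incorporation attributes


def within_validity_window(cert, now=None):
    """True if the notBefore..notAfter window of the certificate contains `now` (epoch seconds)."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect to host and return its leaf certificate as a getpeercert() dict.
    create_default_context() validates the chain against the system trust store and checks the
    hostname; a mismatch raises ssl.SSLCertVerificationError before any application data is sent."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real certificates).
_WINDOW = {"notBefore": "Jan  1 00:00:00 2018 GMT", "notAfter": "Jan  1 00:00:00 2038 GMT"}
DV_SAMPLE = {"subject": ((("commonName", "www.example.test"),),), **_WINDOW}
OV_SAMPLE = {"subject": ((("countryName", "GB"),), (("localityName", "London"),),
                         (("organizationName", "Example Ltd"),), (("commonName", "www.example.test"),)),
             **_WINDOW}
EV_SAMPLE = {"subject": ((("jurisdictionCountryName", "GB"),), (("businessCategory", "Private Organization"),),
                         (("serialNumber", "01234567"),), (("countryName", "GB"),),
                         (("organizationName", "Example Ltd"),), (("commonName", "www.example.test"),)),
             **_WINDOW}

if __name__ == "__main__":
    for label, cert in (("DV", DV_SAMPLE), ("OV", OV_SAMPLE), ("EV", EV_SAMPLE)):
        print(label, classify_validation(cert), within_validity_window(cert))
```

Point `fetch_peer_cert` at a live host to classify a real certificate; the classification is only as reliable as the subject fields the issuing CA populated.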

WHAT TO LOOK FOR WHEN SELECTING A CERTIFICATE AUTHORITY (CA)?

As the world’s largest commercial Certificate Authority, Comodo CA is proactively monitoring for potential threats and attacks, working hand-in-hand with government agencies, browser providers and our clients, to ensure it is keeping up with the ever-changing market.

When evaluating a CA, be sure that it:

1. Follows CA/B Forum Baseline Requirements.

This industry group consisting of Certificate Authorities and internet browser manufacturers developed standards that each CA must meet for its roots to remain trusted in browsers. These include:

  • All data contained within the certificate must be validated to be true through a strict, clearly defined authentication process.
  • Certificates must meet particular minimum levels of cryptographic strength to protect the integrity of the certificate and private key from evolving threats.
  • Certificates must not exceed maximum specified durations.
  • CAs must follow guidelines for CA security, certificate revocation mechanisms, audit requirements, liability, privacy and confidentiality, and delegation of authority.

2. Conducts Annual Audits – Both WebTrust and SOC 3

Annual audits are pivotal to CA security, yet not every CA makes them a prime concern. At a minimum, your CA should meet these auditing standards.

  • Maintain membership in the WebTrust program for CAs:
    The WebTrust for Certification Authorities program was developed to increase consumer confidence in the Internet as a vehicle for conducting e-commerce and to increase consumer confidence in the application of PKI technology. Comodo CA, for example, undergoes an annual audit from Ernst & Young, which validates that:

    • The Certification Authority (CA) discloses its SSL Certificate practices and procedures and its commitment to provide SSL Certificates in conformity with the applicable CA/Browser Forum Requirements.
    • Subscriber data was properly collected, authenticated and verified.
    • The integrity of keys and certificates is established and protected throughout their life cycles.
    • Logical and physical access to CA systems and information is restricted to authorised individuals.
    • The continuity of key and certificate management operations is maintained.
    • CA systems development, maintenance and operations are properly authorised and performed to maintain CA systems integrity.
    • The Certification Authority maintains effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum.
  • Publish an annual Service Organisation Control (SOC) 3 report:
    The SOC 3 report is published to confirm that the security controls for the service have been examined by an independent accountant. Again, as an example, Comodo CA undergoes an annual audit from Ernst & Young to validate that Comodo CA has maintained effective controls over its system in relation to four core principles: security, availability, processing integrity and confidentiality.

TO SUM UP

Trust is everything in the online business world. Investment in technology to secure clients and earn their trust is a critical success factor for any company that does business online or hosts an e-commerce website. The effective implementation of TLS/SSL Certificates is a proven tool to help establish client trust. Check out SRICOMP’s full inventory of Comodo SSL Certificates products.
