
June 5th, 2008

Displaying the thawte Trusted Site Seal on your website

Once you have been issued a thawte Digital Certificate, you need to install it on your website. You may also wish to display the thawte Trusted Site Seal, which confirms to your website visitors that your site is secured by thawte and shows the date until which your Digital Certificate is valid.

Reference:

Click here to find instructions to retrieve your Digital Certificate >>

Click here to find instructions to install your Digital Certificate on your website >>

Click here to find detailed instructions to display the thawte Trusted Site Seal on your website >>

IMPORTANT
To retrieve the thawte Trusted Site Seal, thawte requires your Order No. and Certificate Maintenance Password. You can find these details within the Check Certificate interface. Click here to find instructions on how to reach the Check Certificate interface >>

June 2nd, 2008

The Facts About SSL Digital Certificates - Secure your Web Site or your Web Server

In a world of risk, know who to trust

The Facts About SSL

There are many Certification Authorities (CAs) currently offering digital certificates, each with various certificate products. For the first time user of digital certificates it is often difficult to make an informed purchase decision. Equally, experienced users may not have a full understanding of certain finer points relating to the products that are available on the market.

We, in partnership with Thawte, aim to provide impartial advice on how to approach the purchase of SSL certificates while at the same time clarifying certain issues relating to the product and industry which are often misunderstood. Our hope is that you find the information provided of assistance in making the right purchase for your business and security needs.

1. When do you need to use a digital certificate?

Securing transmission of financial information in ecommerce is currently the major application of SSL certificates. However, with incidence of identity theft on the rise, protection of personally identifiable information is becoming ever more important. This category of data would include identity and social security numbers, as well as e-mail addresses.

So, if you are handling financial transactions on your web site, there is no question that SSL certificates are required. If you are managing sensitive customer data, the use of SSL certificates is worth serious consideration - especially if customer/member security and privacy is high on your list of priorities.

2. Why use a digital certificate?

There are two main reasons why you should make use of a digital certificate:

1. To prove your company’s (or your server’s) identity online and in so doing create a sense of trust and confidence in using your web site.

2. To offer protection of the data submitted to your web site (or between servers) through the use of encryption. Should any information be intercepted, it will be unintelligible without the unique key used for decryption.

When evaluating a certificate product, make sure it delivers on each of these requirements.

3. What level of authentication does the certificate offer?

In securing your web site with a digital certificate, your main aim is to provide proof of your online identity and in so doing establish a relationship of trust with those with whom you wish to interact online. This is where authentication comes into play as the most important element of a digital certificate.

Authentication provides users with proof that:

1. your company is a bona fide real world company.

2. they are connecting to the correct server.

A certificate’s level of authentication may be seen as an indication of its quality - the higher the level of authentication provided, the greater the quality of the certificate. It is therefore important to understand that the various digital certificates available each differ in level of authentication depending on the issuing CA or even the specific product.

Some CAs perform only very basic authentication prior to issuing a certificate while others conduct extensive checks to ensure the identity of the applying organization. The following are the various authentication checks that are performed by CAs:

  • Domain lookup to confirm that applying company owns domain.
  • Check existence of company to confirm that it is a legally registered organization.
  • Verification of identity of individual requesting certificate to confirm that they are an authorized representative.

All CAs perform one or more of these authentication checks. The result is a range of products of greatly differing levels of quality. It is important to note that the more authentication checks performed, the better the quality of the certificate. So make sure you determine exactly what authentication checks are performed before purchasing.

4. What does it mean to be WebTrust compliant?

A number of CAs have achieved WebTrust compliance mainly as it is now a Microsoft requirement that a CA complete a WebTrust for Certification Authorities audit, in order to have their root certificates included in Windows XP / Internet Explorer. But it is important to understand exactly what this certification implies. WebTrust does not set standards for CAs, nor does it monitor or regulate any existing standards.

WebTrust compliance tells you nothing about the quality of the authentication on offer - it merely confirms that the CA in question adheres to their own stated policies and procedures for authentication. What this means is that WebTrust compliance unfortunately does not provide a useful basis for comparison between CAs.

5. What is the strength of a certificate? (what is SGC technology)

The encryption strength of a digital certificate is determined by the level of encryption supported by the browser used to connect to a web site and the server where the web site resides. This means that users may connect at 40-bit, 56-bit or 128-bit depending on the browser version they are using.

Most digital certificates function in this way - providing encryption at a strength supported by the browser and server. It is important to understand this distinction as many CAs promote their certificates as 128-bit when in fact they will support sessions of varying encryption strength (128-bit being the strongest possible level of encryption).
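The distinction above, as an added example that is not part of the original article: the session strength comes from the suite the browser and server agree on, not from the certificate. The suite table and the client and server lists are constructed sample data (assumptions); `weakest_enabled` queries the local OpenSSL build through Python's `ssl` module.

```python
import ssl

# Constructed sample data: OpenSSL-style suite names and their effective key bits.
LEGACY_BITS = {"EXP-RC4-MD5": 40, "DES-CBC-SHA": 56, "RC4-MD5": 128, "AES256-SHA": 256}

# Hypothetical server preference order, strongest first.
SERVER_PREFS = ["AES256-SHA", "RC4-MD5", "DES-CBC-SHA", "EXP-RC4-MD5"]
# Hypothetical clients: an "export" browser and a full-strength browser.
EXPORT_BROWSER = ["EXP-RC4-MD5", "DES-CBC-SHA"]
DOMESTIC_BROWSER = list(LEGACY_BITS)


def negotiate(client_offer, server_prefs, min_bits=0):
    """Return (suite, bits) for the first server-preferred suite that the
    client also offers and that meets min_bits; None means no shared suite,
    i.e. the handshake would fail instead of falling back to weak crypto."""
    for suite in server_prefs:
        if suite in client_offer and LEGACY_BITS[suite] >= min_bits:
            return suite, LEGACY_BITS[suite]
    return None


def weakest_enabled(cipher_string):
    """Ask the local OpenSSL which suites a cipher string enables and
    return the lowest strength_bits among them (a server-side audit)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return min(c["strength_bits"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    # Same server, same certificate: strength varies with the client.
    print("domestic:", negotiate(DOMESTIC_BROWSER, SERVER_PREFS))
    print("export:  ", negotiate(EXPORT_BROWSER, SERVER_PREFS))
    # A server that enforces a 128-bit floor refuses the export client.
    print("export, 128-bit floor:", negotiate(EXPORT_BROWSER, SERVER_PREFS, 128))
    # Audit a real cipher string on this machine's OpenSSL build.
    print("weakest enabled:", weakest_enabled("HIGH:!aNULL:!eNULL:!3DES"), "bits")
```

The same audit can be run against the cipher string a web server is actually configured with to confirm that no suite below the intended minimum is enabled.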

In the past, legislation of the United States government prevented the export of 128-bit encryption technology. The result of this was the creation of the so-called “export” browser versions, which were restricted to 40-bit and 56-bit encryption capabilities. These browsers were distributed outside of the United States for many years and were even downloaded by US-based users. In 1997, the US government repealed its ban on 128-bit encryption. Today, however, there are still significant numbers of export version browsers in use, mainly internationally but also in the United States.

Digital certificates have been developed that provide 128-bit encryption for browsers which default to 40-bit or 56-bit encryption - the so-called “export” browser versions, which include IE 5.01 and Netscape 4.7x and later. These certificates include technology known as Server Gated Cryptography (SGC), which automatically steps up these browsers to the 128-bit encryption level. Only a handful of CAs supply these certificates, so if you require the 128-bit encryption step-up capability, make sure you ask for SGC technology.

6. How can you benefit from SGC-enabled SSL certificates?

With thawte’s SGC SuperCert certificates e-commerce companies can provide increased security for both their customers and themselves. In doing so companies using SGC will improve their brand security, thereby building trust with their customers.

Tests conducted by the Yankee Group have shown that millions of internet users still use older versions of Windows 2000 (without Service Pack 4 or the high-encryption pack), which results in millions of internet users connecting to SSL-enabled sites with weak, vulnerable 40-bit and 56-bit encryption, placing themselves and many vendors’ brands at great risk. These same users can automatically gain full-strength 128-bit encryption, the minimum recommended level of encryption for financial transactions, when conducting business with SGC-enabled websites.

According to the Yankee Group, wide-scale deployment of SGC-enabled SSL certificates, such as thawte’s SGC SuperCert, would reduce the actual number of users exposed by weaker encryption dramatically and make it possible for virtually every internet user to automatically be stepped up to 128-bit.

256-bit encryption can be achieved if the user’s browser capability and the cipher suite installed on the web server are both 256-bit compatible.

7. What is the product for you?

There are various factors which will influence your choice of digital certificate.

Firstly, you need to consider the sensitivity of data that is to be secured. It makes sense that highly confidential personal and financial as well as critical business information demand the highest levels of authentication and encryption. Alternatively, some may argue that there are other applications that do not require these stringent security measures. The bottom line is that you need to categorize the various types of data you manage according to their importance to your business and select a digital certificate for the task at hand.

In certain countries there is now legislation which governs the level of encryption required for data protection. This type of legislation is normally developed for data intensive industries where security and privacy is a major concern such as financial services or health care. Typically, companies are required to guarantee that they protect data with 128-bit encryption - a requirement which determines the use of a specific type of digital certificate. In this case digital certificates which are able to step-up to 128-bit encryption are the product of choice.

Geographic location of your customer/user base is also an important consideration. The reason for this is that certain older browser versions which still exist in significant numbers internationally do not automatically support 128-bit encryption, only 40-bit and 56-bit. Typically, these are the so-called “export” browsers which were made available outside of the United States for many years. It is also worth noting that users in the United States have also downloaded these export browsers from non-US websites. So, if you are conducting business online outside of the US and 128-bit encryption is important to you, step-up SGC technology is essential.

Lastly, it is worthwhile considering the duration of the project in question. Most certificates are available in one or two-year versions (or longer). If your project is planned for a longer duration, it makes sense to consider the two-year certificate option as this not only allows you to benefit from the cost savings frequently offered on these products, but also provides the added benefit of increasing convenience by reducing the frequency of engineering and admin work associated with installation during certificate renewal.

8. Can you get the after sales technical support you need?

Depending on your level of experience in working with digital certificates, you may require assistance at various stages throughout the life cycle of the product, from the initial request for a certificate to installation, renewal and possible re-issuance of a certificate if required.

Be sure to assess the support capabilities of the CAs you consider. Try to look beyond the initial sales process, as it is in unforeseen circumstances such as server migration that competent support is most valuable.

9. What is the track-record of the CA?

In business it is always sensible to purchase from proven, established vendors - even more so in today’s high tech industry. This is especially important when purchasing security products such as digital certificates where using a trusted CA is essential for doing effective business online.

The CA’s track record may provide you with some answers to other questions discussed here. For instance, the longer a CA has been in business, the more experienced and better developed their support infrastructure is likely to be.

10. Are you dealing with a root CA?

There are two types of CAs - Root CAs and Chained CAs. Root CAs have the roots for their certificates installed in the major browsers, while Chained CAs issue their certificates off a Root CA’s root.

The reason for the existence of Chained CAs relates to the issue of certificate compatibility with the various browser types and versions currently used. CAs which have been in existence for a longer period of time have been able to include their roots in each browser type and version that has been released over the years. Consequently, their certificate-browser compatibility is extremely high. Newer CAs are not able to achieve this level of compatibility as they are only able to include their roots in recent browser releases, and the only way for them to obtain the desired level of compatibility is to issue certificates signed with the root of a CA which already has the desired level of compatibility (this is known as “Chaining”).

The main drawback of using a Chained CA is that it does not own, and therefore does not control, the root used to issue its certificates. From a certificate customer’s perspective this may lead to potential problems, as their certificates are vulnerable and may be rendered invalid should the terms of the chaining agreement break down or be affected by a change in ownership of the root.



Copyright © 2007-2009 by VAIOWEB. All Rights Reserved.