A Certificate Authority (CA) issues digital certificates that contain a public key and the identity of its owner. The matching private key is not published; it is kept secret by the end user who generated the key pair. The certificate is also a confirmation by the CA that the public key it contains belongs to the person, organization, server or other entity named in the certificate. A CA’s obligation in such schemes is to verify an applicant’s credentials, so that users and relying parties can trust the information in the CA’s certificates. CAs use a variety of standards and tests to do so. In essence, the Certificate Authority is responsible for saying, “yes, this person is who they say they are, and we, the CA, verify that”.
If users trust the CA and can verify the CA’s signature, then they can also verify that a given public key does indeed belong to whoever is identified in the certificate.
Not all Certificate Authorities are created equal
For businesses considering a choice of CA providers, it is important to remember that your choice does in fact matter. Not all SSL certificates are issued equally, and businesses should consider the level and rigor of authentication and security that goes into the SSL certificates in which you place the trust of your brand and your customers. Organizations should ensure that CAs publish their policies and undergo routine audits to ensure a secure infrastructure. Regrettably, there is no minimum standard within the current SSL certificate market. Although price certainly plays a significant role in the purchasing process, as the multiple CA breaches this year have reminded us, we suggest price should be but one of many factors in selecting a CA. When evaluating a CA we urge you to take into account the following considerations:
- Diligence of the security used by the CA to protect cryptographic keys
- Specifically designed hardened facilities to defend against attack
- Hardware-based cryptographic signature systems
- Regular third party audits
- Thorough network security and antimalware defense
- Enforcement of dual control certificate issuance used by the vendor
- Use of authentication/registration best practices to identify ownership
- Documented CA employee background investigations to protect against insider threat
- Strong history of the vendor’s trust and security
For consumers, it is important to know that SSL remains the most effective method of secure web data transmission. It is equally critical to remain aware of who is behind the security of the web site with which you are doing business. Are they reputable? Do they have a proven track record of certificate issuance? Do they have a robust infrastructure in place to prevent these types of attacks? To further protect yourself online, know what to look for:
- Updated browser software to obtain the latest set of valid root keys
- Watch for the green address bar provided by Extended Validation (EV) SSL for extra protection
- Look out for a recognized trust mark such as the Secured Seal.
- Keep an eye out for the ‘s’ in “https” in the URL to indicate a secure environment
- Watch for the padlock to verify who has signed the SSL certificate, and ensure that you recognize the CA
At the end of the day, it is important for the community to understand that there is nothing inherently broken with SSL; it is really just about CAs and businesses doing the right thing and ensuring that consumer information remains secure. CAs that follow established best practices for securing private keys, along with vigilant enforcement of stringent authentication practices, are critical components in keeping the Internet a safe environment for all.
Below are Certificate Authorities that provide trusted SSL certificates.
RapidSSL is an internet security specialist, focused on providing small and medium businesses with strong 128/256-bit encryption, industry-standard SSL certificates. RapidSSL® is dedicated to being the lowest-cost provider of SSL to the entry-level marketplace and offers a number of SSL certificate brands.
GeoTrust is the world’s second largest digital certificate provider, and a leader in a wide variety of Identity and Trust services. GeoTrust’s comprehensive array of technologies enables organizations of all sizes to secure e-business transactions cost effectively.
Thawte has a history that gives a uniquely cosmopolitan view of business – one that reflects a truly international perspective. The focus of Thawte® remains on extending a trusted relationship on the internet to anyone, anywhere, as its commitment to the egalitarian ethos of the internet.
VeriSign continues to lead the SSL certificate industry as a member of the CA/Browser Forum, a standards-making body focused on high-assurance SSL certificates. SGC-enabled SSL certificates provide 128- to 256-bit encryption to over 99.9% of web site visitors, including the tens of millions who use certain older versions of Microsoft® Windows and Internet Explorer.