SSL (or TLS) is Not the Problem – You Need the Right Certificate and a Reliable Certificate Provider

vpatel's picture

Recent situations of mis-issued certificates have created some confusion for consumers and web site owners– wondering if SSL is still a secure method for on-line transactions.  The answer is still yes, but the web site owner is on the hook to make the right choice when it comes to their SSL certificate.    

In the past, Web Site Administrators automatically focused their research on the basics: is the cert for internal use only or also external use, how will it be used, and what are the technical requirements.  While this focus is crucial to achieving correct functionality, Web Site Administrators and especially their managers are increasingly taking into account the all-important Trust Factor.

But first let’s review the basics.  There are three types of certificates established by the CA/Browser Forum industry organization that offer three different levels of validation: Domain Validated certificates, Organization Validated certificates, and Extended Validation certificates. 

Domain Validated certificates identifies the web site name.  This means the CA (Certification Authority) will verify the existence of the web site domain and that the certificate requestor has control of the web site domain.  The CA typically approves the certificate request via email or via an automated protocol.  It is important to note that the certificate is not identifying the actual organization that may control the domain.  Thus, Domain Validation certificates should only be used for situations where encrypted communication is the only concern and the identity of the organization that controls the web site does not need to be verified.  Not all Certification Authorities will issue Domain Validated certificates as a matter of policy.  As an example, we at HID Global do not offer these types of SSL certificates.

Moving up the line to Organization Validated certificates adds additional validation steps.  Typically the CA issuing these certificates performs vigorous validation of the requestor and the associated organization.  This includes third party validation, such as government-database stored Articles of Incorporation, and direct interaction with the requestor and the organization.  With an Organization Validated certificate, there is a confirmed link between the organization specified in the certificate and the web site protected by such certificate.  As such, Organization Validated certificates are appropriate for e-commerce web sites to provide peace of mind to the consumer that they are transacting with who they think they are. 

Extended Validation certificates require additional steps to achieve the highest level of validation.  These additional steps aim to establish such things as the organization is authorized to operate the website in a particular geographic jurisdiction, and that any individuals acting on behalf of the organization in acquiring the digital certificate have appropriate documentation signed by an authorized officer.  Leading browsers reward the end user and web site owner with a visual indicator (e.g. displaying organization name next to website address and/or a green bar) when the website is protected with an Extended Validation certificate.  As more web site visitors look for these visual indicators, there will be more pressure on Web Site Administrators and their managers to provide that additional level of validation and security.   

Of course it isn’t sufficient for Web Site Administrators and their managers to focus only on choosing the correct type of certificate for their web site functionality.  More and more they must consider the “Trust Factor” in choosing the right partner for securing their web sites with digital certificates.  If you are a manager of or are a Web Site Administrator in an organization in a regulated industry or provide services to government customers, your digital certificate provider must be above reproach in adhering to established standards, following best practices, and completing 3rd party audits.  Any doubts generated about a Certificate Authority in these areas will naturally generate doubts around the digital certificates and the web sites they secure.  In contrast, any CA that has consistently demonstrated the strictest adherence to established standards, following best practices, and has successfully withstood independent 3rd party scrutiny will enhance the ‘Trust’ and security of its customer’s websites. 

 

Want to learn more about HID Global’s leading digital certificate offering?  Visit https://www.identrustssl.com/.