
SSL Certificates: A Simple Solution to Website Security



Secure Sockets Layer (SSL) Certificates, also known as digital certificates, assure you and your customers that your business website and the transactional information entered there are encrypted, private, and protected. A properly acquired and installed SSL certificate confirms the legitimacy of your site and its ownership, as well as the security of the connection established between your site and your customer’s browser. The SSL certificate contains information about the owners of the website and about the Certificate Authority that issued the certificate. Certificate Authorities (CAs) are third-party verifiers that authorize and endorse the legitimacy of websites. Browsers inherently trust an SSL certificate if it is current and is issued by a reputable CA. The process of verifying an authenticated Certificate and establishing secure communication is called “the handshake.” No confidential information is transmitted until the handshake is complete.

If your business or organization conducts any kind of private and confidential communications involving sensitive information or transactions, those aspects should be protected by SSL Certificate security. There are many types of SSL Certificates. Depending on the level of security and authentication you require, you can choose from Self-Signed, Local, Domain Validated, Organizationally Validated, or Extended Validation. Each level of SSL requires a different type of authentication and offers different features.

A site that is protected by an SSL Certificate provides a visual indication to you and your customers that security has been established and that it is safe to transact. The common indicators include the locked padlock symbol, the “https” prefix in the browser address bar, a site seal symbol displayed on the website, and, with the Extended Validation Certificate, a green browser address bar.
SSL Certificates are a simple, affordable and smart way to provide enhanced security and outside verification of a website’s security. Additional benefits include increased customer confidence, compliance with regulatory requirements, extra protection for your business reputation, and defense against possible penalties and criminal prosecution. Continue reading to learn more about the basics of SSL Certificates, how they work, why you need one, how to get one, and how they can increase customer confidence and online sales.

What Is SSL and How Does It Work?

Security is essential to conducting business online and is foremost in the minds of your customers. No one wants to get burned through an online transaction they assumed was safe. That’s why effective security must flow both ways. This two-way protection is at the heart of SSL security.

SSL (Secure Sockets Layer) Certificates were created to vouch for site identity so that users can feel confident in their online transactions. These Certificates are issued to qualifying companies, and they indicate that a company is validated and is properly using the SSL protocol. This security protocol (SSL) guarantees that information exchanged between two parties (client and server applications) is encrypted – or translated into code – and protected from outside observation or interception.

Specifically, SSL works like this: When your customer requests a secure transaction – such as clicking on a “Buy” button on your website – both your server and your customer’s Web browser prioritize the establishment of security.

© 2009 Network Solutions, LLC

Network Solutions, 13861 Sunrise Valley Drive, Herndon VA 20171

networksolutions.com

That “Buy” button, like all other calls for secure transactions, initiates a different type of URL (Web address). Instead of the familiar “http” prefix, secure transaction URLs begin with “https.” The “s” stands for “security.” In addition to the URL prefix, a closed SSL padlock also tells a user their transaction is secure.

Your Web server, recognizing the https request from the browser, shifts all subsequent communications to a specific “port” (channel) recognized by both parties as a secure communications path. The customer’s browser then requests that the server identify itself by sending an SSL certificate that guarantees the authenticity of the site and initiates secure, encrypted communications. The SSL certificate contains information about the owners of the website and about the Certificate Authority (CA) that issued the certificate. Certificate Authorities are third-party verifiers that authorize and endorse the legitimacy of websites. Browsers inherently trust an SSL certificate if it is current and is issued by a reputable CA, since trusted CAs will only issue certificates to websites after validating the legitimacy of that site.

Next, the server and browser compare notes on the algorithms (mathematical tools) the browser uses to encrypt confidential information, such as account numbers used to make the purchase. After selecting the appropriate encryption algorithm, the browser and server implement the selected algorithm using a digital certificate key to “lock” and “unlock” all ensuing communications. This process is called “the handshake.” No confidential information is transmitted until the handshake is completed and absolute security is established. Once it is established, all further secure communications are translated into code before transmission and un-translated only after receipt, protecting the security of the confidential information.

Types of SSL Certificates

A variety of SSL Certificates have been created for varying needs. Self-Signed or Local Certificates are generated by the owner of the server and do not involve third-party Certificate Authorities. They do not offer the level of assured security that your customers expect and typically cause the browser to warn visitors not to trust the website.

Third-party Certificate Authority (CA) verification of an SSL Certificate brings a far higher level of trust and assurance to the process; in fact, the leading CAs are recognized as trusted authorities by the browsers. That authority provides you and your customers with an essential “extra” layer of confidence in the transaction’s security.

CA Validated Certificates include:

Domain Validated (DV) Certificates: The validation procedure is least rigorous for a Domain Validated Certificate. Before issuing a DV Certificate, the CA checks only that the applicant’s name and contact information match the registration information in the WHOIS database for the domain name associated with the SSL Certificate. DV Certificates are a good choice for businesses whose customers and employees will not be transmitting sensitive data, that have a trusted user base, or that intend to use the certificate only on internal servers such as email or intranets.

Organizationally Validated (OV) Certificates: CAs issue OV Certificates only after verifying the legitimacy of the applicant’s business. That verification includes checking business credentials (Articles of Incorporation and so on) as well as the legitimacy of the business’s Web and physical addresses. For businesses accepting credit cards and processing other sensitive information, OV Certificates are a good choice.

Extended Validation (EV) Certificates: EVs provide a validation process that employs industry-wide standards established by leading CAs and browser developers. EV Certificates are available to all business and government entities, but are not available to individuals. The EV application process is more rigorous and detailed than for any other Certificate. With an EV in place, certain features alert users to sites with appropriate and acceptable security levels – for example, the browser navigation bar in Internet Explorer® 7 turns green.

In addition to SSL indicators such as the locked padlock, https prefix, and green address bar (for EV), most CAs provide customers with images or “Seals” to place on their websites. When clicked, these Seals provide information confirming the authorized status of the site in question. For organizations that do not have a need to sell or transact online, some CAs offer a stand-alone “site confirm seal.” This site seal simply validates a website to show it is a legitimate business but does not include encryption capabilities.

How Do Your Customers Know Their Information Is Secure?

Fortunately for all involved, the handshake, Certificate exchange and verification, and the encryption/decryption processes take place quickly and invisibly behind the scenes. However, essential visual cues will tell you and your customers that security has been established:

The Padlock: When engaged in a secure transaction online, your browser will display a locked padlock symbol, a quick visual reassurance that the communications are, indeed, secure and encrypted. Clicking on the padlock reveals the CA, confirms the Web address and the name of the business, and shows additional details such as the certificate expiration date.

HTTPS: In addition to the address beginning with https, browsers often indicate secure communications in the browser’s address bar (the space where URLs are entered and displayed) by displaying a color to indicate the security status of a website. (With Extended Validation – see above – the address bar turns green in some browsers.)

Site Seal: Certificate Authorities typically offer Site Seals with their Certificates as visual symbols assuring that the site and transactions are protected and secure. Businesses display these symbols prominently on their websites to promote the fact that their site is validated and safe.

Who Needs an SSL Certificate?

If your organization – whether a business, investment club, organization that collects dues, etc. – conducts any sort of private and confidential communications involving sensitive information or transactions, those aspects should be protected by SSL Certificate security. Specific examples include:

Ecommerce: Credit card, shipping address, social security number and other confidential information should always be protected by an SSL Certificate.

Business Accounts: If your business or service encourages customers and clients to establish password-protected accounts – e.g., for private consultations or forums – those activities should take place behind SSL security.


Financial Advice and Information: While banks and other financial institutions should obviously adhere to SSL Certificate use, other types of financial institutions that do not enact transactions nonetheless require transaction-level SSL security. Insurance firms, accounting and tax services, financial advisers, and so on, should use SSL Certificate protection if clients are providing sensitive information in online forms.

Healthcare and Related Services: In addition to protecting the privacy of clients and/or patients, healthcare professionals and healthcare services are subject to strict privacy compliance rules. Compliance regulations extend to human resource departments handling health insurance claims and information. Any health-related information transmitted via the Web should be SSL protected.

Extranets: As with business accounts, extranets and other online meeting places where business information and materials can be viewed – a new ad campaign, for example, or schematics for a new product – should be SSL secure. Bear in mind that for you and your customers and clients, original creative material has value that should be protected.

Intranets: Because large amounts of confidential and sensitive information move inside a company, among departments and between employees, as well as beyond its borders, intranets dealing in such materials should be SSL protected.

How Do I Get an SSL Certificate For My Business?

The following steps are involved in acquiring an SSL Certificate. Fortunately, CAs can simplify the process. Preliminary steps and questions you should consider include:

1. Decide which level of certification best suits your business:
   DV: for businesses that do not process transactions or other sensitive and confidential information, have a trusted user base, or intend to use the certificate only on internal servers such as email or intranets.
   OV: for most businesses this is the appropriate Certificate, verifying that your site is secure, and that transactions are encrypted and safe.
   EV: for government entities, legal corporations, general partnerships, sole proprietors and unincorporated associations that want to provide their customers with the highest levels of trust and assurance.

2. Choose a CA that is established, respected and reliable. Make sure your CA has a well-documented industry track record. Legitimate CAs will display a current “WebTrust” Certification Seal on their websites. WebTrust Certification Seals indicate that the CA has passed an audit assuring that the services provided by the CA meet the WebTrust program’s principles and criteria.

3. Be sure your CA offers Certificates that work with the most common versions of all major browsers: if your CA isn’t recognized by certain browsers, customers using those browsers will receive a message that implies that your site isn’t secure.

4. Select a CA that can provide validation quickly, efficiently and economically. Most basic certification information should be able to be processed online; for DV and OV Certificates, processing should not take more than two to three business days (and in some cases far less time).

5. Select a CA that offers around-the-clock, 365-day reliability and technical support; your CA should be available all the time – just as your online business is.

6. Select a relationship with your CA that includes ongoing support and ample notification of renewal dates. Renewal takes little time (see page 9), so your CA should permit you to apply for renewal before your existing Certificate expires.

Once you’ve selected a CA, the actual validation process begins.

SSL Lifecycle

The following stages in the life of an SSL Certificate relate primarily to OV Certificates. (DV Certificates involve a less rigorous authentication process, while EV Certificates require more information from the applicant.) For OV Certificates the lifecycle spans these stages:

1. Application and Validation

Your application to a CA will be reviewed at several levels:
- Matching the account holder (applicant) information to the WHOIS database to ensure accuracy for the domain name covered by the SSL Certificate
- Reviewing your business credentials, including business licenses, Dun & Bradstreet listing, and so on; if further information is required, you may be contacted directly
- Telephoning your business to ensure that the application is legitimate and that the person who initiated the application has the authority to do so
- Requesting further information, or denying the application, as a result of discrepancies and inaccuracies in the documentation
- Once your information is validated and approved, issuing and installing the SSL Certificate

2. SSL Installation

After your business has been validated, the Certificate installation process begins. If you are a Network Solutions® Web Hosting customer, installation is automatic and will be performed by your account manager. Otherwise, you will receive your Certificate by download from a secure server. (Network Solutions® employs secure server downloads for Certificate delivery; some CAs deliver their Certificates by email.) After receiving the Certificate, you will be guided through the process of installing it and the related Certificates that build the chain of trust that ensures accurate validation on your server.

3. SSL Reissue

Occasionally an SSL Certificate must be reissued. Causes for reissue can include:
- If you move your business to a new server
- If you change the server’s software
- If you change the name, address or other significant information about your business
- If you change Web host service providers
- If you lose or otherwise compromise your private key and, as a result, plan to revoke your Certificate
- If you accidentally delete the private key and cannot reinstall it

Under most circumstances, Network Solutions does not charge for SSL Certificate reissue. Other CAs may have different reissue policies. In some instances, the CA may require you to verify the information that you have changed prior to reissuing your SSL Certificate.

4. SSL Revocation

As noted above, there may be circumstances that prompt you to revoke your business’s SSL Certificate, including lost or compromised private keys, a change in the nature of the business making SSL certification no longer necessary, and so on. Less frequently, the CA may choose to revoke an SSL Certificate after discovering inaccuracies or improprieties in the application or other abuses of the SSL Certificate. Revocation is permanent; it cannot be reversed.

5. SSL Renewal

SSL Certificates are issued for periods typically ranging from one to four years. Once that period ends, the Certificate expires, and browsers encountering the Certificate warn customers that the SSL Certificate is no longer valid. Renewal of your SSL Certificate is essentially the same process as the original application. Information submitted to the CA is fully reviewed and validated before the new SSL Certificate is issued. The new Certificate must then be installed, and the old one deleted by the customer or by the Web hosting service provider if that provider is also a CA. Because the SSL renewal process takes a small amount of time, it’s best to make the renewal application in advance of the actual expiration to ensure that your SSL Certificate stays in place without interruption. (Some CAs will append any remaining time on your existing Certificate to the period of the new one, eliminating penalties for early renewal.)
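The checks this paper attributes to the browser during the handshake and behind the padlock (is the certificate current, was it issued by a trusted CA, does it name the site being visited) and the advice above to renew before expiry, as an added Python example that is not part of the whitepaper or Network Solutions' own tooling. The certificate, company and CA names are constructed, and the small trusted-issuer set stands in for a real browser root store.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict format that ssl.SSLSocket.getpeercert() returns;
# the company, CA and dates are made up for this example.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Store Inc"),),
                (("commonName", "www.example-store.test"),)),
    "issuer": ((("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA OV Issuer"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "example-store.test"), ("DNS", "*.example-store.test")),
}

# Constructed stand-in for the browser's root store (the "reputable CAs" in the text).
TRUSTED_ISSUERS = {"Example Trusted CA"}

def _name_field(name, key):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def _hostname_matches(pattern, hostname):
    """Match a DNS name from the certificate against the requested hostname.
    A wildcard is honoured only in the leftmost label, as browsers do."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname

def _cert_time(value):
    """Convert a getpeercert() time string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), timezone.utc)

def inspect_certificate(cert, hostname, now, renew_within_days=30):
    """Apply the checks a browser makes (current, trusted issuer, name match) and
    flag when renewal should start. An empty 'problems' list means the site would
    show the padlock; 'renew_now' is the early-renewal reminder from the text."""
    not_before, not_after = _cert_time(cert["notBefore"]), _cert_time(cert["notAfter"])
    issuer_org = _name_field(cert["issuer"], "organizationName")
    problems = []
    if now < not_before:
        problems.append("not yet valid")
    if now > not_after:
        problems.append("expired")
    if cert["subject"] == cert["issuer"]:
        problems.append("self-signed: no third-party CA vouches for this site")
    elif issuer_org not in TRUSTED_ISSUERS:
        problems.append(f"issuer not trusted: {issuer_org}")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_hostname_matches(n, hostname) for n in names):
        problems.append(f"hostname {hostname} not covered by {names}")
    days_left = (not_after - now).days
    return {
        "organization": _name_field(cert["subject"], "organizationName"),
        "issuer": issuer_org,
        "expires": not_after.date().isoformat(),
        "days_left": days_left,
        "renew_now": 0 <= days_left <= renew_within_days,
        "problems": problems,
    }

if __name__ == "__main__":
    # Mid-December: still valid, but inside the renewal window.
    print(inspect_certificate(SAMPLE_CERT, "www.example-store.test",
                              datetime(2024, 12, 15, tzinfo=timezone.utc)))
```

On a live server the same dict comes from `getpeercert()` on a socket wrapped with `ssl.create_default_context()`, which already enforces the expiry, chain and hostname checks; the function above makes those checks visible and adds the renewal reminder.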

SSL Certificate Benefits

While the obvious benefits of SSL Certificates include enhanced security, outside verification of website authenticity, etc., those benefits themselves can generate additional business value:

Increased Customer Confidence: Customers who know about SSL security and who can see on-screen that your business employs SSL Certificates will gain an immediate sense of confidence. That confidence and trust can translate into increased sales.

Protecting Your Customers Also Protects Your Business: Protecting against hackers and online criminals is about more than guarding your customers’ security. It also protects your business from, at best, having its reputation tarnished and, at worst, subjecting you to penalties and even criminal prosecution.


Regulatory Compliance: Many federal and state regulations, as well as financial industry standards, require businesses and institutions to provide security both for customer transactions and customer information. Among the compliance regulations:

Gramm-Leach-Bliley Act of 1999: While primarily concerned with banking regulation, this act also requires that all confidential information be securely encrypted during all transmissions.

Health Insurance Portability and Accountability Act (HIPAA): Requires that healthcare professionals employ strong encryption procedures when transmitting confidential patient information.

Payment Card Industry Data Security Standard (PCI DSS): This industry standard establishes data encryption standards for transmission of credit card and other transaction information; it also addresses encryption standards for wireless networks.

These are only three of the growing number of compliance and regulatory standards for encrypting confidential information. While you should check with your attorney or a compliance specialist to determine which regulations apply to your business, you should also be aware that the most effective and successful businesses treat customer security as a responsibility as well as a requirement.

An Unacceptable Risk

In today’s high-threat online environment, operating a business without the protection, confidence and reliability of SSL Certificate authentication is risky. It’s also irresponsible and, as shown above, may be illegal under any number of compliance regulations. Data breaches, identity theft, phishing scams and other incidents of compromised customer information are too common for comfort. These security breaches result in compromised customer data, ruined business reputations, or class action lawsuits for failing to provide easily acquired and implemented security procedures. Whether a case involves millions of customer records, such as a department store security breach, or is a single incident of a small business “losing” a customer’s data, the situation is inexcusable, the more so for being so easily avoidable.

Adding an SSL Certificate to your website is simple, affordable and smart. It not only protects your customers, it protects your business and can result in higher sales conversions. Security: You owe it to your customers – and your business.

About Network Solutions®

Network Solutions, a leading provider of Web solutions and the pioneer of the domain name registration service, draws on decades of experience to make it quick and affordable for customers to build and manage an online presence. Our full range of Web-related services includes:
- Web hosting
- Web design
- E-commerce software
- Search Engine Marketing
- SSL Certificates
- E-mail services
- Domain name registration

For more information, please visit www.networksolutions.com or call 1-877-438-8599.
