How to choose a Certificate Authority for safer web security White paper

White paper
How to choose a
Certificate Authority
for safer web security
How to choose a Certificate Authority for safer web security
Executive summary
Trust is the cornerstone of the web. Without it, no website or online service can succeed in the competitive online
marketplace.
Systems are in place that help domain owners demonstrate to their users that they are trustworthy, and that their website
or service does what it should. However, these systems have come under increasing attack.
2011 has seen a spate of breaches that have targeted the systems of Certificate Authorities (CAs), the companies
that prove websites and services are secure and safe to use. Some of these attacks have undermined the trusting
relationship between users and even well-known online brands.
The changing security landscape has demonstrated that not all CAs are created equal, and choosing the right CA is
critical to running and maintaining a safe and trusted online business.
This white paper looks at the role of CAs in web security, including what measures a CA can take to promote
trust in its certificates and the criteria to consider when choosing the best CA for the job.
2
How to choose a Certificate Authority for safer web security
The role of certificate authorities
Why do sites need to be trusted?
As use of the internet has become increasingly commonplace and crucial to a wide range of applications, criminals have
found themselves with an ever-growing group of people they can target. Criminals are exploiting internet users in many
ways, including:
•
Using social engineering, bogus links and other means to direct people to sites that resemble those they
frequently use.
•
Fooling people into consciously or unconsciously giving up confidential details that can then be used for
fraudulent purposes.
•
Putting malware onto a user’s computer that quietly turns the machine into a tool for further crime.
•
Spoofing a domain, which may allow a criminal to impersonate someone sending email from that domain or
spying on their conversations. This is not just a consumer problem – businesses’ internal email systems can be
compromised in this way too, opening them up to industrial espionage.
Apart from hurting users, this activity is detrimental to the brand of the real site being spoofed. Trust is harmed when the
user no longer feels safe.
How do people using the internet know when to trust a site?
Fortunately, people are becoming increasingly savvy about the need to trust the sites they are visiting. They may not
know the explicit details of the threats they face when
dealing with malicious or compromised websites,
but they are aware that there are ways to establish
trustworthiness, including:
•
Padlock icon: The most common sign that a site
is more trustworthy than others coincides with the
use of “https” rather than “http” as the prefix to
the page’s web address.
•
Green address bar: More recently, users will
have become aware that the highlighting of part of
the address bar denotes even greater security.
Behind the scenes, the “https” is an indicator that the
The green address bar shows the name of the business verified to
use this website address and means that this web page is secure.
page is being viewed using a secure connection to the
site owner’s servers. HTTP Secure (HTTPS) combines
the standard HTTP protocol with the Secure Sockets Layer (SSL) protocol, and its use shows that the site’s servers have
been authenticated using an SSL certificate.
The colouring of the first piece of the address bar shows that the site’s owner has gone a step further and offered
themselves up for extensive vetting and authentication procedures, to prove the site is what it says it is. By doing so,
they will have gained an Extended Validation (EV) SSL certificate that the browser can recognise, leading to the special
3
How to choose a Certificate Authority for safer web security
colouring and the display of more information than usual about the site’s operators.
What is a CA and how do certificates work?
The Certificate Authority (CA) is the organisation that issues SSL and EV SSL certificates. The user can always tell which
CA issued a certificate by clicking on the padlock next to the site’s URL.
SSL certificates are based on private and public keys that are used to establish a secure connection between the user’s
computer and the site’s servers. They effectively prove that the signed public
key associated with a site really does belong to the site’s owner. The CA signs
the public key using its own private key, making the reliability of the CA (as a
protector of that private key) essential to the reliability of the public keys they
validate.
When someone visits a site with an SSL certificate, the user’s browser and the
site’s server need to ‘shake hands’ to kick off the session. The browser begins
by requesting a certificate. Once it receives and verifies this, it generates
a piece of code called a master key, and encrypts it using the public key
associated with the certificate. It then sends the encrypted master key back to
the site’s server. As that server has the private key underlying the public key, it
can decrypt the master key, which it then uses to authenticate a message that it
sends back to the client. The ‘handshake’ is now complete, and the two parties
begin a trusted session.
The user can always tell which CA issued a certificate
by clicking on the padlock next to the site’s URL.
There are different types of SSL certificate that offer varying levels of security:
•
Entry-level “Domain Validated” SSL certificates. The CA sends an email to an address associated with the
administrator of the site. The administrator uses a link or authentication token in the email to validate their domain,
and the SSL certificate is issued. However, this leaves little guarantee that the applicant is a valid business entity.
•
Fully-authenticated SSL certificates. The next step up in validating the business entity will only be issued
once the CA has verified the business’s validity and ownership, and that the applicant is authorised to request the
certificate.
•
Extended Validation (EV) certificates. This is the most visibly trustworthy form of SSL certificate. It tells the user
not only that the certificate was issued after heavy vetting, but also that the CA issuing the certificate has itself been
independently audited.
Extended Validation was introduced for a reason: in the real world, not all SSL certificates are equally trustworthy. There
are no minimum standards for SSL certificates and there are many smaller CAs or registration authorities that resell root
certificates from the larger CAs at relatively cheap prices. It is with some of these intermediaries that problems have
begun to arise.
4
How to choose a Certificate Authority for safer web security
How CAs have come under attack
2011 has seen an alarming series of CA breaches. No one has been able to compromise the systems of the most
robust CAs, suggesting that you often get what you pay for with CAs. In several cases, the security of intermediaries’
infrastructure was not up to the task, leading to problems for their partners and, above all, for their customers.
A CA’s top business priorities should be:
•
•
The continual hardening of the infrastructure that protects the cryptographic keys
Securing the authentication process that validates identity
As we have seen this year, bogus certificates and insufficient CA security have been to blame for exposing SSL-encrypted
traffic. In such cases, even genuine certificates from that issuer must be treated with suspicion, and this can cause an
entire CA to shut down.
There is no minimum standard within the current SSL certificate market. Although price certainly plays a significant role
in the purchasing process, as the multiple CA breaches this year have reminded us, price should be but one of many
factors in selecting a CA.
When evaluating a CA, it’s worth considering the vendor’s history of trust and security. This year, several CAs had to
suspend issuing certificates because their systems were actually breached, or they were unable to confirm or deny
claims of a successful attack.
Similarly, a CA’s certificates could be blacklisted by browser providers if the company does not offer strong enough
encryption in its products.
What measures can a CA take to promote trust in its certificates?
Without rigorous and diligent upkeep of the security infrastructure surrounding Certificate Authorities, CAs put their
customers and the web consumer community at-large at risk. As recent attacks have demonstrated, a CA must keep its
cryptographic keys secure. Doing so is an increasingly difficult task, and the ability of a CA to maintain absolute security
is the most critical factor when choosing where to source your SSL certificates.
Customers should only use a CA that has a strong track record of trustworthiness and employs measures including:
•
•
•
•
•
•
•
Facilities that have been designed to withstand attacks
Hardware monitoring and strong network security
Biometrics-based security for the facilities, along with dual-access control for key systems
Hardware-based systems for cryptographically signing certificates
Ensuring dual control for the issuing of all certificates with the vendor’s name on them
Employing best practices for authenticating domain ownership
Regular independent audits
5
How to choose a Certificate Authority for safer web security
What does the future hold?
Criminals and state-sponsored hackers have figured out what website owners also need to realise: not all CAs are
equal. Some CAs are more vulnerable than others, and it is becoming increasingly worthwhile for hackers to exploit that
vulnerability.
As cloud applications start to take over from traditional desktop programs, the mass of data that needs to be kept
secure keeps growing and including new types of critical information. Your customer’s trust is paramount, but a bad
choice of CA could see your business risk the exposure of not only your customers, but also your own internal data, from
mail and documents to spreadsheets and unified communications.
Recent attacks have also revealed that hackers use a variety of means, big and small, to try to penetrate CAs’ systems.
CAs must keep evolving to ensure they are ahead of the game, for their own sake as well as that of their clients.
The CA you choose has to have an infrastructure that is up to the task, along with the means to act both proactively and
reactively to any threat. Their security has to be extensive and varied. They have to have their eye on every link in the
chain. The stakes are too high to settle for less.
More information
Visit our website
www.verisign.co.uk
To speak with a product specialist
Call 0800 032 2101 or +44 (0) 208 6000 740
About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and
organisations secure and manage their information-driven world. Our software and services protect against more risks at
more points, more completely and efficiently, enabling confidence wherever information is used or stored.
Symantec World Headquarters
350 Brook Drive, GreenPark
Reading, Berkshire
RG2 6UH, United Kingdom
Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo and VeriSign Authentication are trademarks or registered trademarks of Symantec
Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
6