Quality SSL by BitEngines
Nellikevaenget 12
2625 Vallens baek
Denmark

Email: support@qualityssl.com
WWW: http://www.qualityssl.com/



© 2002 BitEngines. All Rights Reserved.
Introduction

Today, online commerce is worth an estimated US$1 trillion and continues to grow at a substantial rate. One of the key success factors for e-commerce has been the implementation of highly available security technology into browsers and web servers – in particular SSL. SSL (Secure Sockets Layer) is the transaction security protocol used by hundreds of thousands of websites to protect online commerce.

The widespread use of SSL has invariably encouraged online commerce and helped it rise to its current levels. As a result our Internet economy has come to depend on SSL as a security and trust infrastructure, but what does the little yellow padlock really mean to the user? More than some SSL Providers would have you believe...

Since the SSL protocol was released by Netscape as a security technology in 1996, consumers have been educated to look for the SSL padlock before passing any critical details over the Internet. Technically, the SSL protocol provides an encrypted link between two parties; however, in the eyes of the consumer, seeing the SSL padlock in their browser means much more:

- That they have a secure (encrypted) link with the website
- That the website displaying the padlock is a valid and legitimate organization or an accountable legal entity

As well as ensuring that their details remain secure during a transaction, consumers also care whether the website they are dealing with is legitimate. In order to solve the critical issue of identity assurance as well as information security on the Internet, the efforts of SSL Providers (Certification Authorities), consumer magazines and industry bodies have rightly resulted in the SSL padlock becoming synonymous with trust and integrity – factors consumers associate with being legitimate.

This paper examines how we use SSL commercially and how good validation processes play a critical part in the preservation of a trusted e-commerce infrastructure.

What is SSL?

Secure Sockets Layer, SSL, is the standard security technology for creating an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browser remains private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers. In order to be able to generate an SSL link, a web server requires an SSL Certificate.

Who can issue SSL Certificates?

SSL Certificates can be issued by anybody by using freely available software such as OpenSSL or Microsoft's Certificate Services manager. Such SSL Certificates are known as "self-signed" Certificates. However, self-signed SSL Certificates are not inherently trusted by customers' browsers and, whilst they can still be used for encryption, will cause browsers to display "warning messages" – informing the user that the Certificate has not been issued by an entity the user has chosen to trust.

[Figure: Warning message IE users will see from a self-signed SSL Certificate]

[Figure: Warning message Netscape users will see from a self-signed SSL Certificate]

Such warnings are undesirable for commercial sites – they will drive away customers. In order to avoid such warnings the SSL Certificate must be issued by a "trusted certifying authority" - trusted third party Certificate Authorities that make available "trusted" SSL Certificates.

Who is a trusted certifying authority?

Browsers and Operating Systems come with a pre-installed list of trusted Certification Authorities, known as the Trusted Root CA store. As Microsoft and Netscape provide the major operating systems and browsers, they have elected whether to include the Certification Authority in the Trusted Root CA store, thereby giving it trusted status.

[Figure: The Microsoft trusted root CA store]

[Figure: The Netscape trusted root CA store]

SSL certificates issued by trusted Certification Authorities do not display a warning and establish a secure link between website and browser transparently. In such circumstances, the padlock signifies the user has an encrypted link with a company who has been issued a trusted SSL Certificate from a trusted Certificate Authority.

What does a Certification Authority do before issuing a trusted SSL Certificate?

The SSL protocol did not originally include the provision of business identity within the SSL Certificate; however, due to the fact that the first Certificate Authorities, for example Verisign, have a policy of only issuing SSL Certificates to validated entities, consumers now expect such website identity assurances. Market education through the consumer press and industry bodies has also added to people's perception of the SSL padlock as indicating a secure and authentic site.

As a result of their "trusted" status, Certification Authorities have a responsibility to ensure they only ever issue SSL Certificates to legitimate companies. This may only be achieved by employing stringent validation processes to ensure issuance practices only allow the SSL Certificate to be issued to a legitimate company. After all, anyone relying on the presence of an SSL Certificate will do so not just for the encryption factor, but also to indicate the legitimacy of the site.

Whether they realize it or not, consumers dictate that Certification Authorities have a duty to perform satisfactory validation for all SSL Certificate applicants. If validation is weak, consumer confidence in SSL Certificates will be undermined. Gartner has recently examined the consequences of weak validation in their report "Secure Sockets – sometimes isn't", and how consumer web-based commerce could be dramatically inhibited.

All SSL Certificates are Not equal!

The value of SSL is protected by the strength of a standard two-point validation process:

Step 1: Verify that the applicant owns, or has legal right to use, the domain name featured in the application.
Step 2: Verify that the applicant is a legitimate and legally accountable entity.

The compromise of either step endangers the message of trust and legitimacy provided to the end consumer.

Companies such as GeoTrust, through its QuickSSL and FreeSSL products, and IPSCA, the Spanish SSL Provider, perform only the first stage of the two-step validation process (as employed by all other SSL Providers) by only verifying that the applicant owns the domain name provided during Certificate application. This validation step relies on the use of Domain Name Registrar details to validate ownership of a domain name and then a challenge email is sent to the listed administrator of the domain name. If the challenge is met with a successful reply, the Certificate will be issued.

Anybody who has purchased a domain name knows that when completing the ownership details, any company, organisation or person can be the named owner – these records are not validated! So by relying solely on such records, potentially untrustworthy information is being trusted. Bizarrely, GeoTrust even refer to this cut-down domain-control authentication process as being stronger than traditional two-step validation – which includes both the domain name ownership validation step and the added step of business legitimacy verification.

To protect themselves, GeoTrust insert the term "Organization Not Validated" into the issued Certificate. This term is visible to all customers visiting the website using the issued SSL Certificate. Whilst the term no doubt protects GeoTrust from any potential legal recourse, it also means that a website's customer gains little comfort in the trustworthiness of the site – after all, as far as the customer is concerned the Organization has NOT been validated!

Trusted certificates are more than just encryption!

If a website is only interested in providing encryption to its visitors it can do so by using a free self-signed Certificate – there is no need to pay a Certification Authority for a trusted SSL Certificate.

The "not trusted" warning message will even let the customer know that whilst the website can provide encryption, it does not provide trust.

Without sufficient validation processes, SSL Certificates are simply encryption certificates. Such Certification Authorities are trusted by browsers for a reason – to provide trustworthy certificates. Conducting only weak validation undermines why a Certificate Authority must be a trusted entity and begs the question of why companies should pay for an untrustworthy certificate that consumers, through no fault of their own, inadvertently trust.

In their white papers on SSL, GeoTrust strongly publicize that SSL is NOT for trust and only for encryption and consequently use the argument to justify their lack of business legitimacy validation. However, if SSL is for encryption only, why is there a need to display "Organization Not Validated" in their SSL Certificates?

The presence of this warning message is effectively admitting that the consumer, i.e. the party relying on the SSL Certificate, does not inherently know that the SSL Certificate is for encryption only and should not be relied on for business legitimacy. In other words, the consumer must be told that the SSL Certificate does not provide the trust they believed it ordinarily would have.

By displaying the "Organization Not Validated" message, GeoTrust is trying to remove the current association of business legitimacy with SSL. As this message is embedded into the Certificate, where all but expert users will be able to find it, consumers are in danger of inherently misinterpreting the intended usage of such Certificates.

The dangers of weak validation

Companies using weakly validated Certificates risk losing the trust of customers who rely on such Certificates when they discover the Certificate stands for "encryption" only. Without the assurance that the company behind the site is legitimate, the customer will go elsewhere to conduct their business. Can a company really afford to lose customers simply because of their choice of SSL provider?

Only by choosing a strongly validated SSL Certificate from a provider who performs two-step validation processes can the user expectations of SSL be realised, and ultimately preserved. Consumers have long associated SSL with more than just encryption. Yet, by removing sufficient validation, the Certificate Authority is not fulfilling its responsibilities to deliver the trust in a "trusted certificate".

In an environment where trust goes hand in hand with commercial success, removing validation from the very products used to provide such trust is not only dangerous but also poses a long term threat to the Internet economy.

SSL Providers retailing non-validated Certificates will often attempt to sell a "Trust" only product. The downside to this exercise is that websites are forced to purchase both an SSL Certificate and a Trust product just to gain both encryption and trust functionality, whereas a fully validated SSL Certificate can already provide both.

QualitySSL, like Verisign, Thawte, Baltimore and Entrust, is serious about the validation employed in SSL Certificate applications. If you wish to maintain the trust of your customers, we strongly believe that you should be serious about validation too.

What an SSL Certificate should tell the site's visitors

QualitySSL is at the forefront of providing fully qualified SSL Certificates. Digital Signature legislation is catching up to how digital certificates are used commercially and appreciates that applications such as SSL mean much more in commercial terms than just encryption. The EU Directive on Digital Signatures is considered by many to be a milestone in how online identities and transactions are being aligned in legal terms with their physical world counterparts.

Part of the directive covers "Qualified Certificates" – digital certificates that have been issued to validated entities, and whose identities are contained within the certificate itself.

QualitySSL Certificates contain the following critical identification information within the SSL Certificate:

- Common Name – the fully qualified domain name for which the SSL Certificate is to be used
- Organization Name
- Organization Unit
- Street Address
- City / Town
- State / Province
- Zip / Postal Code
- Country

All the above information is validated by QualitySSL, ensuring customers receive their Certificate quickly, but without the risks associated with weak validation. This places QualitySSL at the forefront in delivering SSL Certificates that comply with legislation even before it becomes law to do so!
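
The difference between a self-signed, a domain-only and an organization-identifying Certificate can be read from the subject fields listed above. The following Python code is an added example, not part of the original paper or QualitySSL's own tooling; it takes the dictionary shape returned by `ssl.SSLSocket.getpeercert()`, and the sample certificates, the `Example CA` name and the field carrying the "Organization Not Validated" term are constructed assumptions. It reports what the Certificate asserts, not how the issuer validated it.

```python
"""Added example: what identity does a certificate subject actually assert?
Input has the shape returned by ssl.SSLSocket.getpeercert()."""

# Subject fields the paper lists, using OpenSSL's long attribute names.
IDENTITY_FIELDS = ("commonName", "organizationName", "organizationalUnitName",
                   "streetAddress", "localityName", "stateOrProvinceName",
                   "postalCode", "countryName")
MARKER = "organization not validated"  # term quoted in the paper


def flatten(name):
    """Turn a tuple of RDNs into {field: [values]}."""
    out = {}
    for rdn in name:
        for key, value in rdn:
            out.setdefault(key, []).append(value)
    return out


def assess_identity(cert):
    subject = flatten(cert.get("subject", ()))
    issuer = flatten(cert.get("issuer", ()))
    disclaimed = any(MARKER in v.lower() for vals in subject.values() for v in vals)
    if not subject:
        level = "no-subject"
    elif subject == issuer:  # name match only; the signature is not checked here
        level = "self-signed"
    elif disclaimed or "organizationName" not in subject:
        level = "domain-only"
    else:
        level = "organization-asserted"
    missing = [f for f in IDENTITY_FIELDS if f not in subject]
    return {"level": level, "disclaimed": disclaimed, "missing": missing}


# Constructed sample certificates (not real; names and CA are placeholders).
CA = ((("organizationName", "Example CA"),),)
SELF_SIGNED = {"subject": ((("commonName", "shop.example"),),),
               "issuer": ((("commonName", "shop.example"),),)}
DOMAIN_ONLY = {"issuer": CA, "subject": (
    (("commonName", "shop.example"),), (("organizationName", "shop.example"),),
    (("organizationalUnitName", "Organization Not Validated"),))}
FULL = {"issuer": CA, "subject": tuple(((f, "value-%d" % i),)
                                       for i, f in enumerate(IDENTITY_FIELDS))}

if __name__ == "__main__":
    for name, cert in (("self-signed", SELF_SIGNED), ("domain-only", DOMAIN_ONLY),
                       ("full", FULL)):
        print(name, assess_identity(cert))
```
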


QualitySSL – trusted SSL Certificates at cost effective prices!

QualitySSL is the only SSL Provider to offer responsible companies the
option to opt for fully validated and highly trusted SSL certificates at cost
effective prices. With the availability of QualitySSL, there is no longer
any need to opt for more expensive non-validated, untrustworthy
encryption only SSL certificates.



