How to obtain the highest assurance from SSL certificates

By Maeson Maherry, Solutions Director at LAWtrust.


Johannesburg, 30 May 2012

Secure Sockets Layer (SSL) is a transport-level protocol that provides authentication and data encryption between a Web server and a Web browser, ie for sending documents across the Internet and the Web.

The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transactions involved. While there have been criticisms levelled against the protocol, it remains the only widely implemented and adopted standards-based security tool available to Web site and IT infrastructure operators. However, certificates issued by a CA are not necessarily all equal in status, says Maeson Maherry, solutions director at LAWtrust.

A certificate issued by a CA means that a correlation has been established between a company's existence, through its registration information, and the information held by the URL registration authority for that company's Internet domain. In this situation, not only are the names associated with the two entities checked for accuracy and consistency with the relevant registration authorities, but it is also checked that the requestor is employed by, and authorised to apply for the certificate on behalf of, the organisation.

An Extended Validation (EV) certificate is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria require the CA to verify the requesting entity's identity extensively before a certificate is issued: for example, all the checks are validated by an external legal practitioner, and more stringent verification measures are applied as dictated by the international CA/Browser Forum.

“An important motivation for using digital certificates with SSL was to add trust to online transactions by requiring Web site operators to undergo vetting with a Certificate Authority (CA) in order to get an SSL certificate. However, commercial pressures have led some CAs to introduce 'domain validation only' SSL certificates for which minimal verification is performed of the details in the certificate,” commented Maherry.

“Most browsers' user interfaces did not clearly differentiate between low-validation certificates and those that have undergone more rigorous vetting. Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the Web site owner has been validated or not. As a result, fraudsters, including phishing Web sites, have started to use SSL to add perceived credibility to their Web sites.

“Thus, it is important that the CA utilised for the issuing of certificates is chosen very carefully,” continued Maherry. “Fortunately, that doesn't mean utilising an overseas CA, as there are local companies, such as LAWtrust, that can be chosen to issue these EV certificates on behalf of reputable public CAs such as Entrust. Also, the major versions of the various browsers recognise an EV certificate and change the top bar on these sites to 'green bar', so as to clearly indicate this more secure situation. This clear, visual indicator of trust is implemented so as to easily allow users to recognise a high assurance site. This can be especially important where people come to a site and rely on the information, eg the JSE Web site.

“In addition, it should also be remembered that SSL certificates are not only required for server-to-browser situations, but are needed for Outlook Webmail Access, Web-based VPN access and server-to-server mutual authentication. In many instances, a company may not be aware of all the numerous SSL certificate expiry dates that exist within its organisation, many of which may well be different. This potentially exposes an organisation to a significant business risk. Again, this situation needs to be handled appropriately, and managed by a Certificate Management System, which can report on the issued certificate base and order, renew, monitor and track SSL certificates. Certificate Discovery tools can also be implemented by solutions integrators such as ourselves, who can report and manage internally issued certificates as well as the SSL certificates issued from any third-party public CAs,” concluded Maherry.
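Two of the points above, that the padlock alone does not reveal how thoroughly a site was vetted and that an organisation needs to track the expiry of every certificate it holds, can be checked mechanically from the certificate itself. The Go program below is an added example, not code from LAWtrust or from this article: it reads the CA/Browser Forum policy OIDs in the certificatePolicies extension to classify a certificate as EV, OV or DV (CA-specific EV OIDs, which browsers recognise via their root stores, are assumed out of scope and report as "unknown"), and flags certificates nearing expiry. The self-signed test certificate it constructs stands in for what a discovery scan would collect.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// CA/Browser Forum certificatePolicies OIDs: EV, and the Baseline Requirements OV and DV.
var levels = map[string]string{"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}

// ValidationLevel reports the assurance level a certificate claims; the padlock alone does not.
func ValidationLevel(c *x509.Certificate) string {
	for _, p := range c.PolicyIdentifiers {
		if lvl, ok := levels[p.String()]; ok {
			return lvl
		}
	}
	return "unknown" // no CA/B Forum OID; a CA-specific EV OID would need a per-CA table
}

// NeedsRenewal flags a certificate whose notAfter falls within warnDays of now.
func NeedsRenewal(c *x509.Certificate, now time.Time, warnDays int) bool {
	return c.NotAfter.Before(now.Add(time.Duration(warnDays) * 24 * time.Hour))
}

// NewTestCert builds a constructed self-signed certificate carrying one policy OID (test fixture).
func NewTestCert(policy asn1.ObjectIdentifier, lifetime time.Duration) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// certificatePolicies (2.5.29.32) is a SEQUENCE OF PolicyInformation{policyIdentifier}.
	val, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{policy}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(lifetime),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run against certificates collected from live hosts, the same two functions give the inventory report the article describes: which sites carry EV assurance and which certificates fall due for renewal.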

For further information, please contact Christi Peens; tel. (012) 676 9240; fax (012) 665 3997; e-mail christi@lawtrust.co.za.

LAWtrust

LAWtrust is a specialist IT application security integrator and developer, assisting organisations to create trust in their information and transactional systems, which will enable real business to be done securely and efficiently. LAWtrust, a member of the LAW Holdings Group, is the security partner of choice for organisations in the areas of cryptographic-based security such as digital certificates, PKI, digital signing, encryption, integrity and non-repudiation.

LAWtrust has become the first accredited Authentication Service Provider in South Africa, under the requirements of the ECT Act of 2002, for the provision of Advanced Electronic Signatures. Accredited Advanced Electronic Signatures (AeSigns) are the only signatures that are deemed by law to have been valid and applied correctly by the signatory. These high assurance signatures are the equivalent of a handwritten signature verified to be true by a handwriting expert and thus can be relied on implicitly in all forms of transactions, approvals, contracts and certified copies.

LAWtrust is rated as a level 2 contributor BBBEE company and includes customers in both the public and private sectors such as the largest departments in central government and the 'Big Six' banks.

Editorial contacts

Paul Booth
Global Research Partners
(082) 568 1179
pabooth@mweb.co.za