Security Certificates

Security is a hot topic among website issues, as identity theft and other security concerns have become well-known. Having a security certificate on your website can

protect sensitive information that is transmitted across the internet and
reassure your visitors about your credibility -- that you are who you say you are

SSL (or TLS) Security Certificates

The most common type of secure transmission uses a Secure Sockets Layer (SSL) -- which is now officially called Transport Security Layer (TLS). SSL/TLS is an encoding scheme that prevents eavesdropping, tampering, and forgery of internet transmissions.

A critical piece of the SSL/TLS encoding scheme is the digital certificate. A digital certificate includes the domain name of the website server, the name of the certificate authority, and the server's public encryption key. The digital certificate plays several roles in securing transactions and reassuring the visitor.

Typically, a digital certificate can only authenticate one complete domain name -- excluding alternate subdomains. Wildcard certificates are the exception to this general rule and are generally priced accordingly.

To top

Encryption and the public/private key-pair

The most critical part of the digital certificate is the public encryption key. This, together with the private encryption key that is established at the issuing of the certificate, is the set of key codes used to establish a secure connection between the website server and the visiting browser/computer. Once the secure connection is established using the public/private encryption key-pair, then all data (e.g. passwords, credit card numbers, etc) transmitted between the two computers over the secure connection will be encrypted. Such encryption prevents others from eavesdropping on or tampering with the transmission.

Secure connections generally have https:// at the beginning of their URL, instead of the more common http:// . And most browsers also show a successfully encrypted page with some sort of icon of a locked padlock. Current industry standard is a 128/256-bit encryption level.

The private encryption key allows for unlocking your SSL transmission. You must keep it secret at all time.

To top

Ubiquity: Certificate Authority and Trusted Websites

The certificate authority (CA) is typically a third-party website owner that provides digital certificates (usually for a fee). The digital certificate includes the identity of the issuing certificate authority. With the CA's identity, the visiting internet browser will be able to check on the authenticity of the digital certificate. Checking with the CA is a step designed to prevent certificate forgeries.

If a particular CA is not already listed as "trusted" in a visitor's browser, a security precaution will popup asking if the browser should trust the designated CA. Most major internet browsers come pre-installed with a short list of trusted certificate authorities -- which allows websites affiliated with those CAs to bypass the manual security check. The user can add additional CAs to the trusted list (or remove them).

Since many users are put-off by the manual security check on an untrusted CA, digital certificates provided by pre-trusted CA's provide a measure of additional credibility and ease of use for most visitors. The CA's browser "ubiquity" refers to its prevelance as a pre-installed, trusted CA (high ubiquity meaning that the CA is commonly pre-installed -- and almost universally accepted).

Pre-trusted Certificate Authorities are listed at the following links:

Firefox/Mozilla: http://www.mozilla.org/projects/security/certs/included/
Safari:
Internet Explorer:

To top

Additional Levels of Authentication

In addition to providing for encryption of data transmissions, the digital certificate also serves to authenticate that the website in question is, in fact, owned by the company it claims to be. Thus, digital certificate vendors are responsible for validating a website owner's identity in some fashion before they issue a digital certificate.

A "self-signed" certificate involves generating your own certificate and serving as your own certificate authority.
Provides: technical requirements of the SSL transaction.
Issued: as needed
A "low assurance" or "domain validated" certificate simply involves checking the ownership (whois record) of your domain before activating certificate.
Provides: technical requirements of the SSL transaction; third-party confirmation of domain ownership.
Issued: instantly or in minutes
A "high assurance" or "standard" certificate involves both checking domain ownership and confirming the owner's identity through additional documentation and/or checks (such as phone records, D&B number, etc).
Provides: technical requirements of the SSL transaction; third-party confirmation of domain ownership; information about the validity of the business's real-life identity.
Issued: in hours or days
An "extended validation" (EV) certificate is a newer type certificate which purports to offer a higher standard of identity check -- including both domain ownership and the owner's business identity. Guidelines for issuing EV certificates are more clearly established, compared to standard (high assurance) certificates.
Provides: technical requirements of the SSL transaction; third-party confirmation of domain ownership; information about the validity of the business's real-life identity; visible credentialling (in EV compatible browsers) according to a more standardized process.
Issued: in days to weeks

Many vendors offer multiple certificate products, featuring (and charging for) different levels of authentication.

A self-signed certificate is generally adequate for internal transactions (e.g. webmail), but not advisable for most e-commerce.

Low assurance certificates provide adequate assurance of your identity to the many visitors who will not know to click through to see if the company's information is listed in the certificate. Many visitors know to look for the https:// and padlock icon, but go no further than that.

A high assurance certificate provides additional assurance to those visitors who know and bother to check the details. Meanwhile, the new extended validation certificates provide a more visible level of credentialling feedback -- if viewed in a newer EV compatible browser (e.g. IE7, Firefox3, etc).

Additionally, with many vendors provide special logos that can be displayed on the website, which may indicate an additional level of credibility.

As outlined above, the differences between these different kinds of certificates are less about technical specifications and more about issues in establishing a business's credibility. The standard 128/256 bit encryption of the data transmission is pretty standard across both brands and certificate levels. However, in terms of establishing credibility, the more historic certificate authorities (such as Verisign, Thawte, Geotrust, and Network Solutions) may have the best name recognition (and market share) in terms of selling consumer confidence.

To top

Choosing a Certificate Authority

Like any purchase, you should consider and balance several factors when choosing a certificate authority.

Encryption level - 128/256-bit encryption is standard. Some older browsers use 40-bit encryption.
Audience - Is your SSL transaction intended to reach internal audiences (e.g. webmail) or more public audiences (e.g. e-commerce)? How important is it for your certificate to enhance your credibility with this audience?
Trust - The goal of a SSL certificate is to prove your identity and therefore trust is an essential part of the transaction. You need a certificate authority that you and your visitors will be able to trust.
Ubiquity - Is the certificate authority recognized as "trusted" by most freshly installed internet browsers?
Cost - The cost to purchase a digital certicate varies widely, depending on vendor, validation level, and expiration period.
Ease of acquisition - Certificates that require more extensive identity validation will take longer to acquire.
Warranty - High warranty levels make for good talking points, but may be misleading. An SSL warranty is a warranty to the end user and applies only if (1) a certificate has been obtained by fraudulent means and (2) the end user loses money as a result of that fraud.
Expiration period - As unintuitive as it may seem, a shorter expiration for your digital certificate is actually safer. A longer renewal period gives unsavory types more time to attempt to crack your encryption.
Technical Support - Is tech support available by phone, email, online chat, etc?

To top

Precautions before purchasing

Make sure your domain's whois data is up to date. The validation process may involve calling the phone number listed in your whois data for authentication.
Your private encryption key will be used by your website server to decode encrypted conversations. It is very important to keep this encryption code secret.
More information:
www.sslshopper.com
http://www.whichssl.com/ (sponsored by a certificate vendor)

To top

Recommendations

We recommend www.sslshopper.com as a great price comparison tool. In choosing a SSL vendor, you should discern the right balance between price and customer assurance for your needs.

Free certificates:

StartSSL has medium ubiquity (trusted by Firefox/Mozilla and Safari, but not by Internet Explorer. CACert has low ubiquity, but may be useful for projects needing assurance slightly better than a self-signed certificate.

Inexpensive, high-ubiquity, low-assurance certificates:

GoDaddy - Standard SSL
GeoTrust - RapidSSL

GoDaddy offers rock bottom prices, but their growing brand recognition is associated with rock bottom prices, as well as controversial Super Bowl commercials. GeoTrust is a major player with good name recognition.

Inexpensive, high-ubiquity, high-assurance certificates:

GoDaddy - Deluxe SSL
Network Solutions - Sitesafe Basic

GoDaddy offers rock bottom prices, but their growing brand recognition is associated with rock bottom prices, as well as controversial Super Bowl commercials. Network Solutions has good name recognition.

Inexpensive, high-ubiquity, EV certificates:

Network Solutions - Sitesafe SSL EV

Best known brands for customer assurance:

Verisign - Premium SSL brand.
Thawte - Strong SSL brand (owned by Verisign!)
GeoTrust - Strong SSL brand. Many of their certificates use an Equifax certificate root, which may have better name recognition than Verisign among some audiences. (GeoTrust is owned by Verisign too!)
Network Solutions - Well-known and historic name in the domain name industry -- although security certificates are not their most well-known product.