Why Strong Validation Processes for SSL are Essential for the Preservation of Trust in the Internet Economy
Introduction
Today, online commerce is worth an estimated US$1 trillion and continues
to grow at a substantial rate. One of the key success factors for e-commerce
has been the implementation of highly available security technology into
browsers and web servers - in particular SSL. SSL (Secure Sockets Layer)
is the transaction security protocol used by hundreds of thousands of
websites to protect online commerce.
The widespread use of SSL has invariably encouraged online commerce and
helped it rise to its current levels. As a result our Internet economy
has come to depend on SSL as a security and trust infrastructure, but
what does the little yellow padlock really mean to the user? More than
some SSL Providers would have you believe.
Since the SSL protocol was released by Netscape as a security technology
in 1996 consumers have been educated to look for the SSL padlock before
passing any critical details over the Internet. Technically, the SSL protocol
provides an encrypted link between two parties, however in the eyes of
the consumer, seeing the SSL padlock in their browser means much more:
- That they have a secure (encrypted) link with the website
- That the website displaying the padlock is a valid and legitimate
organization or an accountable legal entity
As well as ensuring that their details remain secure during a transaction,
consumers also care whether the website they are dealing with is legitimate.
In order to solve the critical issue of identity assurance as well as
information security on the Internet, the efforts of SSL Providers (Certification
Authorities), consumer magazines and industry bodies have rightly resulted
in the SSL padlock becoming synonymous with trust and integrity - factors
consumers associate with being legitimate.
This paper examines how we use SSL commercially and how good validation
processes play a critical part in the preservation of a trusted e-commerce
infrastructure.
What is SSL?
Secure Sockets Layer, SSL, is the standard security technology for creating
an encrypted link between a web server and a browser. This link ensures
that all data passed between the web server and browser remains private
and integral. SSL is an industry standard and is used by millions of websites
in the protection of their online transactions with their customers. In
order to be able to generate an SSL link, a web server requires an SSL
Certificate.
Who can issue SSL Certificates?
SSL Certificates can be issued by anybody using freely available software
such as OpenSSL or Microsoft's Certificate Services manager. Such SSL
Certificates are known as "self-signed" Certificates. However,
self-signed SSL Certificates are not inherently trusted by customers'
browsers and whilst they can still be used for encryption they will cause
browsers to display "warning messages" - informing the user
that the Certificate has not been issued by an entity the user has chosen
to trust.
Warning message IE users will see from a self-signed SSL Certificate
Warning message Netscape users will see from a self-signed SSL Certificate
Such warnings are undesirable for commercial sites - they will drive
away customers. In order to avoid such warnings the SSL Certificate must
be issued by a "trusted certifying authority" - trusted third
party Certification Authorities that utilize their trusted position to
make available "trusted" SSL Certificates.
What is a Certification Authority?
Browsers and Operating Systems come with a pre-installed list of trusted
Certification Authorities, known as the Trusted Root CA store. As Microsoft
and Netscape provide the major operating systems and browsers, they decide
whether to include a Certification Authority in the Trusted Root CA store,
thereby giving it trusted status.
Microsoft and Netscape determine which organizations are Certification
Authorities.
The Microsoft trusted root CA store
The Netscape trusted root CA store
SSL certificates issued by trusted Certification Authorities do not display
a warning and establish a secure link between website and browser transparently.
In such circumstances, the padlock signifies the user has an encrypted
link with a company who has been issued a trusted SSL Certificate from
a trusted Certificate Authority.
Microsoft and Netscape have therefore determined the role of the Certification
Authority - to use their trusted status to "pass trust" to websites
that ordinarily would not be trusted by a customer.
The key issue must now be addressed - before passing such trust, how does
the CA know the website can be trusted?
What does a Certification Authority do before issuing a trusted SSL Certificate?
The SSL protocol did not originally include the provision of a validated
business identity within the SSL Certificate. Yet both Microsoft and Netscape
(and other browser vendors) have a policy of only issuing SSL Certificates
to validated entities so consumers now expect such website identity assurances.
Market education through the consumer press and industry bodies has also
added to people's perception of the SSL padlock as indicating a secure
and authentic site.
As a result of their "trusted" status, Certification Authorities
have a responsibility to ensure they only ever issue SSL Certificates
to legitimate companies. This may only be achieved by employing stringent
validation processes to ensure issuance practices only allow the SSL Certificate
to be issued to a legitimate company. After all, anyone relying on the
presence of an SSL Certificate will do so not just for the encryption
factor, but also to indicate the legitimacy of the site.
Whether they realize it or not, consumers dictate that Certification
Authorities have a duty to perform satisfactory validation for all SSL
Certificate applicants. If validation is weak, consumer confidence in
SSL Certificates will be undermined. Gartner has recently examined the
consequences of weak validation in their report "Secure Sockets -
sometimes isn't", and concluded that consumer web-based commerce
could be dramatically inhibited.
All SSL Certificates are not equal!
The value of SSL is protected by the strength of a standard two-point
validation process:
Step 1: Verify that the applicant owns, or has legal right to use, the
domain name featured in the application.
Step 2: Verify that the applicant is a legitimate and legally accountable
entity.
The compromise of either step endangers the message of trust and legitimacy
provided to the end consumer.
Companies such as GeoTrust, through its QuickSSL and FreeSSL products,
and IPSCA, the Spanish SSL Provider, perform only the first stage of the
two-step validation process (as employed by all other SSL Providers) by
only verifying that the applicant owns the domain name provided during
Certificate application. This validation step relies on the use of Domain
Name Registrar details to validate ownership of a domain name and then
a challenge email is sent to the listed administrator of the domain name.
If the challenge is met with a successful reply, the Certificate will
be issued.
Anybody who has purchased a domain name knows that when completing the
ownership details, any company, organization or person can be the named
owner - these records are not validated! So by relying solely on such
records, potentially untrustworthy information is being trusted. Bizarrely,
GeoTrust even refer to this cut-down domain-control authentication process
as being stronger than traditional two step validation - which includes
both the domain name ownership validation step and the added step of business
legitimacy verification.
To protect themselves, GeoTrust insert the term "Organization Not
Validated" into the issued Certificate. This term is visible to all
customers visiting the website using the issued SSL Certificate. Whilst
the term no doubt protects GeoTrust from any potential legal recourse,
it also means that a website's customer gains little comfort in the trustworthiness
of the site - after all as far as the customer is concerned the Organization
has NOT been validated!
Trusted Certificates VS Browser Recognized Certificates
We have established that:
The role of the Certification Authority is to
pass trust.
We have also established that:
Validation = Trust
No Validation = No Trust
A Certification Authority that does not conduct sufficient two-step validation
is simply issuing an SSL Certificate that is designed to bypass the browser
warning message - a browser recognized certificate, but not a trusted
certificate. Remember that Microsoft and Netscape included the warning
message in their browsers in order to alert the user of the un-trusted
status of an SSL Certificate.
Bypassing the warning message =
Selling the encrypted link without telling the customer it is an encryption
only link
If a website is only interested in providing encryption to its visitors
it can do so by using a free self-signed Certificate - there is no need
to pay a Certification Authority for a trusted SSL Certificate.
The "not trusted" warning message will even let the customer
know that whilst the website can provide encryption, it does not provide
trust.
Without sufficient validation processes, SSL Certificates are simply
encryption certificates that bypass the browser warning message. In other
words they are not trusted certificates in the true sense of the word,
they are simply browser recognized certificates.
Certification Authorities are trusted by browsers for a reason - to provide
trusted certificates. Conducting only weak validation undermines why a
Certificate Authority must be a trusted entity and begs the question of
why companies should pay for an untrustworthy certificate that consumers,
through no fault of their own, inadvertently trust?
In their white papers on SSL, GeoTrust strongly publicize that SSL is
NOT for trust and only for encryption and consequently use the argument
to justify their lack of business legitimacy validation. However, if SSL
is for encryption only why is there a need to display "Organization
Not Validated" in their SSL Certificates?
The presence of this warning message is effectively admitting that the
consumer, e.g. the party relying on the SSL Certificate, does not inherently
know that the SSL Certificate is for encryption only and should not be
relied on for business legitimacy. In other words, the consumer must be
told that the SSL Certificate does not provide the trust they believed
it ordinarily would have.
By displaying the "Organization Not Validated" message, GeoTrust
is trying to remove the current association of business legitimacy with
SSL. As this message is embedded into the Certificate, where only expert
users will be able to find it, consumers are in danger of inherently misinterpreting
the intended usage of such Certificates.
The commercial dangers of weak validation
Companies using weakly validated Certificates risk losing the trust of
customers who rely on such Certificates when they discover the Certificate
stands for "encryption" only. Without the assurance that the
company behind the site is legitimate, the customer will go elsewhere
to conduct their business. Can a company really afford to lose customers
simply because of their choice of SSL provider?
Only by choosing a strongly validated SSL Certificate from a provider
who performs two-step validation processes can the user expectations of
SSL be realised, and ultimately preserved. Consumers have long associated
SSL with more than just encryption. Yet, by removing sufficient validation,
the Certificate Authority is not fulfilling its responsibilities to deliver
the trust in a "trusted certificate".
In an environment where trust goes hand in hand with commercial success,
removing validation from the very products used to provide such trust
is not only dangerous but also poses a long term threat to the Internet
economy.
SSL Providers retailing non-validated Certificates will often attempt
to sell a "Trust" only product. The downside to this exercise
is that websites are forced to purchase both an SSL Certificate and a
Trust product just to gain both encryption and trust functionality, whereas
a fully validated SSL Certificate can already provide both.
Comodo, like Verisign, Thawte, Baltimore and Entrust, is serious about
the validation employed in SSL Certificate applications. If you wish to
maintain the trust of your customers, we strongly believe that you should
be serious about validation too.
Comodo Instant SSL - the only low cost fully validated SSL Certificate
In May 2002 Comodo launched InstantSSL, the only low cost fully validated
SSL Certificates. Prior to the launch of InstantSSL, GeoTrust offered
the industry's cheapest SSL certificates through the QuickSSL brand (the
low price being attributed to the absence of strong validation processes).
However, Instant SSL certificates are less than half the price of GeoTrust
QuickSSL certificates, issued quickly, and unlike GeoTrust QuickSSL and
IPSCA certificates, Instant SSL certificates are fully validated.
What an SSL Certificate should tell the site's visitors
Comodo is at the forefront of providing fully qualified SSL Certificates.
Digital Signature legislation is catching up to how digital certificates
are used commercially and appreciates that applications such as SSL mean
much more in commercial terms than just encryption. The EU Directive on
Digital Signatures is considered by many to be a milestone in how online
identities and transactions are being aligned in legal terms with their
physical world counterparts.
Part of the directive covers "Qualified Certificates" - digital
certificates that have been issued to validated entities, and whose identities
are contained within the certificate itself.
Comodo's Instant SSL Certificates contain the following critical identification
information within the SSL Certificate:
Common Name - the fully qualified domain name for which the SSL Certificate
is to be used
Organization Name
Organization Unit
Street Address
City / Town
State / Province
Zip / Postal Code
Country
All the above information is validated quickly and efficiently by Comodo,
ensuring customers receive their Certificate quickly but without the risks
associated with weak validation. This places Comodo at the forefront in
delivering SSL Certificates that comply with legislation even before it
becomes law to do so!
InstantSSL - combining strong validation with low costs
Comodo is the only SSL Provider to offer responsible companies the option
of low cost, fully validated and highly trusted SSL certificates. With
the availability of InstantSSL, there is no longer any need to opt for
more expensive non-validated, untrustworthy encryption-only SSL certificates.
Using Instant SSL to Boost Customer Confidence in your Web Sites
Why you need security for your site
The Internet has created many new global business opportunities for enterprises
conducting online commerce. However, the many security risks associated
with conducting e-commerce have resulted in security becoming a major
factor for online success or failure.
Over the past 7 years, consumer magazines, industry bodies and security
providers have educated the market on the basics of online security. The
majority of consumers now expect security to be integrated into any online
service they use; as a result they expect any details they provide via
the Internet to remain confidential and integral. For many customers,
the only time they will ever consider buying your products or services
online is when they are satisfied their details are secure.
This guide explains how you can utilize Instant SSL to activate the core
security technology available on your existing webserver. You will also
learn how Instant SSL allows you to protect your customers' transactions
and provide visitors with proof of your digital identity - essential factors
in gaining confidence in your services and identity.
Using Instant SSL Certificates to secure your online transactions tells
your customers you take their security seriously. They will visibly see
that their online transaction will be secure, confidential and integral
and give them the confidence that you have removed the risk associated
with trading over the Internet.
Using Security helps you realize the benefits of online commerce:
- Cost effectiveness of online operations and delivery
- Open global markets - gain customers from all over the world
- New and exciting ways of marketing directly to your customers
- Offer new data products and services via the Web
Only if you have visibly secured your site with SSL security technology
will your customers have confidence in your online operations. Read on
to learn how SSL helps you achieve the confidence essential to successful
e-commerce.
What is SSL?
Secure Sockets Layer, SSL, is the standard security technology for
creating an encrypted link between a web server and a browser. This link
ensures that all data passed between the web server and browser remain
private and integral. SSL is an industry standard and is used by millions
of websites in the protection of their online transactions with their
customers. In order to be able to generate an SSL link, a web server requires
an SSL Certificate.
When you choose to activate SSL on your webserver you will be prompted
to complete a number of questions about the identity of your website (e.g.
your website's URL) and your company (e.g. your company's name and location).
Your webserver then creates two cryptographic keys - a Private Key and
a Public Key. Your Private Key is so called for a reason - it must remain
private and secure. The Public Key does not need to be secret and is placed
into a Certificate Signing Request (CSR) - a data file also containing
your details. You should then submit the CSR during the SSL Certificate
application process to Comodo, the Instant SSL Certification Authority, who
will validate your details and issue an SSL Certificate containing your
details and allowing you to use SSL.
Your webserver will match your issued SSL Certificate to your Private
Key. Your webserver will then be able to establish an encrypted link between
the website and your customer's web browser.
For detailed application and installation instructions please refer to
section "Step by step instructions to set up SSL on your webserver"
of this guide.
Displaying the SSL Secure Padlock
The complexities of the SSL protocol remain invisible to your customers.
Instead their browsers provide them with a key indicator to let them know
they are currently protected by an SSL encrypted session - the Padlock:
As seen by users of Internet Explorer
Clicking on the Padlock displays your SSL Certificate and your details:
As seen by users of Internet Explorer
All SSL Certificates are issued to either companies or legally accountable
individuals. Typically an SSL Certificate will contain your domain name,
your company name, your address, your city, your state and your country.
It will also contain the expiry date of the Certificate and details of
the Certification Authority responsible for the issuance of the Certificate.
When a browser connects to a secure site it will retrieve the site's
SSL Certificate and check that it has not expired, it has been issued
by a Certification Authority the browser trusts, and that it is being
used by the website for which it has been issued. If it fails on any one
of these checks the browser will display a warning to the end user.
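The CSR-and-issuance flow and the three browser checks described above, as an added example using the openssl command line (not part of the original guide). The demo CA, the organization details and the host name www.shop.example are constructed, and the demo CA file stands in for the browser's Trusted Root CA store.

```shell
#!/bin/sh
# Added example: all names below (Demo Root, Example Shop Inc,
# www.shop.example) are constructed for illustration.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

make_demo_pki() {
    d=$1
    # Demo root CA: plays the part of one entry in the trusted root store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Demo Trusted CA/CN=Demo Root" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
    # Webserver side: the private key stays on the server; the CSR carries
    # the public key plus the identity details the CA is asked to validate.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=NJ/L=Jersey City/O=Example Shop Inc/CN=www.shop.example" \
        -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null || return 1
    # CA side: sign the CSR, producing a certificate valid for one day.
    openssl x509 -req -in "$d/site.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/site.crt" 2>/dev/null || return 1
    # Self-signed certificate for the same host name: encryption, no issuer.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.shop.example" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null || return 1
}

# check_cert CERT ROOTS HOST [WINDOW_SECONDS]
# Runs the three checks in order and prints the first one that fails.
# WINDOW_SECONDS > 0 asks "will it still be valid that far in the future?".
check_cert() {
    cert=$1 roots=$2 host=$3 window=${4:-0}
    # 1. The certificate has not expired.
    openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1 \
        || { echo "FAIL: validity period"; return 1; }
    # 2. It chains to a Certification Authority in the trusted root file.
    openssl verify -CAfile "$roots" "$cert" 2>/dev/null | grep -q ': OK$' \
        || { echo "FAIL: untrusted issuer"; return 1; }
    # 3. It was issued for the host name the client actually connected to.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match certificate' \
        || { echo "FAIL: hostname mismatch"; return 1; }
    echo "OK"
}

if make_demo_pki "$DEMO_DIR"; then
    echo "CA-issued, right host:  $(check_cert "$DEMO_DIR/site.crt" "$DEMO_DIR/ca.crt" www.shop.example)"
    echo "CA-issued, other host:  $(check_cert "$DEMO_DIR/site.crt" "$DEMO_DIR/ca.crt" www.other.example)"
    echo "CA-issued, 2 days on:   $(check_cert "$DEMO_DIR/site.crt" "$DEMO_DIR/ca.crt" www.shop.example 172800)"
    echo "self-signed:            $(check_cert "$DEMO_DIR/self.crt" "$DEMO_DIR/ca.crt" www.shop.example)"
else
    echo "openssl could not build the demo certificates" >&2
fi
```

None of the three checks looks at whether the organization fields in the subject were validated; that depends entirely on what the issuing CA did before signing the CSR.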
Why Should You Use an Instant SSL Certificate?
Comodo, the Certification Authority behind InstantSSL, is the fastest
growing SSL Provider in the world. Unlike other Certification Authorities,
Comodo does not just provide SSL Certificates - they are a world-renowned
security and cryptography service provider. When you are a customer of
Comodo, you can feel safe knowing that your website security is provided
by experts.
InstantSSL Certificates are the most cost-effective fully validated and
fully supported 128 bit SSL Certificates you can buy today! You can contact
the technical support team between 3am - 7pm EST (soon to be 24 hours).
You can also feel safe in the knowledge that Comodo will validate your
application in accordance with the latest digital signature legislation
pertaining to Qualified Certificates. This validation is done effectively
and quickly, ensuring you need not wait the traditional 3 working days
normally associated with a fully validated SSL Certificate.
InstantSSL boasts industry leading browser ubiquity - comparable to Verisign
and Thawte, however without the costs associated with other SSL Providers.
Instant SSL Certificates are compatible with over 99% of browsers - including
Internet Explorer 5.00 and above, Netscape 4.5 and above, AOL 6 and above
and Opera 5.00 and above.
InstantSSL benefits summary:
InstantSSL Certificates are the most cost effective SSL Certificates
you can buy which include:
- Full validation conducted quickly - in many cases you can expect
your SSL Certificate to be issued within minutes
- Telephone, email, web support available 3am - 7pm EST
- Over 99% browser compatibility
- 128 bit strong encryption security
- Backed by warranties ranging from $50 to $10,000
InstantSSL Certificates provide you with the key to successfully using
SSL on your webserver.
Testing your Webserver Before you Buy - Try an SSL Certificate for Free
Trial SSL Certificates provide full SSL functionality for 30 days and
are fully supported by our expert technical support staff. Unlike test
Certificates from other CAs, Instant SSL trial Certificates are issued
using the same Trusted Root CA that issues our end-entity SSL Certificates
and provides 99% browser ubiquity, and NOT by a different test CA. This
unique service helps you fully test your system prior to your live roll
out.
Trial SSL Certificates are ideal for anyone requiring proof of ease of
installation, confirmation of high quality technical support and also
confirmation of compatibility with the majority of the browsers that exist
today. Trial SSL Certificates are also ideal for practicing with Certificates
and learning about SSL implementation before committing to installing
a Certificate on your live system.
COMODO SSL RELYING PARTY WARRANTY
The relying party warranty set forth herein (the "Relying Party Warranty") may provide an avenue of relief to people whose reliance on a Comodo-issued digital certificate results in a loss of money due to a fraudulent charge to their credit card by the holder of a Comodo digital certificate. If Comodo was negligent in issuing a digital certificate that resulted in a loss to a Relying Party ("you"), you may be eligible to receive up to US$1,000 per incident, subject to a maximum aggregate limit of $10,000 USD or $250,000 USD (as applicable) for all claims related to that digital certificate. The terms and conditions of the Relying Party Warranty are as follows.
1. Application
Before taking any action in connection with or relying in any way on a Comodo Digital Certificate (as defined below), you must read and agree to the Relying Party Agreement.
2. Definitions
The capitalized terms used in this Agreement shall have the following meanings, unless otherwise specified:
"Digital Certificate" means an encrypted electronic data file (conforming to the X509 version 3 ITU-T standard) issued by Comodo in order to identify a person or entity or to provide SSL encryption using a Digital Signature or entity and which contains the domain name or identity of the person authorized to use the Digital Signature and a copy of their Public Key, a serial number, a time period during which the Digital Certificate may be used and a Digital Signature issued by Comodo.
"Comodo CPS" means the Certification Practice Statement released by Comodo, as amended from time to time, which may be accessed from https://www.Comodo.com/repository/cps.html.
"Subscriber" means a person who is issued a Digital Certificate signed by Comodo and who has entered into a Comodo Subscriber Agreement.
3. Relying Party Warranty Terms
3.1. Subject to the provisions herein, Comodo warrants solely for the benefit of Covered Persons (as defined below) that Comodo and its third party vendors have exercised reasonable care to perform the validation steps set forth in the appropriate Comodo CPS in issuing a Digital Certificate (the "Comodo Warranty").
3.2. If a Covered Person suffers monetary losses resulting directly from an online credit card transaction made with a Subscriber of a Comodo Digital Certificate, and the Covered Person fulfills all obligations described herein, Comodo will pay to the Covered Person, subject to the Payment Limits, Max Transaction Values, Incident Limit and exceptions described below, the amount fraudulently charged to the Covered Person's credit card by the Subscriber. This Comodo Warranty applies only if the Subscriber's Digital Certificate that was relied upon by the Relying Party was issued by Comodo in violation of the Comodo Warranty described herein, and only if the losses were monetary losses from an online credit card transaction.
4. Payment Limit
4.1. Comodo Digital Certificates. Each Comodo SSL certificate carries an aggregate maximum payment limit (the "Payment Limit") and a maximum transaction value ("Max Transaction Value") as described in the table below and the Comodo Certificate Subscriber Agreement, for all claims paid in connection with these Digital Certificates.
| Comodo Certificate Type | Max Transaction Value | Payment Limit |
|---|---|---|
| PositiveSSL | $0 | $0 |
| PositiveSSL Wildcard | $0 | $0 |
| FreeSSL | $0 | $0 |
| IntranetSSL | $0 | $0 |
| TrialSSL | $0 | $0 |
| InstantSSL | $1,000 | $10,000 |
| ProSSL | $10,000 | $100,000 |
| PremiumSSL | $10,000 | $250,000 |
| PremiumSSL Wildcard | $10,000 | $250,000 |
| EliteSSL | $10,000 | $500,000 |
| GoldSSL | $10,000 | $750,000 |
| PlatinumSSL | $10,000 | $1,000,000 |
| PlatinumSSL Wildcard | $10,000 | $1,000,000 |
| PremiumSSL Legacy | $10,000 | $250,000 |
| PremiumSSL Legacy Wildcard | $10,000 | $250,000 |
| SGC SSL | $10,000 | $250,000 |
| SGC SSL Wildcard | $10,000 | $250,000 |
| PlatinumSSL Legacy Certificate | $10,000 | $1,000,000 |
| PlatinumSSL Legacy Wildcard Certificate | $10,000 | $1,000,000 |
| PlatinumSSL SGC Certificate | $10,000 | $1,000,000 |
| PlatinumSSL SGC Wildcard Certificate | $10,000 | $1,000,000 |
4.2. Incident Limit. A Covered Person may only receive a maximum payment of $1,000 per online transaction ("Incident Limit") for which the Covered Person claims there was a breach of the Comodo Warranty (each an "Incident"). If multiple Covered Persons are affiliated as to a common entity, then those multiple Covered Persons collectively are eligible to receive a maximum amount of $1,000 per Incident. Any payments to Covered Persons shall decrease by an amount equal to the sum of such payments the relevant Aggregate Limit available to any party for future payments for any claims relating to that Digital Certificate. For example, if a Digital Certificate carries a Payment Limit of $10,000, then Covered Persons can receive payments in accordance with this warranty for up to $1,000 per Incident until a total of $10,000 has been paid in the aggregate for all claims by all parties related to that Digital Certificate. Upon renewal of any Digital Certificate, the total claims paid for such Digital Certificate shall be reset to zero dollars.
5. Covered Persons
Under this warranty, you must complete an online credit card transaction in reliance on a Comodo Digital Certificate and meet all of the following requirements:
(i) You must use a credit card validly issued in your name.
(ii) You must read and agree to be bound by the terms of the Comodo Relying Party Agreement, which can be found at http://www.comodogroup.it/eng/repository/index.html, prior to providing any credit card information to a Digital Certificate Subscriber. The Relying Party Agreement applies to you if, among other things, you decide to rely on a Digital Certificate issued by Comodo.
(iii) You must fulfill all of your obligations described herein, including but not limited to all obligations as a Relying Party in the Relying Party Agreement.
(iv) You must dispute with your credit card issuer and/or other entity, as appropriate, the unauthorized credit card charges for which you wish to make any claim under this warranty, in compliance with the rules, procedures and time-lines applicable to the credit card that was subject to the unauthorized charges. Any payment by Comodo will be reduced by the amount of any recovery, relief or reversal of charges received by the Covered Person from the credit card issuer.
(v) You must submit all claims via email to the following email address: legal@comodo.com, and you must include: the date of loss, a detailed description of the events and circumstances of the loss, the amount of any claimed loss, the web site URL and Subscriber name through which the loss occurred, the credit card number and card issuer through which the loss occurred. You must cooperate fully with any investigation of your claim (including providing additional information when requested). Any claim must be submitted to Comodo (or the entity designated by Comodo) within 90 days of the loss for which you are seeking payment.
6. Exceptions to the Warranty
This Comodo Warranty does not apply to losses or damages of a Covered Person, caused wholly or partially by:
(i) brown-outs, power failures, or other disturbances to electrical power;
(ii) illegal acts by the Covered Person or the Subscriber of the Digital Certificate upon which they rely, or by persons coercing the Covered Person or Subscriber to cause the loss or damages;
(iii) the Covered Person's own breach of any warranty or obligations in the Relying Party Agreement, including but not limited to failure to validate a Digital Certificate prior to relying upon it, and failure to validate the certificate chain for any Digital Certificate prior to relying upon it;
(iv) acts by any unauthorized individuals which impairs, damages, or misuses the services of any Internet Service Provider or telecommunications, cable, or satellite carrier, other common carrier or value-added services, including but not limited to, denials of service attacks and the use of malicious software such as computer viruses;
(v) the Covered Person's unreasonable or unjustified reliance upon information contained within a Digital Certificate in view of what the Covered Person knows or should have known, or based on the Covered Person's course of dealings and customs of trade;
(vi) failure of any services or equipment not under the exclusive control or ownership of Comodo or its partners, affiliates, and agents; or
(vii) the Covered Person's reverse engineering, interference with, or monitoring of the certificate services, except as provided by the Service Agreements or with Comodo's express consent.