
January 24, 2012

Why is security required for the Internet?

The Internet has been a revolution for commerce and the transfer of data in general, and it has created new global business opportunities for all, including major enterprises, small to medium sized businesses and individuals alike. However, e-commerce has inevitably attracted crime and produced a new breed of online criminals ranging from fraudsters and hackers to cyber terrorists. The growing concerns associated with conducting e-commerce mean that security is now an essential factor for online business success.
The market is now educated in the basics of online security and the majority of online users now expect security to be integrated into any online service they use and as a result they expect any details they provide via the Internet to remain confidential and secure.
This white paper explains how SSL can be utilized as the core security technology to protect customers’ online transactions and to show users that the security of the online business is being taken seriously. In fact, SSL provides proof of a digital identity and allows online customers to see that their digital transaction will be confidential. These are essential factors in gaining customer confidence and removing the concerns and risks associated with sending sensitive data over the Internet.
SSL is essential to allow the true benefits of the Internet to be realized. SSL (Secure Sockets Layer) is a security technology that is commonly used for encrypting communications between users and e-commerce websites, thereby securing server to browser transactions. The SSL protocol utilizes encryption to prevent eavesdropping and tampering of the transmitted data, and is used to secure information passed by a browser (such as a customer’s credit card number or password) to a webserver (such as an online store).
An SSL Certificate protects data submitted over the Internet from being intercepted and viewed by unintended recipients. Used by hundreds of thousands of websites to protect their online transactions with their customers, SSL is the de facto industry standard for Internet transaction security.
How do website visitors know if a website is using SSL?
When a website visitor connects to a webserver using SSL, they will see that the URL in the address bar begins with https:// rather than the usual http://, and a small gold padlock will appear in their browser.

[Image: the padlock as seen by users of Internet Explorer]
Whenever a browser connects to a webserver (website) over https://, this signifies that the communication will be encrypted and secure. The actual complexities of the SSL protocol remain invisible to the end customer.
In summary, SSL is the de facto web transaction security technology. Web servers have been built to support it and web browsers have been built to use it. SSL provides the ability to secure customers’ transactions transparently without the customer having to do a thing!

January 20, 2012

Go Green with EV SSL helps Boost Ecommerce Business

To earn trust, you need an easy, reliable way to show customers that not only are their transactions secure, but that you are a legitimate business and you are who you say you are. To meet this need, security vendors and Internet browsers have combined forces to establish the Extended Validation (EV SSL) standard, the first fundamental change in the world’s secure e-commerce backbone in more than ten years.
Besides turning the address bar green, the browser also displays the name of the organization listed in the certificate (for example, your company). Implementation details vary somewhat from browser to browser.
The browser and the security vendor control the display to deter phishers and counterfeiters from hijacking your brand and your customers. Fraudsters are becoming adept at mimicking almost everything about a Web site, but without the legitimate company’s EV SSL Certificate there is no way they can display its name on the address bar, because the information shown there is outside of their control. In addition, they cannot obtain the legitimate company’s EV SSL Certificates because of the stringent authentication process.
Why is EV so comforting to consumers?
  • Online customers can look at the visual display of the certificate owner’s name on the address bar to make sure the site is indeed authored by the intended source and not an imposter.
  • CAs conduct additional levels of validation of organizations’ legitimacy and authenticity before issuing them EV certificates as described above to keep fraudsters from posing as legitimate Internet businesses.
  • The CAs themselves must satisfy more rigorous criteria in order to be eligible to issue EV SSL Certificates. They must pass regular third-party WebTrust audits confirming that they meet the requirements set out in the standards of the CA/Browser Forum, a consortium of CAs and browser suppliers. This essentially eliminates the chance of a feeble background check that sets an imposter loose with EV. With EV, customers do not have to question whether the organization was properly vetted or not.
  • The color change to green appears to have a soothing psychological effect on consumers. Even customers who are not familiar with the “real” reasons why EV protects them better are more inclined to convert to sales and buy more per sale if they see a green bar.
For organizations with a high profile brand, using EV SSL Certificates has proven to be an effective safeguard against phishing fraud. For any online business, using an SSL Certificate with EV may have a big effect on the bottom line. EV SSL customers have experienced large increases in web site transactions.

January 17, 2012

Protect Yourself Online To Go With Big Deals

Before you or your family members sign in or buy online, ask yourself: do I trust this Web site? ClickSSL brings trust to the Internet by helping people and organizations establish, promote and protect their identities online.
  • Look for the Green Bar
The green address bar in your web browser shows that the web site is secured, as well as the authentic name of the company or organization that runs the site. Look for the Certificate Authority (VeriSign, GeoTrust, Thawte) name next to the Web site address to know that the most trusted Web site security provider in the business protects your information.

Extended Validation (EV) SSL Certificates give a convenient and visible sign that you have a highly authenticated, trustworthy site and that your customers’ information is secure.
  • Click the Check
When you click the “Secure Site Seal”, you see the exact information provided to and verified by the Certificate Authority (VeriSign, GeoTrust, Thawte, and RapidSSL). Click the check on the “Secure Site Seal” to confirm the owner’s name, domain name, city, state, country, the certificate’s validity period, and the status of the most recent malware scan; what is shown depends on which Certificate Authority performed the verification.
  • Keep Your Passwords Private
Never enter your username or password on a site you cannot verify. An email might contain a link to a web site requesting your login. Do not follow the link, as it could be a thief trying to steal your username and password. Go directly to the Web site by typing the URL in your browser in order to verify the email request.
  • Create strong passwords
Strong passwords are at least fourteen letters long and contain a combination of both upper and lower case characters, figures and signs. A strong password is simple for you to keep in mind but complicated for others to guess.
  1. Do not share your password with friends.
  2. Do not use the same password everywhere. If somebody steals your password, all data that password secures is at risk.
  • Go with Your Gut
If you do not see the signs above, you have to take extra measures for protection. Look for the closed padlock and an “s” in https in the URL. Is the URL what you expected, or have you been redirected to a look-alike Web site? Is the content written in a professional manner? If what you see does not add up, trust your instincts and do not sign in. Better yet, do business with Web sites that show you they are secure.

January 16, 2012

Prefer Trusted Certificate Authority to Choose an SSL Certificate

A Certificate Authority issues digital certificates that contain a public key and the identity of the owner. The matching private key is not available publicly, but kept secret by the end user who generated the key pair. The certificate is also a confirmation or validation by the CA that the public key contained in the certificate belongs to the person, organization, server or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates. CAs use a variety of standards and tests to do so. In essence, the Certificate Authority is responsible for saying, "yes, this person is who they say they are, and we, the CA, verify that". 

If the user trusts the CA and can verify the CA's signature, then he can also verify that a certain public key does indeed belong to whoever is identified in the certificate.

Not all Certificate Authorities are created equal
 
For businesses considering a choice of CA providers, it is important to remember that your choice does in fact matter. Not all SSL certificates are issued equally, and businesses should consider the level and rigor of authentication and security that goes into the SSL certificates in which they place the trust of their brand and their customers. Organizations should ensure that CAs publish their policies and undergo routine audits to ensure a secure infrastructure. Regrettably, there is no minimum standard within the current SSL Certificate market. Although price certainly plays a significant role in the purchasing process, as the multiple CA breaches this year have reminded us, we suggest price should be but one of many factors in selecting a CA. When evaluating a CA we urge you to take into account the following considerations:


  • Diligence of the security used by the CA to protect cryptographic keys
    • Specifically designed hardened facilities to defend against attack
    • Hardware-based cryptographic signature systems
    • Regular third party audits
    • Thorough network security and antimalware defense
  • Enforcement of dual control certificate issuance used by the vendor
  • Use of authentication/registration best practices to identify ownership
  • Documented CA employee background investigations to protect against insider threat
  • Strong history of the vendor’s trust and security

For consumers, it is important to know that SSL remains the most effective method of secure web data transmission. It is equally critical to remain aware of who is behind the security of the web site with which you are doing business. Are they reputable? Do they have a proven record of accomplishment for issuance of certificates? Do they have a robust infrastructure in place to prevent these types of attacks? To further protect yourself online, know what to look for:


  • Keep browser software updated to obtain the latest set of valid root keys
  • Watch for the green address bar provided by Extended Validation (EV) SSL for extra protection
  • Look out for a recognized trust mark such as the Secured Seal.
  • Keep an eye out for the ‘s’ in “https” in the URL to indicate a secure environment

Watch for the padlock to verify who has signed the SSL certificate, and ensure that you recognize the CA.

At the end of the day, it is important for the community to understand that there is nothing inherently broken with SSL; it is really just about CAs and businesses doing the right thing and ensuring that consumer information remains secure. CAs that follow established best practices for securing private keys, along with vigilant enforcement of stringent authentication practices, are critical components in keeping the Internet a safe environment for all.

Certificate Authorities:  

The Certificate Authorities below provide trusted SSL Certificates.

RapidSSL is an internet security specialist, focused on providing small/medium businesses with strong 128 / 256-Bit encryption, industry standard SSL Certificates. RapidSSL® is dedicated to being the lowest cost provider of SSL to the entry-level marketplace and offers a number of SSL Certificate brands.

GeoTrust is the world’s second largest digital certificate provider, and a leader in a wide variety of Identity and Trust services. GeoTrust's comprehensive array of technologies enables organizations of all sizes to secure e-business transactions cost effectively.

Thawte has a history that gives a uniquely cosmopolitan view of business, one that reflects a truly international perspective. The focus of Thawte® remains on extending a trusted relationship on the internet to anyone, anywhere, as part of its commitment to the egalitarian ethos of the internet.

VeriSign continues to lead the SSL Certificate industry as a member of the CA/Browser Forum, a standards making body focused on High Assurance SSL Certificates. SGC enabled SSL Certificates provide 128 - 256 Bit encryption to over 99.9% of web site visitors, including the tens of millions who use certain older versions of Microsoft® Windows and Internet Explorer.

Credit: ClickSSL.com Blog

January 03, 2012

Configuring SSL Certificate for use in MS IIS

Once the SSL Certificate has been installed, you will need to enable the server, as well as any firewalls or routers that are in place, for secure communications. To do so, enable the SSL port, which is by default port 443, and assign a unique IP address for your Certificate on your website. An SSL Certificate is issued for, and tied to, only the Fully Qualified Domain Name (common name) for which the Certificate was requested.

Even though the Certificate is not tied to the IP address assigned to the website, a unique IP address is required for each SSL enabled website, as SSL works with IP based virtual hosts. The IP address assigned to the website can be changed without affecting the Certificate at all, provided it remains unique.

To enable SSL on MS IIS 4.0, follow the instructions listed below:

  1. From the “Internet Server” program group, open “Key Manager”.
  2. In the “Key Manager” window, select the Key on which your certificate is installed.
  3. Right-click on the Key and select “Properties”.
  4. At the “Server Bindings” window, click on “Add”.
  5. The “IP Address” field must contain the IP address (typed out) of the web site in question. If you only have one website, then the default “All UN-assigned” for your IP address will suffice.
  6. Under “Port Number”, click on the radio button next to “Port Number” and add 443. Click on “OK” when done.
  7. From the “Computers” menu, select “Commit Changes Now” and when prompted to “Commit all changes now?” select “Yes”.

To enable SSL on MS IIS 5.0, MS IIS 5.1 and MS IIS 6.0, follow the instructions listed below:

  1. In the “Web Site” tab, the IP address field must contain the IP address (typed out) of the web site in question. If you only have one website, then the default “All UN-assigned” for your IP address will suffice.
  2. Click on the “Advanced” button next to the IP address field – make sure the SSL port number is listed under “Multiple SSL identities for this Web site” section.

You will now be able to access your machine securely via https://www.yourdomain.com and view your certificate details.

A golden padlock will appear in the lower toolbar of your browser when the SSL session has been established.
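
A scripted version of the certificate-detail check described above, as an added example that is not from the original post: `review_cert` takes a certificate in the layout Python's `ssl.getpeercert()` returns and reports whether it covers the requested FQDN, whether it is inside its validity period, and which CA organisation issued it. The function names and the sample certificate are constructed for illustration; `fetch_cert` needs network access to a real server.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5):
    """Handshake on the SSL port; return the chain-validated certificate as a dict."""
    ctx = ssl.create_default_context()  # trusts only the system's root CAs
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _values(name, key):
    # Names arrive as a tuple of RDNs, each a tuple of (key, value) pairs.
    return [v for rdn in name for k, v in rdn if k == key]

def name_matches(pattern, host):
    """Exact match, or '*' standing in for the leftmost label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def _utc(text):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)

def review_cert(cert, host, now=None):
    """Summarise what an administrator checks after binding the certificate."""
    now = now or datetime.now(timezone.utc)
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    # Fall back to the common name only when no DNS SAN entries are present.
    names = sans or _values(cert.get("subject", ()), "commonName")
    start, end = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    return {
        "host_ok": any(name_matches(n, host) for n in names),
        "in_validity": start <= now <= end,
        "days_left": (end - now).days,
        "issuer": _values(cert.get("issuer", ()), "organizationName"),
    }

# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE = {
    "subject": ((("commonName", "www.yourdomain.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan 10 00:00:00 2012 GMT",
    "notAfter": "Jan 10 00:00:00 2013 GMT",
}

if __name__ == "__main__":
    when = datetime(2012, 2, 1, tzinfo=timezone.utc)
    for host in ("www.yourdomain.com", "yourdomain.com"):
        print(host, review_cert(SAMPLE, host, now=when))
```

Against a live server, call `review_cert(fetch_cert("www.yourdomain.com"), "www.yourdomain.com")`; a failed handshake in `fetch_cert` means the chain or hostname did not validate against the system's trusted roots.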