What is SSL?
SSL = Secure Socket Layer.
What does SSL mean to me, the Internet user?
When you come across a web page that is secured, your browser will likely display
a 'closed lock' or other symbol to inform you that SSL (standing for Secure Sockets
Layer) has been enabled. The web site address should also now start with "https://"
rather than the usual "http://".
In a nutshell, SSL allows a secure connection between your web browser and a web
server. This secure information 'tunnel' was developed by Netscape Communications
and was based on encryption algorithms developed by RSA Security. SSL is being widely
adopted by numerous companies for client/server uses other than web surfing.
The main role of SSL is to provide security for Web traffic. Security includes confidentiality,
message integrity, and authentication. SSL achieves these elements of security through
the use of cryptography, digital signatures, and certificates. Because SSL is built
into all major browsers and Web servers, simply installing a digital certificate,
or Server ID, enables SSL capabilities.
Why do I need SSL?
If you are transmitting sensitive information on a web site, such as credit card
numbers or personal information, you need to secure it with SSL encryption. It is
possible for every piece of data to be seen by others unless it is secured by an
SSL server certificate. Your customers won't trust your web site without it.
Who uses SSL today?
Almost all web-based online purchases and monetary transactions are now secured by
SSL. When you submit your credit card to purchase a compact disc from CDNOW, for
example, the order form information is sent through this secure tunnel so that only
the folks at CDNOW can view it. You may also be familiar with online banking. Financial
institutions use SSL to secure the transmission of your PIN and other confidential
account data.
What is a Certificate Signing Request (CSR)?
The CSR is a string of text generated by your server software. You provide this
string of text to VeriSign during the enrollment process. To generate a CSR for
Global Server ID or Secure Server ID, you will need to know what kind of server
software is running on your Web server.
What are the roles of SSL?
SSL has two distinct entities, server and client. The client is the entity that
initiates the transaction, whereas the server is the entity that responds to the
client and negotiates which cipher suites are used for encryption. In SSL, the Web
browser is the client and the Web-site server is the server.
Why is SSL important?
SSL is vital to Web security. It provides a strong sense of confidentiality, message
integrity, and server authentication to users. The business of e-commerce is tied
closely to consumer confidence in the operation of SSL across the net. In the future,
SSL termination devices will be able to handle more transactions at a faster rate.
The encryption of key lengths and the cipher suites used will also continue to evolve
in order to ensure the security of sensitive information over the Web. This way,
e-commerce will be able to continue to grow in popularity as users grow more confident
in shopping and banking online, and embracing new online applications.
What is a Digital certificate?
Well, think of the digital certificate as the key to starting the SSL engine. Maybe
more like a driver's license. It's just an identification card that the server uses
to prove that it is who it says it is.
Digital Certificates are issued by Certificate Authorities (CAs). This is where it
gets tricky, because anyone with the right software can be a certificate authority,
just like anyone can make a piece of paper that says it's a driver's license. But
just as only the state government can issue a license that a police officer will
accept, there are certain trusted CAs that your web browser will accept (such as
VeriSign, Inc.). Of course, you can tell your web browser to accept other CAs if
you want to. In this case, you're the police officer that's accepting these certificates,
so you should accept certificates only from sources you trust.
Also note that, just like the SSL connection itself, a digital certificate does
not vouch for the integrity of the company it is issued to. Be wary of who you send
your credit card information to, regardless of whether the connection is secure or not.
What are authentication and encryption?
SSL server authentication allows users to confirm a Web server's identity. SSL-enabled
client software, such as a Web browser, can automatically check that a server's
certificate and public ID are valid and have been issued by a certificate authority
(CA) listed in the client software's list of trusted CAs. SSL server authentication
is vital for secure e-commerce transactions in which users, for example, are sending
credit card numbers over the Web and first want to verify the receiving server's
identity.
An encrypted SSL connection requires all information sent between a client and a
server to be encrypted by the sending software and decrypted by the receiving software,
protecting private information from interception over the Internet. In addition,
all data sent over an encrypted SSL connection is protected with a mechanism for
detecting tampering - that is, for automatically determining whether the data has
been altered in transit. This means that users can confidently send private data,
such as credit card numbers, to a Web site, trusting that SSL keeps it private and
confidential.
What's the difference between a 40-bit SSL connection and a 128-bit SSL connection?
Many banks require 128-bit encryption for online banking because 40-bit encryption
is considered to be relatively weak. A 128-bit key space is about 309 septillion times
(309,485,000,000,000,000,000,000,000) larger than a 40-bit key space.
Equated to the real world, sending information without encryption is like sending
a postcard through the mail: the contents are visible to practically anyone who
wants to see it. Using this analogy, 40-bit encryption is like sending the information
in a plain white envelope. 56 bits could then be equated to using a security envelope
that is printed to prevent it from being see-through. Relative to these strengths,
128-bit encryption could be compared to encasing your data in a lead-lined, 12-inch
thick titanium safe that is being transported by an armored tank with a convoy of
a hundred armed guards. In other words, 128 bits is considerably more secure than
40.
How can I tell if my web browser has 128-bit encryption?
Most newer browsers now support a variety of SSL bit strengths. This ensures that
the browsers are fully compatible with almost all web servers and digital certificates,
which were also shipped worldwide at lower encryption strengths.
If you have an older browser you downloaded without filling out a brief residency
confirmation form, you likely have the 40- or 56-bit version. Check your browser's
encryption preferences to see what strengths you have available. You can also try
Fortify.net's SSL test page for a readout of what strengths your browser supports.
Which type of SSL is right for my site?
40-bit SSLs are ideal for security-sensitive intranets, extranets, and low-volume
Web sites. 128-bit SSLs are the standard for large-scale online merchants, banks,
brokerages, health care organizations, and insurance companies worldwide.
What is Server-Gated Cryptography (SGC)?
U.S. government restrictions on U.S. vendors prevented the export of “strong” cryptography
several years ago. As a result, many people purchased computers or downloaded export
version browsers supporting only 40- or 56-bit SSL encryption. Microsoft developed
"Server Gated Cryptography" ("SGC") and Netscape developed "step-up" technology
to enable 128-bit SSL encryption with export browser versions. SGC allows users
with an export version browser to temporarily step-up to 128-bit SSL encryption
if they visit a Web site with an SGC-enabled SSL Certificate. Without an SGC certificate
on the Web server, Web browsers and PCs that do not support 128-bit strong encryption
will receive only 40- or 56-bit encryption.
What is Public Key Infrastructure (PKI)?
Public Key Infrastructure is the network security architecture of an organization.
It includes software, encryption technologies, and services that enable secure transactions
on the Internet, intranets, and extranets.
When VeriSign issues an SSL Certificate, we act as a Certificate Authority (CA).
VeriSign digitally signs each certificate we issue. Each browser contains a list
of CAs to be trusted. When the SSL handshake occurs, the browser verifies that the
server certificate was issued by a trusted CA. If the CA is not trusted, a warning
will appear. When high security browsers recognize an Extended Validation SSL Certificate,
they display the name of the CA next to the browser bar. VeriSign is one of the
most trusted CAs on the Internet. (See VeriSign Secured Seal Research Review.) The
VeriSign Trial Root CA is for testing purposes only and is not included in any browser's
trust list.
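The two steps described above, generating the CSR on the server and the browser-side check that the issued certificate chains to a trusted CA, reproduced with the openssl command line as an added example (not code from the original page or from VeriSign). It assumes the openssl CLI is installed; the host name, organization and the two CA labels are constructed for the demonstration, and the private CA stands in for the commercial CA.

```shell
#!/bin/sh
# Added example: CSR generation and trusted-CA verification with openssl.
# Names below are constructed; "trustedca" plays the role of a CA in the
# browser's trust list and "otherca" a CA that is not (like a trial root).
set -eu

make_csr() {
  # $1 = work dir, $2 = common name (the site's fully qualified host name).
  # The private key never leaves the server; only the CSR (public key plus
  # subject) is handed to the CA during enrollment.
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/C=US/O=Example Inc/CN=$2" >/dev/null 2>&1
  chmod 600 "$1/server.key"
}

csr_common_name() {
  # Read the CN back out of the CSR so it can be checked against the site
  # address before the request is submitted.
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

csr_matches_key() {
  # $1 = CSR, $2 = private key. The public key inside the CSR must be the
  # one derived from the key kept on the server.
  a=$(openssl req -in "$1" -noout -pubkey | openssl md5)
  b=$(openssl pkey -in "$2" -pubout | openssl md5)
  [ "$a" = "$b" ]
}

make_ca() {
  # $1 = work dir, $2 = CA label. A self-signed root: a browser trusts it only
  # if it appears in the browser's CA list.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1/$2.key" -out "$1/$2.pem" \
    -subj "/O=$2/CN=$2 Root CA" >/dev/null 2>&1
}

issue_cert() {
  # $1 = work dir, $2 = CA label, $3 = CSR, $4 = output certificate.
  # The CA signs the CSR; the result is the certificate installed on the server.
  openssl x509 -req -in "$3" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -out "$4" >/dev/null 2>&1
}

chain_trusted() {
  # $1 = trusted CA file, $2 = server certificate. This is the check a browser
  # performs during the handshake; a non-zero exit is the "warning" case.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Running the functions in order (make_csr, make_ca, issue_cert, chain_trusted) shows the certificate verifying against the CA that issued it and failing against any other CA, which is exactly what a browser does with its built-in trust list.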
The VeriSign subscriber agreement prohibits customers from using a certificate on
more than one physical server or device at a time, unless the customer has purchased
the Licensed Certificate Option. When private keys are moved among servers, whether
by disk or by network, accountability and control decrease, and auditing becomes more complex.
By sharing certificates on multiple servers, enterprises increase the risk of exposure
and complicate tracing access to a private key in the event of a compromise. VeriSign's
licensing policy allows licensed certificates to be shared in the following configurations:
redundant server backups, server load balancing, and SSL accelerators. See Licensing
VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for
more information.
How do I download the VeriSign Secured Seal for my Web site?
The VeriSign Secured Seal is available for display on any Web page within a domain
secured by a VeriSign SSL Certificate. Whether you are a new or existing customer,
you can download and install the VeriSign Secured Seal on your server. A JavaScript
verifies your common name and displays the seal. When site visitors click on the
seal, they receive a dynamically generated verification page specific to your certificate.
The Secured Seal may take up to 2 hours to display the first time you install it
for any given common name.
Is 128-bit SSL encryption really stronger than 40-bit SSL encryption?
Absolutely. When an SSL handshake occurs between a client and server, a level of
encryption is determined by the browser, the client computer operating system, and
the SSL Certificate. Low-level encryption, 40 or 56 bits, is acceptable for sites
with low-value information. However, a hacker with the time, tools, and motivation
can crack the code in a matter of minutes.
High-level encryption, at 128 bits, has 2^88 times as many possible keys
as 40-bit encryption. That's over a trillion times a trillion times stronger. That
same hacker with the same tools would require a trillion years to break into a session
protected by an SGC-enabled certificate.
What level of encryption do I need for my Web site?
Best security practices are to install a unique certificate on each server and choose
true-128-bit or better encryption by purchasing an SGC-enabled SSL Certificate.
A unique certificate keeps your private keys protected, and an SGC-enabled certificate
ensures that every site visitor, no matter what browser or operating system they
use, connects at the highest level of encryption their system is capable of. The
level of protection needed should be based on the value of your information and
the perception of your customers. You need 128-bit or better encryption if you process
payments, share confidential data, or collect personally identifiable information
such as social security or tax ID number, mailing address, or date of birth. You
need 128-bit or better encryption if your customers are concerned about the privacy
of the data they send to you.
A lot of companies advertise 128-bit certificates, but they don't have SGC. What is the difference between VeriSign's SSL Certificates and those of other providers?
Non-SGC SSL Certificates provide a minimum of 40-bit and up to 256-bit SSL encryption.
Site visitors using certain older browsers and many Windows 2000 systems using Internet
Explorer will only receive 40- or 56-bit encryption unless they're connecting to
an SGC-enabled SSL Certificate. VeriSign is the leading SSL provider of SGC-enabled
SSL Certificates, enabling 128- or 256-bit encryption for over 99.9% of Internet
users. (SGC: Strongest SSL Encryption.)
What do I need to know about Windows 2000 and 128-bit encryption?
Many Windows 2000 systems using Internet Explorer will fail to step up to 128 bits
unless they connect to an SGC-enabled certificate, even if they're using the most
current version of Internet Explorer. VeriSign is the leading SSL provider of SGC-enabled
SSL Certificates, enabling 128- or 256-bit encryption for over 99.9% of Internet
users. (SGC: Strongest SSL Encryption.)
Do VeriSign's SSL Certificates work with all browsers?
VeriSign's SSL Certificates work with virtually every Web browser that ever shipped
and all popular Web browsers used since 1996. VeriSign SSL Certificates offer the
highest browser compatibility achieved by any SSL Certificate. However, many browsers
will not be able to connect at 128-bit encryption unless there is an SGC-enabled
certificate on the server. Many millions of Internet users worldwide still use these
browsers. (SGC: Strongest SSL Encryption.) Certain Internet Explorer browser versions
from 3.02 to 5.23 and Netscape browser versions from 4.02 to 4.72 will fail to use
128-bit encryption unless connecting to SGC-enabled certificates. Internet Explorer
versions prior to 3.02 and Netscape versions prior to 4.02 are not capable of 128-bit
encryption with any SSL Certificate.
What is Extended Validation SSL?
Extended Validation SSL Certificates give high security Web browsers information
to clearly identify a Web site’s organizational identity. For example, if you use
Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate
that meets the Extended Validation Standard, IE7 will cause the URL address bar
to turn green. A display next to the green bar will toggle between the organization
name listed in the certificate and the Certificate Authority (VeriSign, for example).
Firefox and Opera have announced their intention to support Extended Validation
SSL in upcoming releases. Older browsers will display Extended Validation SSL Certificates
with the same security symbols as existing SSL Certificates.
What is the Extended Validation Standard?
To purchase an Extended Validation SSL Certificate, an organization has to go through
a validation process that meets the Extended Validation Standard established by
the CA/Browser Forum (soon to be released). In addition to confirming domain name
ownership, the process will likely include authenticating the authority of the contact
person requesting the certificate, verification of the business with government
or third party business registries, and other methods.
How will Extended Validation SSL increase consumer confidence?
As people use the Web for commerce, business, and social activities, they share
personal and confidential information. High profile incidents of fraud and phishing
scams have made Internet users very concerned about identity theft. Before they
enter sensitive data, they want proof that the Web site can be trusted and their
information will be encrypted. Without it, they might abandon their transaction
and do business elsewhere. High security browsers and Extended Validation SSL Certificates
provide third-party verification using a visual display that gives consumers confidence
and builds trust in e-commerce.
What are the benefits of Extended Validation SSL to Web site owners?
A High Assurance SSL Certificate helps your visitors complete secure transactions
with confidence and puts your organization in a leadership position. If your site
has the "green bar" in IE 7 and your competitor's site does not, you appear to be
more trusted and more legitimate. That's a competitive advantage in the world of
e-commerce. For businesses with a high profile brand, using Extended Validation
SSL is an effective defense against phishing scams. When customers see the green
bar and other displays of trust, they can interact with you online with confidence.
Who is eligible to receive an EV SSL Certificate?
The CA/Browser Forum dictates what kinds of entities are eligible to obtain EV
Certificates. The following entities are eligible provided they are currently registered
with and approved by an official registration agency in their jurisdiction. The
resulting charter, certificate, license or equivalent must be verifiable through
that registration agency.
• Government agencies
• Corporations
• General partnerships
• Unincorporated associations
• Sole proprietorships
The employment and authority of the person placing the certificate order must be
verifiable. These business entities need to have a confirmable physical existence
and business presence. Any assumed business names should be verifiable. A principal
individual associated with the business must be validated and that person must confirm
agreement to the certificate subscriber agreement. The entity cannot be located
in a country where VeriSign is prohibited from doing business or listed on any government
prohibited list, such as an embargo restriction.
Definitions
SSL Encryption - SSL Certificates bind an identity to a pair of electronic
keys that can be used to encrypt and sign digital information. When an SSL handshake
occurs between a client and server, a level of encryption is determined by the client
browser, the client operating system, the server configuration, and the SSL Certificate.
Millions of Internet users worldwide still use browsers that will not step up to
256-bit encryption unless there is an SGC-enabled certificate on the server. VeriSign
is the leading SSL provider of SGC-enabled SSL Certificates, enabling 128- or 256-bit
encryption to over 99.9% of Web site visitors.
SGC - Server-Gated Cryptography. VeriSign testing results have shown that when using
SGC certificates, virtually all combinations of Windows operating system, Internet
Explorer and server are able to step up to 128-bit encryption, i.e. utilize its
full potential.
Warranty - VeriSign SSL Certificates are covered by the NetSure Protection Plan with up to
$250,000 in warranty protection. NetSure protects certificate holders against certain
losses resulting from breach by VeriSign of the warranties included in your VeriSign
SSL Certificate.
Green Address Bar - Internet browsers that support the Extended Validation
Standard make it easy to see that a site is secure. When users navigate to a Web
site secured by an Extended Validation (EV) SSL Certificate, the address bar turns
green. In addition, the name of the organization listed in the certificate and the
security vendor appear next to the address, giving users an easy way to confirm
the identity of the site. Microsoft® Internet Explorer 7 is the first browser to
adopt the new standard.
Extended Validation - In 2006, a group of leading SSL Certificate Authorities
(CAs) and browser vendors approved standard practices for certificate validation
and display called the Extended Validation Standard. To issue an SSL certificate
that complies with the standard, a CA must adopt the extended certificate validation
practice and pass a WebTrust audit. The Extended Validation process requires the
CA to authenticate the certificate applicant's domain ownership and organizational
identity, as well as the individual approver's employment with the applicant, and
authority to obtain the Extended Validation SSL Certificate.
Authentication - VeriSign applies the industry's most rigorous authentication
methodology to protect your brand identity and your site visitors' online experience.
Prior to issuing your SSL Certificate, VeriSign verifies the existence of your business,
the ownership of your domain name, and your authority to apply for the certificate.
The validation practice for Extended Validation (EV) SSL Certificates also requires
confirmation that the requestor has the authority to purchase the certificate on
behalf of the company and the company's physical address. Our authentication procedures
undergo annual independent SAS 70 Type II audits and are WebTrust certified.
Revocation and Replacement - VeriSign will replace your SSL Certificate within
30 days of issuance at no cost. A replacement fee applies after 30 days. A replacement
SSL Certificate must have the exact same Distinguished Name as the original certificate.
Licensing - If you have multiple servers hosting a single domain, you can secure all of them
with a single certificate licensed for up to 5 servers. VeriSign's licensing policy
contains provisions for sharing certificates in multiple server configurations for
redundant server backups, server load balancing, and SSL accelerators.
Usage - SSL Certificates enable encryption across the Internet, intranets, and extranets.
They are installed on Web servers, mail servers, e-commerce sites, and FTP sites
- wherever customers, employees, or other users provide sensitive information or
log on to an account.
Browser Compatibility - VeriSign SSL Certificates are compatible with virtually
every browser in use today. SGC-enabled SSL Certificates enable every site visitor
to connect at the strongest SSL encryption available to them. Microsoft Internet
Explorer 7 supports Extended Validation SSL. Firefox and Opera have announced their
intention to support Extended Validation SSL in upcoming browser releases.
Validity Period - VeriSign offers 1-, 2-, and 3-year SSL Certificates, which may be renewed within
90 days of expiration. To ensure uninterrupted service, renew at least 30 days before
the expiration date. You will not lose the remaining validity period of the existing
certificate by renewing early. To reduce costs and management time, VeriSign recommends
multi-year certificates. (SSL Certificates with EV are available with 1- or 2-year
validity periods).