Tag Archives: SSL certificate

Have you read the news lately? It seems like hardly a week can go by without another data breach happening.

In the past few years, cybercriminals have upped their game considerably, using incredibly sophisticated attacks in growing number. Out of every six large companies, five were targeted last year for attack—that’s a 40% increase over 2013.*

The recent breach on federal employees’ private data, allegedly from China, only underscores the continued looming menace cybercriminals present—and this threat hasn’t gone unnoticed by the feds.

In a January 12 post on the White House Blog, President Obama is quoted as saying: “This is a direct threat to the economic security of American families, and we’ve got to stop it.” Further adding, “If we’re going to be connected, then we need to be protected.”  So true! And that line of thinking is what prompted the U.S. government’s latest move.

To help combat these attacks, the White House has mandated that all public-facing Web sites of the federal government must implement HTTPS within the next two years.

This is no minor security update. It carries far-reaching implications that extend beyond the fed. Here’s what we mean.

What HTTPS Offers to Everyone

HTTPS provides a secure line of communication over the Internet, combining the usual HTTP (Hypertext Transfer Protocol) that you see in the address bar of unsecure sites, with SSL (Secure Sockets Layer) that you’re likely to see on most sites involving financial transactions.    

This federal move shouldn’t come as a surprise, as the majority of the U.S. government sites have already made the switch to the secure protocol. This includes whitehouse.gov, which made the switch on March 11, 2015, to other federal sites that made the jump earlier, like ftc.gov, donotcall.gov, and others.

This goes beyond the initial site communication handshake—drilling down to subdomains, like examplesection.whitehouse.gov, too.

Up until now, many government sites are current with NIST-recommended SSL standards, but the administration has now moved to make prioritizing security and privacy a common practice among all aspects of federal government sites.

Make no mistake about it, this is huge!

These extra security measures follow the Always On SSL tenets advocated by the Online Trust Alliance, exhibiting some of the strongest moves yet to protect the identity and personal information of U.S. citizens online.

Others Must Follow, Strengthening the Security of the Web

Cybercrime isn’t going to easily back down.

Now, it’s far too easy to compromise private information on sites with subpar security. Today’s cybercriminals are smart and tenacious. By protecting all aspects of a site with SSL—not just transaction pages—businesses can help quell social engineering techniques. These complex ruses can now fool even the savviest netizens into handing over their private information to the bad guys.   

Nothing is 100% unhackable now and forever. But just like locking your car doors when you’re out, providing as much security as possible is still a good great idea! By expanding the coverage of SSL, we help further the strength and backbone of the Internet itself.

*2015 Internet Security Threat Report, Volume 20

In 1994, the first online purchase crossed the World Wide Web: a large pepperoni pizza with mushrooms and extra cheese from Pizza Hut. Over the next 20 years, e-commerce has exploded into a bustling economy, exceeding $1.2 trillion in sales in 2013.

This growth in online purchases rests upon a foundation of trust. People trust that the websites they use to track finances and make online purchases are secure and legitimate largely because of Secure Socket Layer (SSL) certificates- otherwise known as that little green padlock in the URL bar of the browser.

SSL certificates verify that the provider is who they claim to be and also indicate secure connections between personal devices and company websites. Understanding SSL certificates is important to help prevent falling victim to scammers. Because at the end of the day, not all sites, or SSL certificates, are created equal.

Different types of certificates

Website owners purchase SSL certificates through Certification Authorities (CA). There are three different types of SSL certificates, each providing a different level of security. The problem is that, even though all of these certificates provide the safety padlock in the URL bar of a browser, along with the HTTPS (“S” indicating “secure”) in the address bar,  the levels of security between types of certificates differ greatly. This is why it is important to understand what kind of SSL certificate a site is using when looking to perform financial transactions or anything involving personal user data.

• Domain validated (DV): This simply verifies who owns the site. It’s a simple process where the CA will send an email to the website’s registered email address in order to verify their identity. No information about the company itself is required. Cybercriminals commonly use DV certificates because they are easy to obtain and can make a website appear more secure than it actually is. For instance, fraudsters may use DV certificates to lure consumers to phishing websites that look authentic, or to cloned websites that look legitimate, but are designed to steal sensitive information.
• Organizationally validated (OV): To receive an OV certificate, a CA must validate certain information, including the organization, physical location and its website’s domain name. This process typically takes a couple of days.
• Extended validation (EV): This certificate has the highest level of security and is the easiest to identify. In order to issue an EV certificate, the CA performs enhanced review of the applicant to increase the level of confidence in the business. The review process includes examination of corporate documents, confirmation of applicant identity and checking information with a third-party database. In addition to adding the padlock in the URL bar of the browser, the “S” part of HTTPS, this adds the company’s name in green in the browser URL bar.

Can you tell the difference?

Clearly, the last URL is an EV certificate. The first is the DV certificate and the second is an OV certificate, which both look identical to each other.

What can people do to stay safe?

Now knowing what a SSL certificate is, the three different types, and that DV-enabled sites pose a risk for scams, how can users reduce the risk of shopping or performing other sensitive transactions online?

1. Be aware! Just because a website has the padlock or “https” next to a URL doesn’t make it safe for financial transactions. Users have learned to look for those two things before conducting a transaction, which is exactly why cybercriminals are going through the trouble of obtaining SSL certificates in the first place – to look like a legitimate site.
2. Know how to look for the type of SSL certificate a website has. As a first step, look for visual cues indicating security, such as a lock symbol and green color in the address bar. Only EV-enabled websites include the company name in the web address bar. Browsers do not distinguish a DV certificate from an OV certificate, however. To make it easy to tell the difference, Norton has created a free tool. You simply paste a URL directly into the tool and it will tell you if the site is DV-, OV- or EV-enabled, with results clearly highlighting how safe a site is.
3. Only conduct transactions and provide sensitive data to sites that have OV or EV certificates. There’s a time and place for DV certificates, but that doesn’t include using them for e-commerce sites. If you drop a URL into the Norton tool and the tool reports that the site has a DV certificate, rethink conducting any type of transaction via that site. If it’s an OV or EV certificate site, you know that the business information has been confirmed.

Let’s face it – online shopping isn’t going away. Until the industry requires an OV or EV certificate for e-commerce sites or an easier way to identify the types of certificates, people will have to bear some of the burden of combatting cyber risks. Knowing the risks ahead of time, consumers are less likely to be duped by phishing websites.

Readers can find more information on SSL certificates in this recent Symantec whitepaper or by visiting our Trust Services page.

As you might imagine, the Trust Services team at Symantec found ourselves scratching our heads last week when one of our competitors in the SSL market announced that it was now the “number one” certification authority in the world.  How could this claim be real, we questioned?  After all, for over 20 years, market analysts and customers alike have recognized Symantec as the leading and most trusted provider of SSL certificate products, solutions, and services around the world. 

With our curiosity piqued, we did a quick check of the most recent market reports and metrics from both Frost & Sullivan and Netcraft, the two most respected SSL market analysts in the industry.  While Frost & Sullivan analyzes the SSL market from a business perspective based on the revenue share of the various competitors, Netcraft actually crawls the Internet to analyze webservers and SSL certificate information to quantify market size and share.

Their studies continue to show Symantec at the top of the market (see chart below). 

Numbers aside, at Symantec, we believe “leadership” is earned rather than claimed.  Symantec’s success has largely been the result of our award-winning track record of Trust, Reliability, and Speed for our customers.  Over the years, we’ve demonstrated best-in-class OCSP response times allowing for faster and more secure web transactions for online businesses and consumers around the world.  Moreover, the Norton Secured Seal has continuously been displayed over half a billion times per day on websites in over 170 countries, serving as the most recognized trust mark on the Internet.  Over the past 2 decades, during the

tremendous growth of Internet activity and increased security threats, Symantec’s global infrastructure has NOT ONCE been compromised, never suffering a breach.  On the other hand, less than a week after this competitor claimed to be “number one” in the SSL market, the U.S. Department of Homeland Security reported on PrivDog, an SSL tampering tool associated with the competitor (see http://www.theregister.co.uk/2015/02/24/comodo_ssl_privdog).

So we’ll let the market decide, while we continue to do our best for our customers, earning every bit of trust that we can each day.