The Case For SSL Certificates on Your Website

09-14-2006, 07:42 PM
This article spells out the best reasons to add an SSL Certificate to your website if you sell ANYTHING. Written by an executive of VeriSign, you should feel justifiably compelled to purchase yours from VodaHost at the extremely affordable price available to get the results you deserve....

No Fear

Give the green light for online buying with high-assurance SSL certificates
By Tim Callan

Phishing and other forms of online fraud continue to be a growing problem, impacting online businesses and creating distrust among customers. According to a recent survey by Forrester Research, 84% of respondents—representing more than 119 million adults—believe businesses are not doing enough to protect them and 24% did not make purchases online at all due to security concerns. Security vendors and online retailers have been working tirelessly to bring trust to the Internet, and, as a direct response to the rise in Internet fraud as well as an effort to regain consumer trust and confidence, a new form of SSL certificate, referred to as a “high-assurance” SSL certificate, is due for release later this year.

This new standard is considered the biggest improvement in online trust infrastructure since 1995, when the original SSL standard and its implementation were created. That standard established a secure backbone that enabled the growth of e-commerce, online banking, and many other confidential online business applications as we know them today. It is only in the past few years that online criminals have made large exploits into some of the weaker parts of this secure backbone. The industry is establishing this new high-assurance standard to counter criminal progress and retain the high level of trust that SSL security has earned throughout the ecosystem.

Building confidence
The new certificates will demonstrate that a given site’s identity has been authenticated according to a specific process that the high-assurance standards committee has determined to be reliable based on the measured results of this process, so that consumers can be confident that the site they are connecting to is authentic and safe for shopping. Leading browsers will display these certificates differently than they do traditional SSL certificates, giving the online shopper increased information about the security decisions of the sites they connect to.

The first browser to take advantage of these new SSL certificates is expected to be Internet Explorer 7, which is available in beta release now and due in final release later this year. Consumers will see a distinct change in the browser when accessing a site that has been issued a high-assurance certificate, which will change the color of the address bar to green, the standard computer GUI color for “okay to proceed.” The browser also will display the name of the organization to which the certificate was issued and the name of the SSL certificate authority who issued the certificate (such as VeriSign or Thawte) immediately to the right of the address bar at the top of the browser.

“Standard authentication” SSL certificates will continue to appear in browsers the same way they do today. The address will begin with the letters “https,” and a lock icon will appear in the browser interface. But the address bar will not turn green and will not display the organization name. Site visitors, therefore, will know that the web site is secured by an SSL certificate and their communication with the site is encrypted, but without the green light they won’t expect the same high level of authentication indicated by a high-assurance SSL certificate.

Market adoption
In the absence of a high-assurance certificate, a retailer runs the risk of unnecessary abandonment. And in a competitive situation where one site has high-assurance SSL certificates but others in the same category do not, there’s a real chance of customers migrating away from the sites without the “green bar” in favor of those with one.

A group of leading SSL certificate authorities, or CAs, and browser vendors, is developing a standard practice of certificate validation and method of display. Once the standard is finalized and approved, a CA must adopt the new high-assurance practices and pass an audit by an approved third-party auditing firm in order to be able to issue high-assurance SSL certificates. Internet Explorer 7 already has support for these certificates built into the beta version that’s available for download today, and other leading browsers such as Mozilla Firefox and Opera are expected to support this new standard as well.

Since the new certificates are built upon the existing SSL protocol, they will be 100% backward compatible with browser versions and operating systems released prior to the high-assurance standard. That means retailers will be able to take advantage of the new high-assurance functionality without losing support for a single customer. Visitors using new browsers will get the “green light” while those using older browsers will have the exact same SSL experience they have today.

Blocking criminals
The browser and the certificate authority control the display of both the certificate’s high-assurance status and the certificate organization’s name. That makes it especially difficult for phishers and counterfeiters to build web sites that will appear to be high-assurance protected. Likewise, the standardized authentication will help ensure that criminals cannot obtain certificates for the sites they are attempting to imitate.

In order to qualify for high-assurance SSL certificates, online retailers will need to demonstrate the following:
- The retailer owns or has the right to use the domain in question.
- The retailer is a legally formed entity doing business under the appropriate name.
- The certificate requestor is in the employ of the retailer.
- The certificate requestor has the authority to obtain this certificate on behalf of the retailer.

There are some things a retailer can do to assist the CA in a smooth and speedy authentication. For example, as part of the industry specification for high-assurance certificates, an officer of the retailer may have to confirm the authority of the person requesting the certificate on the retailer’s behalf. Making sure the necessary officer is available to provide this confirmation can shorten the time required until your organization can begin using these certificates. This officer will have to be listed as an officer in public documents so that the certificate authority can confirm that this authority is validly given.

Before a retailer can order an SSL certificate, it must submit a certificate signing request, or CSR. The CSR must state exactly how the retailer wants its name to appear in the browser interface, including accurate capitalization and the correct use of suffixes such as Inc. or Ltd. For instance, a merchant might officially use the name Buy Lotsa Stuff, Inc., but market itself under the name Buy Lotsa Stuff. In that case, it’s important to make sure that the CSR contains the business name as “Buy Lotsa Stuff” as opposed to “Buy Lotsa Stuff, Inc.” or “Buy lotsa stuff” or even “BUY LOTSA STUFF.” All these versions would be acceptable representations of the merchant’s name by the standards of the high-assurance specification, and the certificate authority would be able to issue the high-assurance SSL certificate. On the other hand, only one of them represents the specific brand this retailer has decided to show to the public. That’s the brand the retailer should make sure appears in the browser.

Tuesday-Wednesday problem
One problem in particular can come about if a retailer has multiple certificate types deployed across a site simultaneously. Often businesses stagger their certificate validity periods across servers to reduce the risk of downtime. In the case of a visible security upgrade like a high-assurance SSL certificate, however, this presents what can be called the Tuesday-Wednesday problem.

Say BuyLotsaStuff.com is a fairly sizable e-commerce site with multiple servers providing different parts of service. If it pursues a staggered deployment of certificates across its servers, there will be a time during which some of the servers will have high-assurance SSL certificates and others will not.

If a visitor comes to the site on Tuesday and winds up on one of the servers with a high-assurance SSL certificate, she’ll receive a green light in her browser, know she’s on the right site and feel confident enough to make a purchase. But say she then puts something in her shopping cart and decides to wait until the following day to make a purchase. When she returns on Wednesday to finish her transaction, she winds up on a different page that does not yet have a high-assurance SSL certificate. Without the green light in her browser, she may think the site has lost its high-assurance status and abandon her purchase.

As adoption of high-assurance-enabled browsers increases, the magnitude of the Tuesday-Wednesday problem will also increase. In particular, when Windows Vista comes out of beta early in 2007 and becomes the default operating system on all new personal computers, it will contain IE7 as its installed browser, and at that time adoption rates should increase dramatically. Other leading browsers such as Firefox are also likely to take advantage of these certificates, so businesses should transition their public-facing servers over to high-assurance SSL as soon as they can.

High-assurance SSL certificates are the next step in combating the activities of phishers and other cybercriminals and will offer a fundamentally new and better browsing experience for online shoppers. As these certificates become visible on banks, top e-commerce sites, and other sites that lead the way in online security, online shoppers will expect to see them on all sites. Online retailers who do not participate with these new high-assurance SSL certificates will miss out on the opportunity to increase customer confidence and sales.
Tim Callan is director of product marketing for VeriSign Inc.

- Internet Retailer (September 2006)
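
The article's point about the CSR carrying the exact organization name can be checked before the request goes to the CA. The following is an added example, not part of the article or the original post: it reads the organizationName (O) field out of a CSR with the `openssl` command-line tool and compares it byte for byte with the name the retailer wants displayed. The function names and the hostname `www.buylotsastuff.example` are made up for illustration, and the throwaway CSR is generated only so the check has something to run on.

```shell
#!/bin/sh
# Added example: confirm a CSR's organizationName is exactly the intended
# display name (case and suffix included) before submitting it to a CA.

# csr_org FILE: print the organizationName (O) of a PEM-encoded CSR.
# "-nameopt multiline" prints one attribute per line and does not escape
# commas, so "Buy Lotsa Stuff, Inc." comes back unmodified.
csr_org() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *organizationName *= //p'
}

# check_csr_org FILE EXPECTED: exact, case-sensitive comparison.
# Returns 0 on a match, 1 otherwise.
check_csr_org() {
    actual=$(csr_org "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: O=\"$actual\""
    else
        echo "MISMATCH: CSR has O=\"$actual\", expected \"$2\"" >&2
        return 1
    fi
}

# make_csr DIR ORG CN: create a throwaway key and CSR for the demo.
# ORG must not contain "/" because -subj uses it as the field separator.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/key.pem" -out "$1/req.csr" \
        -subj "/C=US/O=$2/CN=$3" 2>/dev/null
}

# Demo with constructed values taken from the article's example names.
tmp=$(mktemp -d)
make_csr "$tmp" "Buy Lotsa Stuff" "www.buylotsastuff.example"
check_csr_org "$tmp/req.csr" "Buy Lotsa Stuff"
# The legal name with suffix is a different string and is reported as such.
check_csr_org "$tmp/req.csr" "Buy Lotsa Stuff, Inc." || true
rm -rf "$tmp"
```

Running `check_csr_org` against the real CSR file in place of the generated one gives the same pass or fail result without touching the private key.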

09-14-2006, 09:14 PM
Great article, click the below to learn more about our SSL certificates...