The Secure Sockets Layer (SSL) Protocol was adopted by Netscape in 1994 as a response to the growing concern over Internet security. Netscape’s goal was to create an encrypted data path between a client and a server that was platform- and OS-agnostic. Netscape also embraced SSL to take advantage of new encryption schemes such as the recently adopted Advanced Encryption Standard (AES), considered more secure than the Data Encryption Standard (DES). Indeed, by June 2003, the US Government deemed AES secure enough to be used for classified information:
“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. The implementation of AES in products intended to protect national security systems is certified by NSA ….” (Source: Wikipedia, Definition AES)
Updated versions followed, and today version 3.0 has grown in popularity and become a standard. Further, SSL 3.0 is the version most Web servers support today.
What kind of trust do SSL certificates deliver?
Since its inception, the main role of SSL has been to provide security for Web traffic, including confidentiality, message integrity, non-repudiation and authentication. SSL achieves these elements of security through the use of cryptography and properly authenticated digital certificates.
SSL certificates, therefore, are critical for the user to trust a website operating from a server before sending private information to the server. But encryption is only one part of the “trust equation” that SSL delivers. SSL certificates issued under the X.509 standard ought to deliver information about the identity of the entity since certificates act as “digital documents” that verify that a specific public key does, in fact, belong to the specified entity. This identity verification helps the user to distinguish between authenticated and fraudulent websites.
Low Assurance SSL Certificates Create Gap in Online Trust
Certification authorities play a key role in establishing trust in online identities. Since a digital certificate is a statement of the identity of the entity or individual who wishes to be authenticated, a trusted third party is needed to validate the identity attached to the certificate. This third party is the certificate authority whose responsibility it is to deliver authenticated identity trust assurance for online entities.
Unfortunately, not all certification authorities adhere to similar standards in identity assurance. In fact, some certification authorities issue certificates without any process to authenticate and verify the identity of the business requesting the certificate. Worse, these non-vetted certificates display the same yellow padlock as the identity-assured SSL certificates. These weakly validated certificates rely only on domain name registrar details to validate ownership, which provides virtually no identity assurance.
Let us look at the following example. Is www.ABCompany.com or www.ABC-company.com the real web page of ABC Company, or does one of the URLs belong to a fraudster or impostor? Determining whether you are on the legitimate site would require further validation. If a website does not have identity authentication, any fraudster can procure the trusted yellow icon to launch phishing or pharming attacks from a fraudulent website, because users cannot easily distinguish between low assurance certificates and the identity-validating high assurance certificates.
That’s why EV SSL certificates were introduced to close this trust gap.
When an EV certificate secures a site, users of Microsoft Internet Explorer, Opera or Mozilla Firefox will immediately see the address bar turn green when they visit the website. A display next to the URL will toggle between the organization name and the certificate authority that issued the SSL certificate. The green bar means that a third party has authenticated the identity of the business. Other browser vendors will also provide a similar display.
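As an added example (not the article's own code), the following Python classifies the identity assurance a certificate carries from the subject attributes and policy OIDs that underlie the low-assurance versus EV contrast above and the green-bar display. The getpeercert()-style input layout, the CA/Browser Forum policy OIDs (published after this article) and the sample subjects are assumptions; real browsers decide EV by matching the issuing root's registered EV OID, not by inspecting the subject alone.

```python
# Added example (not the article's code): classify the identity assurance a
# certificate carries from its Subject and certificatePolicies. `subject` mirrors
# the 'subject' value Python's ssl.getpeercert() returns (a tuple of RDNs, each a
# tuple of (attribute, value) pairs); policy_oids is assumed extracted separately.

# CA/Browser Forum policy OIDs (published values, later than the article).
EV_OID = "2.23.140.1.1"
OV_OID = "2.23.140.1.2.2"
DV_OID = "2.23.140.1.2.1"

# Subject attributes the EV Guidelines require alongside the EV policy OID.
EV_REQUIRED = {"organizationName", "businessCategory", "serialNumber",
               "jurisdictionCountryName"}

def subject_fields(subject):
    """Flatten a getpeercert()-style subject into {attribute: value}."""
    return {name: value for rdn in subject for name, value in rdn}

def assurance_level(subject, policy_oids=()):
    """Return 'EV', 'OV' or 'DV' for the level of identity vetting the certificate asserts."""
    fields = subject_fields(subject)
    oids = set(policy_oids)
    if EV_OID in oids and EV_REQUIRED.issubset(fields):
        return "EV"   # CA asserts EV and the vetted identity fields are all present
    if fields.get("organizationName") or OV_OID in oids:
        return "OV"   # an organization is named, but not vetted to the EV standard
    return "DV"       # domain control only: no identity behind the padlock

def address_bar_label(subject, policy_oids=()):
    """Text an EV-aware browser shows beside the URL: the vetted organization and
    jurisdiction for EV, otherwise only the host name, since no identity was checked."""
    fields = subject_fields(subject)
    if assurance_level(subject, policy_oids) == "EV":
        return f"{fields['organizationName']} [{fields['jurisdictionCountryName']}]"
    return fields.get("commonName", "")

# Constructed sample subjects (not real certificates): a low-assurance DV
# certificate for a look-alike name, and an EV certificate for the real company.
DV_SUBJECT = ((("commonName", "www.abc-company.example"),),)
EV_SUBJECT = (
    (("jurisdictionCountryName", "US"),),
    (("businessCategory", "Private Organization"),),
    (("serialNumber", "1234567"),),
    (("organizationName", "ABC Company Inc."),),
    (("commonName", "www.abcompany.example"),),
)

if __name__ == "__main__":
    for subj, oids in ((DV_SUBJECT, [DV_OID]), (EV_SUBJECT, [EV_OID])):
        print(assurance_level(subj, oids), "->", address_bar_label(subj, oids))
```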
SSL is vital to Web security. It provides a strong sense of confidentiality, message integrity, and identity authentication to users. The business of e-commerce is tied closely to consumer confidence in the identity assurance aspect of SSL certificates across the net.
As a result, in the future SSL certificates will evolve to offer more security and identity assurance. Encryption key lengths, cipher suites and guidelines for SSL certificates will also evolve to ensure a consistent level of identity verification during online transactions. This way, e-commerce will be able to continue to grow as users grow more confident in shopping and banking online.