MENU
  • Enom.com
  • Resellers

Enom Blog

SSL
Category

  • The Importance of Authentication in SSL

    July 23, 2019

    Advice, SSL

     Like

    Views: 2010

    Update: Our latest Digicert Webinar covers the importance of authentication in SSL, and how it’s a key factor in properly marketing and selling certificates:

    Browsers have evolved to offer a better user experience and greater attention to security. Perhaps most importantly, they now display a security warning to users when they land on a website that lacks encryption:

    This is a step forward to a safer Internet, but encryption is only part of the security equation. 

    Without a means to verify the owner of that website, the user can’t be sure who they are sending their information to. 

    When SSL certificates were first introduced, they served both these critical purposes:  

    1.  Encrypting the data in transit

    2.  Authenticating the website to which the data is being sent

    They were issued by a small handful of Certificate Authorities (CAs), accredited and compliant third parties able to provide both encryption and authentication of your website. 

    But as the Internet grew, so did the number of CAs in the market, and the variety of SSL options. And what was the main differentiating factor among these certificates? The level of authentication they provided.

    Today, SSL products range from free “encryption-only” certificates, which can be registered in a matter of minutes, to Extended Validation (EV) SSL certificates, which, as their name suggests, involve a thorough validation (authentication) process as part of their registration. 

    When choosing an SSL certificate for your site, or helping a customer select one for theirs, your main question should be: what level of authentication do I need? After reading this blog, the answer will be clear.

     

    Minimal Authentication: Domain-Validation (DV) Certificates 

    DV certificates are often described as “encryption-only” because they don’t provide confirmation of who the website owner really is. To register a DV certificate, the website owner simply needs to prove ownership of the domain name(s) they are trying to secure. 

    Think of a DV certificate like a library card: they are easy to obtain and aren’t considered a credible form of identification. 

     

     

    When to use a DV certificate

    These certificates are sufficient if you’re securing a page just to maintain browser compliance (and avoid those warnings), or if you’re hosting a site that purely provides information and you want it done securely.

     

    Basic Authentication: Organization-Validation (OV) Certificates

    Before issuing an Organization-validated certificate, the Certificate Authority vets the organization and individual applying for the certificate. If a website visitor chooses to view the OV certificate, they’ll find this verified company information included in the details. 

    You can think of an OV certificate like a driver’s license: obtaining one involves a bit more hoop-jumping, but they are better trusted as a form of identification. 

     

     

     When to use an OV certificate

    If you collect any basic personal information from your users, for example, login credentials, they’ll likely want to know who they are sending this information to. An OV certificate from a reputable CA may provide sufficient authentication and assurance in these cases. 

    However, Extended Validation certificates (see below) are often a better fit for e-commerce pages or business-critical sites where consumer trust is particularly important.

     

    Advanced Authentication: Extended-Validation Certificates

    Extended-validation (EV) certificates involve the most rigorous authentication process and, consequently, provide the highest level of assurance to website visitors. 

    What’s more, as mentioned above, they do this in a very obvious way: a green address bar that includes the name of the company. Finally, the CA Browser Forum, the SSL industry’s governing body, sets specific guidelines to govern the registration and authentication process for EV certificates. 

    These factors combine to make EV certificates the gold standard, and the assurance they provide becomes ever more essential as the average Internet user becomes savvier and security standards rise. 

    Continuing with our analogy, EV certificates can be thought of as passports: they are internationally recognized as the most trusted way to verify a website owner’s identity.

     

     

    When to use an EV Certificate  

    We recommend using an EV if you’re looking to establish a high level of consumer trust or collecting sensitive information, which could range from login credentials to national identifiers, to credit card information. While not all browsers treat EV certificates the same way, for users, the additional visual cues can inspire trust and confidence to proceed with the transaction or activity.

     

    Looking to better market your SSL lineup?

    Our partners at DigiCert have some great resources to help you educate your customers and help them find the right fit.  Through your partnership with us, you have access to an array of brands and certificate types to help make sure you properly meet the needs of your specific customer for their specific project. You can view our SSL offering here.

     

    This post was sponsored by DigiCert, an Enom partner, and leading Certificate Authority.

     

     

    Read More

  • Why Choose an EV SSL Certificate?

    June 13, 2018

    Advice, Featured, SSL

     Like

    Views: 4164

    Identity theft and browser warnings are growing concerns among consumers. And while you may think enabling SSL on your website will allay these fears, failure to select the right TLS/SSL certificate can erode customer trust. To regain trust, site owners need an easy, reliable way to show customers that transactions are secure and that the site operator is who it says it is. But with the variety of TLS/SSL certs available – DV, OV, or EV – figuring out the best certificate for your business can be confusing. There are major differences in how domains are validated, and the following outline provides some key insights as to which certificate to select for your specific needs.

    Domain Validation (DV) SSL Certificates

    DV certificates prove ownership of the actual domain through a simple email validation process. DV certificates can be issued in minutes, show trust indicators in browsers (like the padlock icon), and enable HTTPS.

    However, DV certificates do not vet the legitimacy of an organization and should not be used for e-commerce sites. Accordingly, DV certificates are best for internal sites, test servers, test domains, and for small to medium-sized businesses seeking cost-effective security.

    Organization Validation (OV) SSL Certificates

    OV certificates provide the same level of protection as DV certificates but go one step further. With an OV certificate, the Certificate Authority (CA) confirms the business is registered and legitimate, checking details such as business name, location, address, and incorporation or registration information, making these certificates more suitable for public-facing websites.

    An OV certificate will also enhance a website’s reputation, providing customers greater assurance in conducting e-commerce transactions.

    Extended Validation (EV) SSL Certificates

    EV SSL certificates provide the highest level of trust, giving customers greater confidence that they are conducting business through trusted websites. EV SSL certificates are the industry standard for e-commerce websites. An EV SSL certificate triggers high-security web browsers to display an organization’s name in a green address bar and show the name of the Certificate Authority that issued it:

    EV SSL certificates confirm site identity and validate the organization according to rigorous industry guidelines established by the CA/Browser Forum, including a strict vetting process using techniques that have been proven reliable in protecting the internet’s most valuable online businesses for more than ten years.

    EV SSL certificates are a good choice for businesses, as these certificates can enhance credibility by showing suspecting consumers that sites are legitimately what they purport to be and that a business is serious about protecting the data of its customers.

    Summed up, for the greatest level of website security, EV SSL certificates are the best choice.

    Find Out More

    This post was sponsored by Comodo CA, one of our trusted SSL providers. For more information about SSL, and a complete list of their products, visit www.ComodoCA.com.

    Read More

  • A Guide to Choosing the Right SSL Certificate

    May 24, 2018

    Advice, Featured, SSL

     Like

    Views: 4300

    A parent preparing a toddler for her first beach vacation and a seasoned kayaker preparing for Zambia’s Ghostrider rapid will not reach for the same life jacket. In the world of digital security, the purposes and specs of the various products are also highly relevant to the consumer, although the differences between them may not be so immediately clear. But in both cases, it’s important that the customer find the right fit. Whether you’re a business owner looking for the right SSL certificate for your own website or a domain provider looking to curate a solid SSL offering for your own customers, here’s what you should know about TLS/SSL certificates and what to look for when selecting a certificate provider.

    What are TLS/SSL Certificates?

    SSL is short for “Secure Sockets Layer,” and SSL certificates are used to secure communications between a website, host, or server and the end users that are connecting to it (or between two machines in a client-server relationship). An SSL certificate confirms the identity of the domain name (for example, ComodoCA.com) that is operating the website and enables encryption of all information between the server and the visitor to ensure the integrity of all the transmitted information.

    Why are TLS/SSL Certificates So Important?

    Identity theft and browser warnings are growing concerns among consumers. Failure to select the right TLS/SSL certificate for your website can erode customer trust and lower your rate of completed transactions, negatively impacting your bottom line.

    How SSL Encryption Works

    Encryption makes use of keys to lock and unlock your information, meaning you need the right key to “open,” or decode, the secured information.

    Each SSL certificate comes with two keys:

    • A public key, which is used to encrypt (scramble) the information.
    • A private key, which is used to decrypt (unscramble) the information and restore it to its original format to make it readable.

    Where Are SSL Certificates Used?

    SSL certificates should be used in any instance where information needs to be transmitted securely. This includes:

    • Communications between your website and your customers’ internet browsers.
    • Internal communications on your corporate intranet.
    • Email communications sent to and from your network (or private email address).
    • Information between internal and external servers.
    • Information sent and received from IoT and mobile devices.

    Determining If a Site Has a Valid SSL Certificate

    A website without an SSL certificate displays “http:// ” before the website address in the browser address bar. This moniker stands for “Hypertext Transfer Protocol,” the conventional way to transmit information over the Internet. Most internet users are aware that this indicates a website is not secure and historically have looked for  https:// and a closed padlock symbol in their browser window to confirm that they are on the site of an authenticated organization:

    However, it’s no longer sufficient for business websites to simply enable HTTPS and display the standard padlock symbol to their visitors. Online consumers are demanding assurance that the identity of the website they are visiting has been verified by authentication procedures that are proven to be highly trustworthy. And this assurance is provided in the form of an Extended Validation (EV) SSL certificate. EV certificates display a hard-to-miss green identifier in the URL bar and indicate to the visitor that the website was subjected to extensive scrutiny by the issuing Certificate Authority. The consumer can be confident that they are at a legitimate website, not a phishing website.

    That’s not to say an EV certificate is necessary in every situation. But they can generate a higher level of consumer trust than other options, such Organization Validation (OV) certificates, or Domain Validation (DV) certificates, which undergo far less scrutiny.

    Choosing between EV, OV, and DV Certificates

    Domain Validation (DV) SSL Certificates

    DVs are best for small- to medium-sized businesses seeking cost-effective security with no need to establish site visitor trust. Issuance of a DV certificate simply requires proof of ownership of the associated domain name, which is provided through a simple email validation process. These certificates can be issued in minutes, enable HTTPS, and display a clear indicator, such as the padlock symbol, in internet browsers.

    However, DV certificates do not vet the legitimacy of the organization the website represents and should therefore not be used for e-commerce sites or sites that deal in sensitive information. They are, however, a great option for many internal sites, test servers, and test domains.

    Organization Validation (OV) SSL Certificates

    OV certificates provide the same level of protection as DV certificates but go one step further than simply requiring proof of domain ownership. With an OV certificate, the issuing Certificate Authority confirms the business associated with the domain name is registered and legitimate by checking details such as the business name, location, address, and incorporation or registration information. This makes the OV certificate a more suitable option for public-facing websites that represent companies or organizations.

    Extended Validation (EV) SSL Certificates

    EV certificates provide the highest level of trust by assuring consumers that they are conducting business through a trusted website. For this reason, these certificates have become the industry standard for e-commerce websites. EV SSL certificates trigger high-security web browsers to display a green address bar that includes the name of the company or organization that owns the domain. They also show the name of the issuing Certificate Authority:

    Confirmation of the website’s identity and validation of the organization is carried out according to the rigorous industry guidelines established by the CA/Browser Forum and involves a strict vetting process that is shown to be effective over the course of more than ten years of real-world use.

    EV SSL certificates are essential for large businesses or e-commerce sites as they can enhance credibility by showing discerning consumers that a prospective transaction is with a legitimate recipient and that the site is serious about protecting the data of its customers.

    What to Look for When Choosing a Certificate Authority (CA)

    As the world’s largest commercial Certificate Authority, Comodo CA is proactively monitoring for potential threats and attacks, working hand-in-hand with government agencies, browser providers, and our customers, to ensure it is keeping up with the ever-changing market.

    When evaluating a CA, be sure that it:

    1. Follows CA/B Forum Baseline Requirements.

    This industry group consisting of Certificate Authorities and browser manufacturers developed standards that each CA must meet for its roots to remain trusted in browsers. These include:

    • All information contained within the certificate must be validated to be true through a strict, clearly defined authentication process.
    • Certificates must meet specific minimum levels of cryptographic strength to protect the integrity of the certificate and private key from evolving threats.
    • Certificates must not exceed maximum specified durations.
    • CAs must follow guidelines for CA security, certificate revocation mechanisms, audit requirements, liability, privacy and confidentiality, and delegation of authority.

    2. Conducts Annual Audits – Both WebTrust and SOC 3

    Annual audits are crucial to CA security, yet not every CA makes them a priority. At a minimum, your CA should meet these auditing standards.

    • Maintain membership in the WebTrust program for CAs
      The WebTrust for Certification Authorities program was developed to increase consumer confidence in the Internet as a vehicle for conducting e-commerce and to increase consumer confidence in the application of PKI technology. Comodo CA, for example, undergoes an annual audit from Ernst & Young, which validates that:
    • The Certification Authority (CA) discloses its SSL certificate practices and procedures and its commitment to provide SSL certificates in conformity with the applicable CA/Browser Forum Requirements.
    • Subscriber information was properly collected, authenticated and verified.
    • The integrity of keys and certificates is established and protected throughout their life cycles.
    • Logical and physical access to CA systems and data is restricted to authorized individuals.
    • The continuity of key and certificate management operations is maintained.
    • CA systems development, maintenance and operations are properly authorized and performed to maintain CA systems integrity.
    • The Certification Authority maintains effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum.
    • Submit to publish an annual Service Organization Control 3
      The SOC3 report is published to confirm that the security controls for this cloud service have been examined by an independent accountant. Again, as an example, Comodo CA undergoes an annual audit from Ernst and Young, to validate that Comodo CA has maintained effective controls over its system as it relates to four core principles: security availability, processing integrity and confidentiality.

    To sum it up…

    Trust is everything in the world of online business. Investment in technology to protect customers and earn their trust is a critical success factor for any company that does business online or hosts an e-commerce website.  The effective implementation of TLS/SSL certificates is a proven tool to help establish customer trust. Check out Enom’s lineup of Comodo Certificates, or browse our full inventory of SSL products.

    Looking to learn more?

    This post was sponsored by Comodo CA, one of our trusted SSL providers. For more information about SSL, and a complete list of their products, visit www.ComodoCA.com.

    Read More

  • Google and Symantec resolve Chrome browser trust issues

    September 21, 2017

    Advice, Announcement, SSL, Uncategorized

     Like

    Views: 4676

    Update: February 8, 2018

    This blog post is a follow-up to the     information we published a few months ago regarding the Google-Symantec conundrum.

    Symantec and Google have agreed on a plan that requires Symantec to migrate certificate validation to a third party. In exchange, Google would ensure that the Chrome browser  continues to trust Symantec certificates validated by this third party. Shortly thereafter, DigiCert announced its plan to acquire Symantec’s Website Security Business by the end of 2017. With this acquisition, Digicert would effectively take over the validation for all of Symantec’s certificate brands by December 1st, 2017, which would satisfy the asks of the browser community.

    In light of these changes, Google has announced an updated plan as to how Chrome would deal with certificates issued by DigiCert’s validation infrastructure. This plan has received some coverage in the media, stating that Google would no longer trust any Symantec certificate brand by 2018. This information is incomplete, incorrect and it has created some confusion and uncertainty. Here’s what you need to know:

    • From December 1, 2017, all Symantec certificate brands (Symantec, GeoTrust, Thawte and RapidSSL) will be issued from DigiCert’s validation platform and Chrome will trust those certificates. For clarity: the Symantec certificate brands will continue to exist after December 2017, they will only be issued from a different, upgraded validation platform. Google will continue to trust all Symantec certificates that have been issued from this new platform after December 1st, 2017.


    What does this mean if you have a certificate from any of the Symantec brands?

     

    Certificates issued prior to June 1, 2016

    If you have a certificate that has been issued prior to June 1, 2016, the Chrome browser will no longer trust this certificate after March 15, 2018. In order to retain trust by the Chrome browser, you need to replace this certificate. Some important dates to keep in mind:

    • If the certificate expires prior to March 15, 2018, you need to do nothing. The certificate will continue to be trusted by Chrome until it expires.
    • If the certificate expires after March 15, 2018, but before September 13, 2018, you can re-issue this certificate any time before March 15, 2018.
    • If the certificate expires after September 13, 2018, you will need to re-issue the certificate before March 15, 2018.


    Certificates issued after June 1, 2016

    If you have an existing certificate that has been issued after June 1, 2016, the Chrome browser will no longer trust this certificate after September 13, 2018. Some important dates to keep in mind:

    • If the certificate expires prior to September 13, 2018, you need to do nothing. The certificate will continue to be trusted by Chrome until it expires.
    • If the certificate expires after September 13, 2018, you will need to re-issue the certificate before September 13, 2018.
    • If you have purchased a certificate after December 1, 2017, the Chrome browser will trust this certificate. You will not be required to re-issue.

    It is safe to continue to use Symantec certificates, but you will need to keep some of these key dates in mind to avoid any disruption. If your certificate has been purchased at any time with a 1-year validity period, it is very likely that no action is required on your part.

    We would like to remind you that re-issues for the Symantec family of certificates (Symantec, Thawte, GeoTrust, RapidSSL) can be done free of charge.

    Read More

  • Symantec and Google avert SSL meltdown

    June 7, 2017

    Announcement, Featured, News, SSL

     Like

    Views: 5391

    Google shook up the SSL industry back in March of this year when they released a proposal addressing “a series of failures by Symantec Corporation to properly validate certificates.” The outlined restrictions would effectively withdraw the Chrome browser’s trust in all certificates issued by Symantec. They notably included the removal of the green browser address bar, the primary visual indicator of Symantec-issued Extended Validation (EV) certificates.

    Though aimed at developers, the announcement sent waves of concern and uncertainty through the entire SSL industry and beyond. Symantec’s initial response defended their validation processes. However, details surrounding the alleged mis-issuance of thousands of certificates had already been released. It appeared that in the end, certificate holders were likely to suffer from the results of this power struggle.

    Since then, what was initially an explosive public debate has turned into a nuanced and constructive conversation, wherein both major players have taken on a more diplomatic stance. Both parties now seem committed to finding a way forward that will minimize the impact on Symantec customers and their end-users.

    Two months following the release of the initial proposal, Google and Symantec, with input from the rest of the Internet community, seem to have arrived at a common solution. On May 19, 2017, Google proposed an updated plan that would require Symantec to implement some significant changes to the way they operate their Certificate Authority (CA). In return, Google would continue to support Symantec certificates in their Chrome browser.

    Symantec responded to the new proposal last week, and while a few details still need to be ironed out, there appears to be general agreement on how to move forward. The good news is that most of the heavy lifting will fall to Symantec and, to some extent, the browser developers, instead of the certificate holders.

    Here’s what we can expect to see if this updated proposal is enacted:

    • Symantec would essentially rebuild its internal infrastructure from scratch over the next two years to create a new platform for certificate validation and issuance.
    • Until their modernized internal platform is ready, and its associated root keys are accepted across all major browsers, Symantec would work with 3rd-party CAs to perform the validation process. It’s important to note that the root keys tied to the previous platform would remain in place, allowing browsers to easily determine whether a certificate was issued from the old or new platform.
    • Partnering with trusted sub-CAs would allow Symantec to continue to issue Extended Validation (EV) certificates, and enable Chrome and other browsers to maintain trust for EV certificates and continue to display the green address bar.
    • Newly-issued certificates would be valid for longer than the 9-month period originally suggested by Google, though the exact length of the validation period is still being discussed.
    • Existing certificates, issued prior to June 1, 2016, might be gradually phased out and may eventually require revalidation. It is unclear at this time however, if this requirement is feasible, given the vast number of certificates that would need to go through the revalidation process.

    There’s still plenty of discussion about the details, but the nature of the conversation suggests that a solution, one which averts a major SSL meltdown, will be reached sooner rather than later. We’ll keep you updated as the fine points are finalized. The good news is that at present, there’s reason to remain confident in your existing SSL Lineup and selling practices.

    Read More

1 2 Next »

FEATURED POSTS

  • Tucows Celebrates 20 Years in the Domain Industry

    January 22, 2020

  • Our Ongoing Commitment to Combatting DNS Abuse

    October 18, 2019

  • We’ve refreshed our Webmail

    June 19, 2019

  • Colleagues review ICANN's temporary specification requirements.

    What Domain Resellers Should Know About ICANN’s Temporary Specification

    September 18, 2018

CATEGORIES

  • Advice
  • Announcement
  • Developers
  • DNS
  • Featured
  • Fun
  • GDPR
  • Industry Insight
  • New TLDs
  • News
  • Premium Domains
  • Promotion
  • Resellers
  • Roadmap
  • SSL
  • Uncategorized
  • WTB

ARCHIVES

  • March 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • September 2018
  • August 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • January 2016
  • December 2015
  • November 2013
Support
Report Abuse
Help Center
Contact Us

 Resources
WHOIS Lookup
Maintenance Alerts
Developers
Products & Services
Domain Name Search
Premium Domains
Web Hosting
SSL Certificates
Website Builder
Basic Email
Bulk Tools

© 2020 Enom Blog |