Internet users are trained to recognize the signs and symbols of secure websites — from the HTTPS in the URL to a lock icon in their browser. Is your website correctly configured with a digital certificate to provide your users with confidence that the information they share is being transmitted securely?
HTTPS: An Introduction
Web communications use a standard protocol, the HyperText Transfer Protocol (HTTP), that defines the format of messages exchanged between web servers and web browsers. Basic HTTP is a cleartext protocol: it transmits data across the network in an open format that anyone on the path can read. That makes it vulnerable to eavesdropping and unsuitable for transferring sensitive information, such as passwords, credit card numbers or trade secrets.
Organizations seeking to exchange this type of information over the web must turn instead to HTTP Secure (HTTPS), which adds security to the standard HTTP protocol through the use of encryption.
As with other forms of encryption, HTTPS depends on encryption keys to secure the flow of information. In this case, each web server has its own public key, which it presents to any browser seeking to establish a secure connection, and a matching private key that it keeps secret.
In order to ensure the security of communications, the user’s browser must have some way to verify that the public key presented by the server actually belongs to the organization claiming ownership.
That’s where digital certificates come into play. When Bank XYZ sets up its website, it must contact a trusted third party, known as a certificate authority (CA), and request a digital certificate for its server. The CA is then responsible for verifying the bank’s identity and issuing a certificate that contains the bank’s public key, which is digitally signed by the CA.
When the user visits Bank XYZ’s website, the browser automatically retrieves the digital certificate, verifies the signature to ensure that it was issued by a recognized CA, and then uses the public key to create a secure connection between the browser and the server.
Obtaining a Digital Certificate
The process of securing a digital certificate is fairly straightforward. Simply create an account with a certificate authority, submit to a basic identity verification process and provide server details and a credit card number. The CA then verifies the information and issues a digital certificate containing the organization’s public key and the CA’s digital signature.
In some cases, it is possible to skip the CA altogether and create a digital certificate oneself at no cost. These certificates, known as self-signed certificates, work in the same manner as CA-issued certificates, but they are accepted only by browsers and systems that have been explicitly configured to trust that particular certificate. Self-signed certificates are therefore typically useful for internal web applications accessed by employees, on machines the organization controls, while public-facing applications usually require CA-issued certificates.
While shopping for a digital certificate, be sure to choose a reputable CA that is trusted by the major web browsers. But beyond that, budget should drive the decision. A digital certificate that costs $499 from one CA is just as good as one that costs $99 from another CA.
One upgrade option worth considering is the extended validation (EV) certificate. These certificates require extensive identity verification by the certificate authority, and while they aren’t necessary for a secure website, they are a worthwhile enhancement for sites that handle extremely sensitive information. Financial institutions, in particular, frequently choose EV certificates.
Managing Digital Certificates
Once a digital certificate has been installed on a website, it must be managed on an ongoing basis. Digital certificates don't require extensive ongoing work, but the inventory of certificates needs monitoring to ensure that none expires unnoticed and that the keys behind them remain protected.
Maintaining a detailed inventory of certificates — including the identity of the CA that issued each, the server(s) using each certificate and their expiration dates — is a must. Many CAs offer certificate management dashboards for organizations that consolidate their certificates under one CA.
Letting a certificate expire results in visitors seeing an ominous browser warning that the site may not be secure. That warning does not disappear until the expired certificate is replaced with a renewed copy.
The other major task facing certificate administrators is ensuring that the private keys associated with certificates are safeguarded from disclosure. Certificate admins should verify that the server locations containing the keys have properly configured access controls and that all staff with access to the keys have undergone background checks.
Proper creation, installation and maintenance of digital certificates will ensure that customers are confident in an organization’s ability to protect their sensitive information from unauthorized disclosure. Don’t hesitate to invest the time and resources necessary to build a reliable certificate management program.