
Keynectis SSL Certificate - Expert Advice


Expert Advice

Issy-les-Moulineaux, 24th of March 2011

How to choose your SSL certificates for an effective protection of your web sites?

During the last few days, hacking attacks have hit several extremely popular web sites. The consequence of this cyber-attack has been the issuing of fraudulent SSL certificates. Impersonating these web sites led to phishing: Internet users who thought they were browsing an official web site were in fact redirected to a web site belonging to pirates. The risks users have faced include the theft of their digital identity or of confidential data such as banking information.

How could those attacks happen? What are the consequences? And how can they be avoided? Some first answers from Patrick Duboys, in charge of the SSL business at Keynectis.

Let's first look at what an SSL certificate is. It is a digital certificate for a web server that hosts web pages; it can be seen as the equivalent of a « digital passport ». It establishes the link between web pages (a domain name or a URL) and their owner (an organization or an individual). It authenticates the server and secures the digital transactions between the server and the people who connect to it over the Internet.

So what does an SSL certificate enable?

- It establishes trust through the authentication of the web site and through the encryption of all the information (private, confidential and banking information) that transits between the web site and the person using it.

- It guarantees the identity of the web site, in order to prevent pirates from stealing that identity and then stealing from Internet users.

Why was this attack possible and what are the consequences?

An attack allowed pirates to authenticate themselves as an authority that had been granted the right to issue certificates. Some browsers check neither the CRL* nor use OCSP*. The forged certificates have been used widely over the Internet. Nine certificates have been issued, including 8 for very popular web sites. Phishing has therefore been possible: Internet users going to what they thought were legitimate web sites may have had their identity or personal data stolen.
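As an added illustration, not part of the Keynectis text, the following Go program shows the revocation check that the paragraph above says some browsers skipped. It builds a throwaway CA, one server certificate and the CA's CRL (the list of revoked certificates defined in the footnote), then validates the chain and consults the CRL before trusting the certificate: a revoked certificate, a stale CRL, or a CRL not signed by the issuer is rejected. The CA name, the host name www.example.test and the serial numbers are constructed for the example; OCSP is not shown because Go's standard library has no OCSP client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)
// Hypothetical host name for the constructed server certificate (not from the article).
const leafHost = "www.example.test"
var ErrRevoked = errors.New("certificate is listed on the issuer's CRL")
var ErrStaleCRL = errors.New("CRL is outside its thisUpdate/nextUpdate window")
// miniPKI holds a constructed CA, one server certificate it issued, and the CA's CRL (DER).
type miniPKI struct {
	CA, Leaf *x509.Certificate
	CRLDER   []byte
}
func must(err error) { // setup failures in the throwaway PKI are fatal, not "not revoked"
	if err != nil {
		panic(err)
	}
}
// buildPKI generates a throwaway CA and server certificate, then issues a CRL valid for 24h.
// With revokeLeaf=true the certificate is placed on the CRL, like one withdrawn as fraudulent.
func buildPKI(revokeLeaf bool) *miniPKI {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err := x509.ParseCertificate(caDER)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1002), Subject: pkix.Name{CommonName: leafHost}, DNSNames: []string{leafHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	must(err)
	leaf, err := x509.ParseCertificate(leafDER)
	must(err)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(24 * time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	must(err)
	return &miniPKI{CA: ca, Leaf: leaf, CRLDER: crlDER}
}
// verifyWithCRL does the check the article says some browsers skipped: after building a chain to a
// trusted root and matching the host name, it consults the issuer's CRL before trusting the certificate.
func verifyWithCRL(leaf, issuer *x509.Certificate, crlDER []byte, host string, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(issuer)
	opts := x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("cannot parse CRL: %w", err)
	}
	// A CRL only counts if the certificate's issuer signed it; otherwise an empty list could be substituted.
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature invalid: %w", err)
	}
	// Fail closed on a stale CRL instead of silently accepting the certificate.
	if at.Before(crl.ThisUpdate) || at.After(crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
func main() {
	for _, revoked := range []bool{false, true} {
		p := buildPKI(revoked)
		fmt.Printf("certificate on CRL=%v -> verify: %v\n", revoked, verifyWithCRL(p.Leaf, p.CA, p.CRLDER, leafHost, time.Now()))
	}
}
```

Run as a normal Go program: the first round trusts the certificate, the second, where the CA has placed the certificate's serial number on its CRL, rejects it. Treating a stale or missing CRL as an error rather than as "not revoked" is the fail-closed choice; a client that soft-fails gives a fraudulently issued certificate the same free pass the article describes.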


There are simple solutions to protect ourselves against such attacks: SSL Extended Validation certificates.

SSL certificates are the most effective way to avoid such situations. But be aware that there are two types on the market:

- The « standard » SSL certificates
- The SSL Extended Validation (EV) certificates

EV certificates are today one of the only real protections against phishing available on the market. They were created as a direct answer to the increase in fraud on the Internet, in order to build up the confidence of consumers doing on-line transactions. The SSL Extended Validation standard improves the visual cues shown by highly secured web browsers: SSL EV certificates are the only ones to display the name of the organization in a green address bar. The delivery of EV SSL certificates is subject to even more thorough verifications, such as complex procedures and regular audits of processes. These requirements allow the delivery of certificates with the highest level of security.

* OCSP (Online Certificate Status Protocol): an Internet protocol used to check the validity of an X.509 digital certificate.
* CRL (Certificate Revocation List): the list of certificates that have been revoked and are therefore no longer valid or trustworthy.

For any further insight or expertise on this subject, please contact OXYGEN in order to be put in contact with Patrick Duboys, who is in charge of the SSL business at Keynectis.

About Keynectis: KEYNECTIS is a software and SaaS provider, fully focused on Information Security Technologies. A pioneer of Cloud Computing with more than 12 years of experience, KEYNECTIS offers a wide range of solutions ensuring secure digital identity management as well as the security of digital documents and transactions for government bodies, financial institutions and corporates worldwide.

With more than 20 million digital identities protected and 450 million digital transactions secured every year, KEYNECTIS is a European leader on Information Security Technologies.

Learn more at www.keynectis.com

Media contact: OXYGEN, Tatiana Graffeuil / Estelle Deswarte, +33 1 55 64 22 85, [email protected]

Keynectis contact: Caroline Drobinski, +33 1 41 11 37 89, [email protected]