
WHITE PAPER


How to Choose
A Certificate Authority For Safer Web Security

Contents
How to Choose A Certificate Authority For Safer Web Security
The Role of Certificate Authorities
Why Do Sites Need to Be Trusted?
How Do People Using the Internet Know When to Trust A Site?
What Is A CA And What Are the Different Types of SSL Certificates?
How CAs Have Come Under Attack
What Measures Can a CA Take to Promote Trust In Its Certificates?
GeoTrust's Commitment to Security
The Gold Standard In Physical And Network Security
White Hat Reality Check
What Does the Future Hold?
More Information

The Role of Certificate Authorities
Why Do Sites Need to Be Trusted?
As use of the Internet has become increasingly commonplace and crucial to a wide range of
applications, criminals have found an ever-growing group of people they can target. Criminals are
exploiting Internet users in many ways, including:
• using social engineering, bogus links, spam and phishing to direct people to fraudulent
  websites that resemble the sites that they frequently use.
• setting up websites to be malicious destinations.
• hijacking user accounts and information by intercepting the data shared between people
  and websites through man-in-the-middle attacks such as the well-known Firesheep plug-in.
• fooling people into consciously or unconsciously giving up confidential details that can then
  be used for fraudulent purposes.
• putting malware onto a user's computer that quietly turns the machine into a tool for
  further crime.
• spoofing a domain, which may allow a criminal to impersonate someone sending email
  from that domain or spy on their conversations. This is not just a consumer problem:
  businesses' internal email systems can be compromised in this way too, opening them up to
  industrial espionage.
Apart from hurting users, this activity is detrimental to the brand of the real site being spoofed. Trust is
harmed when the user no longer feels safe.

How Do People Using the Internet Know When to Trust A Site?

Fortunately, people are becoming increasingly savvy about the need to trust the sites they are visiting.
They may not know the explicit details of the threats they face when dealing with malicious or
compromised websites, but they are aware that there are ways to establish trustworthiness, including:
• Padlock icon: The most common sign that a site is more trustworthy than others coincides
  with the use of https rather than http as the prefix to the page's web address and a
  padlock icon.
• Green address bar: More recently, users have become aware that the highlighting of part of
  the address bar denotes even greater security.

Behind the scenes, the https is an indicator that the page is being viewed using a secure connection
to the site owner's servers. HTTP Secure (HTTPS) combines the standard HTTP protocol with the
Secure Sockets Layer (SSL) protocol, and its use shows that the site's servers have been authenticated
using an SSL certificate. HTTPS also shows that the data shared between people and the site will be
encrypted during transit, to protect it from being seen or intercepted by eavesdroppers.
The coloring of the first piece of the address bar shows that the site's owner has gone a step further
and offered themselves up for extensive organization vetting and authentication procedures, to
prove the organization behind the site is who they say they are. By doing so, they will have gained an
Extended Validation (EV) SSL certificate that the browser can recognize, leading to the special green
coloring and the display of more information than usual about the site's operator and the CA who
authenticated the site.

The green address bar shows the name of the business verified to use this website address and means that this
web page is secure.

What Is A CA And What Are the Different Types of SSL Certificates?

The Certificate Authority (CA) is an organization that issues SSL and EV SSL certificates. You can tell
which CA issued a certificate by clicking the padlock next to the site's URL or, in the case of sites with
Extended Validation SSL, the name of the CA may be displayed in the address bar.

The user can always tell which CA issued a certificate by clicking on the padlock next to the site's URL.

Different types of SSL certificates offer different levels of site authentication:


• Entry-level Domain Validated SSL certificates. These SSL certificates only confirm that
  the person requesting the certificate is responsible for the domain being secured with the
  certificate. They do not validate the legitimacy of the entity itself. To issue a domain validated
  certificate, a CA sends an email to an address associated with the administrator of the site.
  The administrator uses a link or authentication token in the email to validate their domain
  and their request for a certificate, and the SSL certificate is issued. However, this leaves little
  guarantee that the applicant is a valid business entity.
• Organization Authenticated SSL certificates. These SSL certificates validate the business
  entity that stands behind the website. Organization Authenticated SSL certificates will only
  be issued once the CA has verified the organization's validity and ownership, and that the
  applicant is authorized by the organization to request the certificate. Some browsers display
  a blue color in addition to the HTTPS for these types of certificates.
• Extended Validation (EV) certificates. This is the most visibly trustworthy form of SSL
  certificate. Extended Validation certificates require the strongest level of organization identity
  vetting. Only CAs who have passed independent audits are allowed to issue these types of
  certificates. This certificate also triggers the highly recognized green color and the additional
  security information in the browser address bar.

How CAs Have Come Under Attack


In recent years, there have been several cases where the infrastructure of CAs' intermediaries was
not up to the task, leading to problems for their partners and, above all, for their customers. In one
notorious incident, the CA itself was completely compromised, causing major browsers to revoke that
CA's roots to render all certificates issued by that CA invalid and ultimately causing that CA to go out
of business.
When you choose your CA, you should look for a company that follows a holistic security approach
that encompasses physical, logical, network and personnel security. In addition, you should look for
a CA that takes the customer and site authentication process very seriously. If the authentication
process is too easy, it doesn't provide much in the way of identity validation assurance.
A CA's top business priorities should be:
• The continual hardening of the infrastructure that protects the cryptographic keys and
  system for issuing certificates
• Securing a rigorous authentication process that validates the identity of the certificate
  requester
As we have seen in the past, insufficient CA security was to blame for allowing fraudulent certificates
to be issued. In such cases, even genuine certificates had to be treated with suspicion, and in one case
this caused an entire CA to shut down.
Although price certainly plays a role in the purchasing process, as the multiple recent CA breaches
have reminded us, price should be but one of many factors in selecting a CA.
Several CAs have had to suspend issuing certificates because their systems were actually breached,
or they were unable to confirm or deny claims of a successful attack. Similarly, a CA's certificates could
be blacklisted by browser providers if the company does not offer strong enough encryption in its
products. When evaluating a CA, it's worth considering the vendor's history of trust and security.

What Measures Can a CA Take to Promote Trust In Its Certificates?

Without rigorous and diligent upkeep of their security infrastructure, CAs put their customers and
the web consumer community at risk. As recent attacks have demonstrated, a CA must keep its
cryptographic keys secure. Doing so is an increasingly difficult task, and the ability of a CA to maintain
absolute security is the most critical factor when choosing where to source your SSL certificates.
Customers should only use a CA that has a strong track record of trustworthiness and employs
measures including:
• Facilities that have been designed to withstand attacks
• Hardware monitoring and strong network security
• Biometrics-based security for the facilities, along with dual-access control for key systems
• Hardware-based systems for cryptographically signing certificates
• Ensuring dual control for the issuing of all certificates with the vendor's name on them
• Employing best practices for authenticating domain ownership
• Regular independent audits

GeoTrust's Commitment to Security

GeoTrust's core business is information security and we take the security of our own infrastructure
very seriously. GeoTrust has invested in and built the most robust and scalable certificate
authentication, issuance, management and hierarchy infrastructure in the industry. We believe that
the security strength of our operations is an important part of the value our customers get when they
buy their certificates from us. We are diligent about monitoring our networks and continuously work
to ensure that our infrastructure remains the gold standard.

The Gold Standard In Physical And Network Security
Persons fulfilling trusted roles must pass a comprehensive background check. We have a process
in place to ensure employees undergo background checks at least every 5 years. We maintain and
enforce control procedures to ensure the segregation of duties based on job responsibility and to
ensure that multiple trusted persons are required to perform sensitive tasks.
The physical construction of our Operations Center is comparable to Government grade protection
of military and intelligence services communications. Our operations use a tiered approach to our
physical environment comprised of 5 or more tiers with increasing levels of security. Individuals
are granted selective access to tiers on only a need to know basis. The highest tiers require 2 or
more authorized people to enter or remain. Use of video monitoring is employed throughout our
Operations Center.
We use a layered approach to our security architecture:
• Layer 1: The Outside Firewall
  - The Front-End (DMZ) behind the outside firewall
  - Location of Web and outside mail servers
• Layer 2: The Inside Firewall
  - The Back-End behind the inside firewall
  - Location of the sensitive signing servers and certificate databases
This architecture provides defense in depth, as an intruder must pass through or compromise 2
separate firewalls to reach the back-end.
• Every firewall logs events to disk
• Log files are reviewed daily
• Log files are retained for future forensic analysis
• Firewall logs are regularly reviewed for any unusual events

We actively monitor our systems for any signs of intrusion on a 24x7x365 basis. Every component of
our infrastructure is monitored for security compromises or attempted security compromises. In the
event of a detected compromise, our monitoring system is able to notify the appropriate personnel
for action. Notification is by multiple methods, such as e-mail alert, pager alert, and
console monitoring.
Logs are generated for:
• Routers, firewalls and network machines
• Database activities and events
• Transactions
• Operating systems
• Access Control Systems
• Mail servers
Logs are archived and retained in a secure location for a minimum of 12 months.
We also log the following significant events:
• CA key life cycle management events, including:
  - Key generation, backup, storage, recovery, archival, and destruction
  - Cryptographic device life cycle management events
• CA and Subscriber certificate life cycle management events, including:
  - Certificate Applications, renewal, rekey, and revocation
  - Successful or unsuccessful processing of requests
  - Generation and issuance of Certificates and CRLs
• Security-related events including:
  - Successful and unsuccessful PKI system access attempts
  - PKI and security system actions performed by the CA personnel
  - Security sensitive files or records read, written or deleted
  - Security profile changes
  - System crashes, hardware failures and other anomalies
  - Firewall and router activity
  - CA facility visitor entry/exit
To ensure constant vigilance of security in the environment we constantly perform assessments. Daily
vulnerability scans and audits are performed to ensure that adequate security measures are in place.
The vulnerability scans are performed by trained individuals who understand the impact as well as
assess the results. These scans are performed both internal and external to the network. Any findings
of sufficient security vulnerability are remediated within 24 hours.
White Hat Reality Check

We also regularly perform penetration tests - a series of exercises performed from outside the system
to determine if there are any exploitable openings or vulnerabilities in the network. In particular, it
uses the known techniques and attacks of hackers to verify that the network is safe from unauthorized
penetration. We employ an independent third party to conduct penetration tests on our network.
The threat landscape is rapidly evolving as CAs come under increasing pressure from external attacks.
Now, more than ever, it is critical to partner with a CA vendor who has network infrastructure security
measures in place to defend itself, and your data, from emerging cyber-threats.

What Does the Future Hold?


Criminals and state-sponsored hackers have figured out what website owners also need to realize:
not all CAs are equal. Some CAs are more vulnerable than others, and it is becoming increasingly
worthwhile for hackers to exploit that vulnerability.
As cloud applications start to take over from traditional desktop programs, the mass of data that
needs to be kept secure keeps growing and including new types of critical information. Your
customers' trust is paramount, but a bad choice of CA could see your business risk the exposure of not
only your customers, but also your own internal data, from mail and documents to spreadsheets and
unified communications.
Recent attacks have also revealed that hackers use a variety of means, big and small, to try to
penetrate CAs' systems. CAs must keep evolving to ensure they are ahead of the game, for their own
sake as well as that of their clients.
The CA you choose has to have an infrastructure that is up to the task, along with the means to act
both proactively and reactively to any threat. Their security has to be extensive and varied. They have
to have their eye on every link in the chain. The stakes are too high to settle for less.

More Information
Visit our website
http://www.geotrust.com/ssl
To speak with a Product Specialist in the U.S.
Toll Free +1-866-511-4141 Tel +1-650-426-5010 Fax +1-650-237-8871
To speak with a Product Specialist outside the U.S.
Australia and New Zealand +61 3 9914 5661
Japan - TEL : 03-5114-4776
UK - +44 203 0240907
DE - +44 203 0240907
FR - +44 203 0240907
ES - +44 203 0240907
About GeoTrust
Speed. Reliability. Trust. All of GeoTrust's resources, from authentication to customer support, are
devoted to making it fast and easy to deploy the best SSL security possible. That's why GeoTrust is one
of the world's most trusted providers of SSL security solutions protecting more than a half million
websites for more than 100,000 companies globally. With GeoTrust, maximum SSL security is as easy
as Buy it. Install it. And move on to other tasks.
www.GeoTrust.com
CORPORATE HEADQUARTERS
GeoTrust, Inc.
350 Ellis Street, Bldg. J
Mountain View, CA 94043-2202, USA
Toll Free +1-866-511-4141
Tel +1-650-426-5010
Fax +1-650-237-8871
enterprisesales@geotrust.com

EMEA SALES OFFICE
GeoTrust, Inc.
8th Floor Aldwych House
71-91 Aldwych
London, WC2B 4HN, United Kingdom
Tel +44.203.0240907
Fax +44.203.0240958
sales@geotrust.co.uk

APAC SALES OFFICE
GeoTrust, Inc.
134 Moray Street
South Melbourne VIC 3205
Australia
sales@geotrustaustralia.com

© 2013 GeoTrust, Inc. All rights reserved. GeoTrust, the GeoTrust logo, the GeoTrust design, and other trademarks, service marks, and designs are
registered or unregistered trademarks of GeoTrust, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are
the property of their respective owners.
UID: XXX/11/13
