Which SSL Certificate is Better and How to Choose Them
On July 20, Google announced that the Chrome browser no longer trusted SSL certificates issued by the certification authority (CA) WoSign and its subsidiary StartCom. As explained in the company, the solution is associated with a number of incidents that do not meet the high standards of CA, in particular, issuing certificates without authorization from the IT giant.
- Earlier this year it also became known that organizations responsible for issuing certificates will have to start taking into account special DNS records. These records will allow domain owners to define a “circle of persons” that will be allowed to issue SSL/TLS certificates for their domain.
- All these decisions are to a certain extent related to the increase in the number of hacker attacks and phishing sites. Encrypted connections to websites on HTTPS are becoming more widespread on the Internet. Certificates not only allow you to encrypt data sent between the browser and the web server but also to certify the organization that owns the site. In today’s material, we will look at what types of certificates are available and touch upon the issues of their receipt.
All SSL certificates use the same methods of data protection. For authentication, asymmetric encryption algorithms are used (open-private key pair), and symmetric (private key) for confidentiality preservation. However, they differ in the verification method: any certificate must be verified by the certification authority in order to make sure that it belongs to the correct and authorized site. There are several types of certificates.
The first type is certificates with domain verification (Domain Validated). They are suitable for non-commercial sites, since only the serving Web site that is transitioned to confirms.
- The DV certificate does not contain identifying information in the field of the organization name. Usually, the value “Persona Not Validated” or “Unknown” is listed there.
- To verify the identity of the certificate requesting authority, the CA sends a letter to the email address associated with the domain name (for example, firstname.lastname@example.org). This is done to make sure that the person who requested the certificate is indeed the owner of the domain name. Google does not need to prove to the public that www.google.com belongs to it, so it can easily use simple certificates with domain verification (however, the IT giant still uses OV certificates, which are next).
- Other verification options include adding a TXT record to the DNS or placing a special file on the server that can be read by the CA. This type of certificate is the cheapest and most popular, but it is not considered completely secure since it contains information only about the registered domain name. Therefore, they are often used for protection on internal networks or on small websites.
The second type of certificate is called Organization Validated, or certificates with organization verification. They are more reliable than DV because they additionally confirm the registration data of the company owning the online resource. All necessary information is provided by the company when buying the certificate, and CA is then directly contacted with the representatives of the organization to confirm it.
The third type is Extended Validation, or a certificate with extended validation, which is considered the most reliable. It first appeared in 2007 and needs websites that conduct financial transactions with a high level of confidentiality. In this case, the whole address bar of the browser will be highlighted in green (that’s why they are called “with a green line”). Plus in the green area will be the name of the company.
About how different browsers inform users about the availability of a certificate can be read here.
Note that if the user is redirected to a third-party site to perform payments and transaction processing, confirmed by a certificate with extended verification, then, in this case, enough conventional OV certificates will suffice.
- EV certificates are useful if you need to “tightly” associate a domain with a physical organization.
For example, Bank of America and the domain bankofamerica.com. In this case, the certificate with the organization check ensures that the resource really belongs to the bank, where the user can physically deposit their money – this is at least convenient for users.
- Moreover, EV certificates protect against attacks using phishing sites, as was the case with Mountain America Credit Union. Attackers managed to get a legal SSL-certificate for a copy of the site of the credit organization. The fact is that the bank used the domain name macu.com, and the attackers used the name mountain-america.net and when submitting the application “hung out” an innocent looking site. After receiving the certificate, the site was replaced with a phishing resource. EV-certificates seriously complicate the implementation of such a “focus” – at least the address of the culprit is immediately known.
- Issuing certificates such as OV or EV, the certification center should make sure that the company receiving the certificate does exist, is officially registered, has an office, and all specified contacts are workers. The evaluation of the organization begins with the verification of its official state registration.
- After receiving the application for the certificate, CA sends the forms with questions about the organization that needs to be filled and signed. Their signatures and stamps are put by the head of the company and the chief accountant. After that, the scanned documents are sent back to the certification center, where they are checked by the EGRUL and TIN ID numbers.
If the submitted data fully satisfy the employees of the certification center, a certificate is issued. If you need to legalize documents, you will have to send scanned images of the requested documents by e-mail to the certification authority.
- It is preliminary to clarify whether translation of these documents is required and notarization of the translation, and also whether the notary certification is required by an apostille. Instead of the apostille to confirm the powers of the notary, you can inform the certification center. And translation, and notary services, and apostille will require some additional costs and organizational efforts, so before confirming the need for these actions, the certification center should not be engaged in them.
- CAs may issue EV certificates to government agencies, but the latter must satisfy a number of requirements. First, the existence of the organization must be confirmed by the administrative-territorial formation in which it operates. Secondly, the organization should not be located in a country where the CA issuing the certificate is prohibited. Also, the state structure itself should not be represented in any of the lists of prohibited organizations.
- At the same time, we note that there are also international agencies that can check the official documents of the company and act as a certifier of its legitimate existence. The most famous of these agencies is Dun & Bradstreet. After checking the organization D & B produces a digital identifier – DUNS (Digital Universal Numbering System) – which can be referenced to confirm the legality of the organization.
Execution of an SSL certificate such as OV or EV will require some organization from the organization wishing to receive it. However, the result of all the efforts expended will be increasing the reputation and the level of customer confidence in the organization on the Internet.
Chain of Certificates
In general, one certificate is enough to encrypt the data sent between the web server and the user’s browser. However, if you look at the way of certification of the resource google.com, you can see that there are as many as three of them.
- When visiting many sites, for example, banks or railway ticket offices, users want to be sure not only that the connection is protected, but also that the opened site is the right one. To certify this fact, one certificate is not enough. It is necessary for the third party (CA) to confirm that a certificate issued for this site is used to protect the connection.
- If someone “B” has certified the identity of “A”, and you trust “B”, then the problem is solved.
- If you do not know “B”, then he can report that he knows “V”.
- The length of the identity chain is unlimited. The main thing is that it turns out to be the one to whom the user trusts. Moreover, historically and technologically, a number of certification centers have received the greatest recognition in the IT field. Therefore, it was decided to call their cryptographic certificates root and always trust such signatures.
- The list of root certification centers and their public keys are stored on the user’s computer. If a chain of successively signed certificates completes the root certificate, all certificates included in this chain are considered to be confirmed.
Other Types of Certificates
- Finally, we would like to say that in addition to the graduation certificates – DV, OV, EV – there are other types of certificates.
- For example, certificates may differ in the number of domains to which they are issued. Single-certificate certificates (Single Certificate) are tied to one domain specified at purchase. Multi-domain certificates (such as Subject Alternative Name, Unified Communications Certificate, Multi Domain Certificate) will be effective for a larger number of domain names and servers, but each name included in the list above the indicated number will have to be paid separately.
- There are also subdomain certificates (such as WildCard) that cover all subdomains of the domain name specified during registration. Sometimes certificates may be required, which will simultaneously include several subdomains in addition to domains. In such cases, it is necessary to purchase certificates such as Comodo PositiveSSL Multi-Domain Wildcard and Comodo Multi-Domain Wildcard SSL. Note that in this case, you can also purchase an ordinary multi-domain certificate, in which you simply specify the required subdomains.
- You can get an SSL certificate yourself: a pair of keys for this is obtained from any generator, for example, a free OpenSSL. Such secure communication channels can be easily used for internal company needs: for exchange between network devices or applications. However, for use on an external website, you must purchase an official certificate. In this case, browsers will not show messages about an insecure connection but will be calm for the data being sent.