In order for HTTPS traffic to be secure, we need to know that the Web site we are visiting is the one we think it is. Michael Kassner explains a new standard that will help all of us gain confidence in that regard.
In two previous articles "SSL/TLS Certificates: What You Need to Know" and "SSL/TLS Certificates: Perspectives Helps Authentication," I explained SSL/TLS certificates, why they are important to Internet users, and finally the inherent weaknesses of SSL/TLS certificates. Having spread enough gloom and doom, I'd now like to discuss what many consider the real answer to the privacy and security concerns associated with SSL/TLS.Existing SSL/TLS certificates
To recap, there are trusted (signed by a certificate authority (CA) and pre-installed on Web browsers) and untrusted (self-signed by Web site and not pre-installed on Web browsers) certificates. The difference being that untrusted certificates require the Internet user to make a decision on whether it's authentic or not, and that can be a problem.
There's also a problem with trusted SSL/TLS certificates. The signing CAs aren't required to use any specific process to authenticate entities that are asking the CAs to sign their SSL/TLS certificates. There are some, like VeriSign or Entrust, that try to be diligent, but it's not required. Therefore, even malicious entities can get a trusted signing CA to sign a SSL/TLS certificate.CA/Browser Forum
The signing CAs and Web browser developers decided something needed to be done, as Internet users need assurance that their on-line transactions are indeed private and secure. The result of this concern was the formation of a voluntary organization called Certification Authority Browser Forum (CA/Browser Forum).
Almost immediately, the forum members realized that they, the signing CAs, needed accountability. Therefore, the forum came up with the following requirements. Before a signing CA can join the forum, the CA must have a current and successful WebTrust for CAs audit, ETSI 102042 audit, or ETSI 101456 audit prepared by a qualified third-party source. After passing the audit, the forum allows the signing CA to become a member of the forum and place a seal of assurance on its Web site similar to the one shown below:
This guarantees that the signing CA is abiding by the forum's requirements. In what I consider a good move, the forum also insists the auditing is ongoing and occurs every six months. I feel it is important to point out this internal process because it's the starting point of a traceable "chain of trust." Let's move on to what the forum is trying to accomplish. The forum's two main goals are:
- To provide increased security for on-line transactions.
- Come up with an obvious method of displaying the increased security (unlike the existing small lock) on every Web browser.
With that in mind, the CA/Browser Forum developed the Extended Validation (EV) SSL/TLS Certificate standard. The following is the forum's definition of an EV certificate:
"The Extended Validation (EV) SSL Certificate standard is intended to provide an improved level of authentication of entities that request digital certificates for securing transactions on their Web sites. The next generation of Internet browsers will display EV SSL-secured Web sites in a way that allows visitors to instantly ascertain that a given site is indeed secure and can be trusted. A new vetting format, which all issuing Certification Authorities (CAs) must comply with, ensures a uniform standard for certificate issuance. Consequently, visitors to EV SSL-secured Web sites can trust that the organization that operates the site has undergone and passed the rigorous EV SSL authentication process as defined by the CA/Browser Forum."Thorough vetting
The information in the vetting process (per the CA/Browser Forum) is quite thorough, and some of the required components are listed below:
- The business entity must be a legally recognized entity whose formation included the filing of certain forms with the registration agency in its jurisdiction, the issuance or approval by such registration agency of a charter, certificate, or license, and the verification of the business entity's existence with that registration agency.
- The business entity must have a verifiable physical existence and business presence.
- At least one principal individual associated with the business entity must be identified and validated.
- The identified principal individual must attest to the representations made in the subscriber agreement.
- The business entity and the identified principal individual associated with the business entity must not be located or residing in any country where the CA is prohibited from doing business or where it has no jurisdiction to issue a certificate.
- The business entity and the identified principal individual associated with the business entity must not be listed on any government denial list or prohibited list (e.g., trade embargo) under the laws of the CA's jurisdiction.
One can see that the entity verification process is much more involved now. Heck, what am I saying, there wasn't a process before, so it's a huge improvement. The above requirements and questions also apply to private organizations and government entities.Actual EV certificate
Once an entity supplies the appropriate information and is approved by the signing CA, it receives a signed EV certificate. The requesting entity will then install the EV certificate on its Web server. Thereafter any Internet user requesting the entity's Web site will know that the site has a valid EV certificate, similar to what's shown below:
Internet users will have a greater level of confidence when visiting Web sites displaying the green URL, just from knowing the Web site is authentic and the SSL/TLS connection secure.Final thoughts
EV certificates may not be the "end all" answer, but they sure are an improvement over the other two options (trusted and self-signed). I just wish my bank and other important on-line transaction Web sites would start using EV certificates. Hopefully they will in the near future.