In a report that stunned a lot of people in March, 2011, Comodo, a well-regarded Certification Authority announced that they had issued nine fraudulent digital certificates. The certificates were signed without sufficient validation and although they have been revoked and are listed in Comodo’s Certificate Revocation List (CRL), they could be used to spoof content, engage in phishing attacks, or set up man-in-the-middle attacks.
The certificates were for important web addresses, including log-ins of trusted and broadly used companies. They are:
- “Global Trustee”
- Google.com—mail.google.com and www.google.com
- Live.com— login.live.com
- Mozilla.org—addons.mozilla.org
- Skype.com—login.skype.com
- Yahoo.com—login.yahoo.com (three certificates)
Browsers have issued updates to protect customers and block the use of these certificates, nevertheless, this incident highlights the critical nature of the validation checking that Certification Authorities carry out and points to several qualities that one should seek in an SSL Certificate provider.
Choosing an SSL Certificate Provider
Reputation
Of course you’re going to think about cost when you’re considering SSL Certificate providers, but there are other factors that loom large for the success of your business. The SSL certificate provider you choose not only provides your certificate but also their brand on your site is a signal to your customers of the care you are taking with their personal data, one of the factors that may influence their choice to trust you with their credit card information . . . or not. Right now, although Comodo is typically listed among the top ten Certificate Authorities, a Comodo certificate has probably fallen in value in the eyes of customers. Reputation is part of what you’re purchasing with an SSL Certificate.
Certificate Authorities that are consistently listed among the top names for trust include:
- GeoTrust
- GoDaddy
- Network Solutions
- Thawte
- VeriSign
GeoTrust and RapidSSL, their reseller, turn up on some lists, but—at one time—Opera browsers did not recognize their certificate, and that’s not something you need to deal with. Although this is no longer true, the articles mentioning it are still floating around cyberspace, so here’s a tip: if you want to check SSL Certificate compatibility for a particular Certification Authority, you will probably find a page on their website that provides a full list of system compatibility. GeoTrust’s is here: http://www.geotrust.com/support/system-compatibility/ and you can see that they are compatible with Opera as well as Internet Explorer, Netscape, Mozilla Firefox, AOL, and Safari, as well as some less mainstream web browsers and a range of micro browsers.
InstantSSL is another name under which Comodo runs its SSL Certificate business. Of the listed CA’s, VeriSign is the oldest, Thawte is the second oldest, and VeriSign and Thawte are probably the most well-recognized and possibly have the highest degree of trust.
But . . .
Types
VeriSign and Thawte are characteristically not the cheapest. But you shouldn’t look at reputation and other factors without also considering the levels and types of SSL Certificate the providers offer. SSL Certificates are classified in similar ways to web hosting as free SSL certificates, shared certificates and dedicated certificates. Free certificates are either provided as part of a hosting package with no charge or to applicants who meet certain qualifications.
Shared SSL Certificates may not be as secure as dedicated SSL Certificates. If you use a Shared Certificate, make sure that the capability to move to a private/dedicated certificate without problem is available. Shared certificates may be “wild card” Certificates for which each covered website must operate on a subdomain of the web host providing the certificate. Standard certificates that are shared, it is possible for each user to have a defined directory path through which to upload secured page.
Dedicated SSL Certificates are characteristically provided free of charge with dedicated hosting and is connected to the customer’s domain name, not the web host’s domain name, as it is in Shared Certificates.
Validation
The other aspect of SSL Certificates to consider is the type of validation, and not all Certificate Authorities provide the same level of validation at the same cost. There are three levels of validation:
- In Domain Validation, the Certification Authority matches the applicant’s information to the WHOIS database.
- In Organizational Validation, the physical and web address of the business applying for the SSL Certificate are both checked for accuracy by the Certification Authority.
- In Extended Validation, the Certification Authority provides an even more rigorous check of the applicant, and—if the business passes the validation—provides the business with the right to display the green color-coded address bar as a sign of its security.
Sources
http://www.microsoft.com/technet/security/advisory/2524375.mspx
http://www.networksolutions.com/education/choosing-an-ssl-certificate-for-website-security/
http://www.globalsign.com/ssl-information-center/what-are-the-types-of-ssl-certificate.html