Choosing your ssl certificate V01

Tips to help you make the right choice concerning your SSL Certificates.

Transcript

  • 1. SSL Europa - 8 chemin des escargots - 18200 Orval - France - T: +33 (0)9 88 99 54 09
    Expert opinion: How to choose your SSL certificate?
    Date: 03/13/2014
  • 2. Summary
    1) What does the SSL certificate do? (slide 3)
       Certification Authority (slide 3)
    2) Use and implementation (slide 4)
    3) The different types of certificates (slide 5)
       Types of validation (slide 5)
       RGS* certificates (slide 5)
       « Wildcard » certificates and SAN (slide 5)
       SSL Unified Communication certificates (slide 6)
       The period of validity (slide 6)
       Key sizes (slide 6)
       The multi-domain certificates (slide 6)
       Self-signed certificates (slide 6)
    4) How to choose your SSL certificate? (slide 6)
       Dynamic seal (slide 7)
    5) How is it created? (for experts) (slide 7)
       Asymmetric cryptography (slide 7)
       Website authentication (slide 8)
       Encryption of data exchanges (slide 8)
    6) To conclude (slide 9)
  • 3. 1) What does the SSL certificate do?

    When you access a website, the data exchanged is not protected and can be intercepted. To encrypt the exchanges between the web browser and the website, the standard used by browser vendors and web servers is Secure Socket Layer (SSL), also called Transport Layer Security (TLS). Installing an SSL electronic certificate on the web server takes you from HTTP to HTTPS, the secure version, and the exchanges are encrypted. A padlock appears in the browser or the address bar and the address becomes https://www.siteweb.fr. Be careful: a padlock image displayed inside a web page has no value. So, if a website asks you for confidential information, or even a login and password, only enter it on websites that use an SSL certificate. If you own a website, make sure the https://www.siteweb.fr version does not have an invalid certificate, as is often the case.

    Certification Authority

    The electronic certificate also ensures that the owner of the domain name is identified. If you click on the padlock you can see the Certification Authority that issued the certificate and information about the certificate owner. Certification Authorities (CA) have signed a contract with the publishers of Internet browsers and agree to follow strict verification procedures before issuing an SSL certificate. Each Certification Authority is audited every year. The web browser trusts the Certification Authority, which issues SSL electronic certificates to organizations for domain names such as www.organisation.fr only after the required checks. The CA is the trusted third party.
  • 4. The Certification Authorities are gathered in the Certification Authority and Browser Forum, or CA/B Forum: https://www.cabforum.org/forum.html

    2) Use and implementation

    SSL certificates can be used for web servers, but also to encrypt VPNs or electronic messaging. To obtain an SSL certificate, you must first create the private key and the public key on the server. For this you can use commands such as those of OpenSSL, or the graphical interface of the server. Then you install the private key on the server and send the public key, as a certificate request, to the Certification Authority you have chosen. This Certification Authority performs the usual checks, which may include a Kbis (the French company registration extract) and a phone call, via the directory, to the person registered on the Kbis, depending on the type of certificate. The checks may take several days, so it is necessary to start them in advance.

    [Diagram: the CA as trusted third party between you on the web and the website: certificate request, website identification, encrypted exchanges]
  • 5. 3) The different types of certificates

    There are several types of certificates, distinguished by the level of verification carried out by the Certification Authority (CA) and by their validity.

    Types of validation

    Domain Validated (DV) certificates, for which the CA checks that the domain name belongs to its owner. It is the lowest level of security. It may be used for an intranet, for example, and it is delivered very quickly.

    Organization Validated (OV) certificates, for which the CA checks the existence of the organization that owns the domain name. It is the most used today and may be used for a non-commercial website.

    Extended Validation (EV) certificates, for which the CA checks the physical, legal and operational existence of the organization. It is the highest level of security and is used more and more. It has the advantage of displaying a green bar in the browser to reassure customers. E-commerce websites use these certificates.

    RGS* certificates

    The French Government established a standard named Référentiel Général de Sécurité and defined validation processes for SSL certificates for French public organizations. These are the certificates to use for public organizations. They are close to EV certificates.

    « Wildcard » certificates and SAN

    Certificates are valid for one or several domain names or subdomains, such as www.entreprise.fr, extranet.entreprise.fr and www.ecommerce.com, for example. The SSL certificate is said to be valid for a main domain name, such as www.entreprise.com, plus Subject Alternative Names (SAN), such as extranet.entreprise.fr. In some cases, organizations want a certificate that is valid for a domain name such as entreprise.fr and all its subdomains, such as extranet.entreprise.fr, intranet.entreprise.fr, ecommerce.entreprise.fr, etc. This allows subdomain names to be added without having to create a new SSL certificate. Wildcard certificates are not the most secure, because it is better to name explicitly the domain names and subdomains for which the certificate is valid. Wildcard certificates are available in OV and DV, but not in EV and RGS*.
  • 6. SSL Unified Communication certificates

    These certificates are identical to DV, OV and EV certificates. The name Unified Communication simply means that these certificates have been tested for electronic messaging and that the associated documentation is provided.

    The period of validity

    SSL certificates have a period of validity: the domain name may come to belong to someone else, the organization can evolve, etc. The periods of validity are 1 year, 2 years and 3 years, except for EV and RGS* certificates, for which the period is limited to 1 year or 2 years. Some suppliers of SSL certificates offer periods beyond 3 years, but such durations are rarely requested, for security and cost reasons.

    Key sizes

    The keys of SSL certificates used to be 1024 bits. Today, 1024-bit keys can be broken. Keys of SSL certificates are now 2048 bits, and some browsers no longer accept 1024-bit keys. We also recommend choosing 256-bit encryption algorithms and SHA-2.

    The multi-domain certificates

    Some companies offer cheap or free SSL certificates, packaged with other offers. Be careful: they are often multi-domain certificates shared between different clients, like an ID card for several people. For your security and your image, this is a practice to avoid.

    Self-signed certificates

    Self-signed certificates can be generated by yourself using OpenSSL commands. These certificates are not validated by a CA and are not recognized by Internet browsers, which display an error. Even for an intranet, it is more convenient to use an SSL certificate delivered by a CA; in that case, a DV certificate is sufficient.

    4) How to choose your SSL certificate?

    First, you must choose the type of SSL certificate you need. The CAs that deliver certificates also offer packages in which the organization and its domain names are validated in advance, with a web interface that lets you issue yourself the certificates included in this pre-validated list.
  • 7. When you buy an SSL certificate, you must choose the type of certificate you need and contact an SSL certificate dealer. It is very important to have good quality of service to assist you with the key extraction and the installation of the certificates, to advise you on which certificates to choose, and for the quality of the audit performed. The price of a 1-year certificate ranges from 100€ to 700€ depending on the type. The annual price decreases with the number of years, and also with the volume of certificates acquired. As with the cloud, you may be sensitive to where the CA is located and where the information about your organization is stored: choose a CA you trust. The delivery time will be between 1 day and 3 days depending on the type of certificate, counted from the moment you have gathered the documents needed for verification.

    Dynamic seal

    Some CAs offer a dynamic seal: “Secure by Keynectis” or “Norton Secure verified by Verisign”, for example. When the user clicks on the logo on your web page, information about the certificate is displayed in a new HTTPS window at the domain name of Keynectis.com or Verisign.com, for example.

    5) How is it created? (for experts)

    Asymmetric cryptography

    In 1975, Whitfield Diffie and Martin Hellman developed a mathematical algorithm in which the key used to encrypt a document can be different from the key used to decrypt it: one key encrypts and a different one decrypts. In a way, one key locks the safe and another one opens it. This technique was named asymmetric cryptography, as opposed to symmetric cryptography. With symmetric cryptography, the decryption process could be deduced from the encryption method; this is not the case with asymmetric cryptography. This discovery had a significant impact. Symmetric cryptography had major problems: it was necessary to share the encryption secret with the person who had to decrypt, and a different key was needed to communicate confidentially with each party, which required a long list of keys. This technique was not efficient in the digital world. Asymmetric cryptography was the new solution, because each person has a private key that nobody else knows and a public key that everybody knows and that can be freely exchanged.
  • 8. If we encrypt a message with the public key, only the person with the corresponding private key can decrypt it. It is no longer necessary for each person to keep a confidential set of symmetric keys, one for each partner with whom we want to communicate in an encrypted way.

    Website authentication

    The SSL certificate of a web server has two keys: a public key and a private key. The public key is communicated to all; the private key is confidential and kept only by the web server for a domain name. The web browser uses the public encryption key to encrypt a random message. Only the web server can decrypt this message and send it back, because it is the only one holding the private decryption key. The web browser can thus clearly identify the website.

    Encryption of data exchanges

    The web browser and the web server negotiate the highest encryption level they both support. The web browser sends a confidential symmetric encryption key, encrypted with the asymmetric public key of the web server. Only the web server can decrypt this symmetric session key. The web browser and the web server can then communicate in an encrypted and confidential way using the session key.

    [Diagram of the exchange: browser sends a random value (the slide's “hazard”); negotiation of the encryption algorithm; server sends its certificate and the signed random value; browser verifies the SSL certificate and the signature; browser generates an encryption key and encrypts the session key with the server public key; server decrypts the session key with its private key; the secret session key is shared.]
  • 9. 6) To conclude

    There are many types of certificates. The suppliers can help you with your choice and with the installation. According to Netcraft, the number of certificates used on the Internet reached 2 885 224 valid certificates in February 2014, with an average growth of 12 000 per month. This trend is accelerating, and SSL has become an essential technology for protecting websites.

    SSL Europa - 8 chemin des Escargots - 18200 Orval - France - www.ssl-europa.com
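The first step of slide 4 (create the key pair on the server and send the public key to the CA) combined with the named-domains advice of slide 5, as an added shell example using the OpenSSL command line; it is not code from the slides or from SSL Europa. It assumes the openssl tool is installed, writes into a directory you pass in, and uses the slides' illustration names (www.entreprise.fr, extranet.entreprise.fr, www.ecommerce.com); the organisation name in the request config is a placeholder.

```shell
#!/bin/sh
# Added example (not from the slides): 2048-bit RSA private key + certificate signing
# request (CSR) carrying the main name and the Subject Alternative Names, ready for a CA.
make_csr() {
  dir="$1"
  # Constructed OpenSSL request config: subject fields + SAN extension (prompt=no: no questions)
  cat > "$dir/csr.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C = FR
O = Entreprise
CN = www.entreprise.fr
[v3_req]
subjectAltName = DNS:www.entreprise.fr, DNS:extranet.entreprise.fr, DNS:www.ecommerce.com
EOF
  # 1. Private key, generated on the server and never sent anywhere (2048 bits, as recommended)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key" 2>/dev/null
  chmod 600 "$dir/server.key"
  # 2. CSR: contains the public key and the requested names, signed with the private key
  openssl req -new -key "$dir/server.key" -config "$dir/csr.cnf" -out "$dir/server.csr"
  # 3. Re-read what will be sent to the CA: self-signature, key size and names
  openssl req -in "$dir/server.csr" -noout -verify -text
}

# Key size declared in a CSR, e.g. 2048 (browsers no longer accept 1024-bit keys)
csr_key_bits() {
  openssl req -in "$1" -noout -text | grep -o 'Public-Key: ([0-9]* bit)' | grep -o '[0-9]*'
}

# SAN list of a CSR, e.g. DNS:www.entreprise.fr,DNS:extranet.entreprise.fr,DNS:www.ecommerce.com
csr_sans() {
  openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# Usage: make_csr /path/to/dir && csr_sans /path/to/dir/server.csr
```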
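The self-signed certificate of slide 6, followed by the three checks that slide recommends (2048-bit key, SHA-2 signature, and whether a verifier trusts the certificate), as an added shell example using OpenSSL; it is not code from the slides. It assumes openssl 1.1.1 or later (for -addext), a directory you pass in, and the intranet name from slide 5; trust is tested with openssl verify, which rejects a self-signed certificate for the same reason a browser does.

```shell
#!/bin/sh
# Added example (not from the slides): self-signed certificate + the checks a buyer should run.
make_self_signed() {
  dir="$1"
  # rsa:2048 and -sha256 give the key size and SHA-2 signature the slides recommend;
  # -x509 makes the request sign itself instead of going to a CA (test or intranet use only)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=FR/O=Entreprise/CN=intranet.entreprise.fr" \
    -addext "subjectAltName=DNS:intranet.entreprise.fr" \
    -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null
}

# Public key size of a certificate, e.g. 2048
cert_key_bits() {
  openssl x509 -in "$1" -noout -text | grep -o 'Public-Key: ([0-9]* bit)' | grep -o '[0-9]*'
}

# Algorithm the issuer used to sign the certificate, e.g. sha256WithRSAEncryption
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm' | awk '{print $3}'
}

# Exit 0 when certificate $1 chains to a certificate in bundle $2
cert_trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 when the certificate chains to the system trust store, which is what a browser checks.
# A self-signed certificate always fails here ("self signed certificate"): the browser error.
cert_trusted_by_system() {
  openssl verify "$1" >/dev/null 2>&1
}

# Human-readable summary of the three checks
cert_report() {
  crt="$1"; bits=$(cert_key_bits "$crt"); alg=$(cert_sig_alg "$crt")
  if [ "$bits" -ge 2048 ]; then echo "key: $bits bits (ok)"; else echo "key: $bits bits (too small)"; fi
  case "$alg" in
    sha256*|sha384*|sha512*) echo "signature: $alg (SHA-2, ok)" ;;
    *) echo "signature: $alg (not SHA-2, replace)" ;;
  esac
  if cert_trusted_by_system "$crt"; then echo "trust: system store"; else echo "trust: none (self-signed or unknown CA)"; fi
}
```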
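The exchange drawn on slide 8 (random value, signed reply, session key encrypted with the server's public key, then symmetric encryption of the traffic), replayed step by step with OpenSSL primitives as an added shell example; it is not code from the slides and illustrates the idea, not the real TLS handshake, which the TLS library performs for you. It assumes openssl 1.1.1 or later, a directory you pass in, and the slides' www.siteweb.fr name; the login message is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the slides): the slide 8 exchange replayed by hand.
# Prints the decrypted message on stdout when every step succeeds, returns 1 otherwise.
handshake_demo() {
  d="$1"
  # Server side, done once when the certificate is installed: private key + certificate
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=www.siteweb.fr" \
    -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
  # 1. Browser sends a random value (the diagram's "hazard", a 32-byte nonce)
  openssl rand -out "$d/nonce.bin" 32
  # 2. Server answers with its certificate and the nonce signed by its private key
  openssl dgst -sha256 -sign "$d/server.key" -out "$d/nonce.sig" "$d/nonce.bin"
  # 3. Browser takes the public key out of the certificate and checks the signature:
  #    only the holder of the private key could have produced it (website authentication)
  openssl x509 -in "$d/server.crt" -pubkey -noout > "$d/server.pub"
  openssl dgst -sha256 -verify "$d/server.pub" -signature "$d/nonce.sig" "$d/nonce.bin" >/dev/null || return 1
  # 4. Browser generates a symmetric session key and encrypts it with the server's public key
  openssl rand -hex 32 > "$d/session.key"
  openssl pkeyutl -encrypt -pubin -inkey "$d/server.pub" -in "$d/session.key" -out "$d/session.enc"
  # 5. Server decrypts it with its private key; nobody else on the path can
  openssl pkeyutl -decrypt -inkey "$d/server.key" -in "$d/session.enc" -out "$d/session.srv"
  cmp -s "$d/session.key" "$d/session.srv" || return 1
  # 6. From here on both sides encrypt the exchanges with the shared session key (AES-256)
  printf 'login=alice&password=secret' > "$d/msg.txt"   # constructed sample form data
  openssl enc -aes-256-cbc -pbkdf2 -pass file:"$d/session.key" -in "$d/msg.txt" -out "$d/msg.enc"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$d/session.srv" -in "$d/msg.enc"
}

# Why step 3 matters: alter the nonce and the stored signature no longer matches, so a
# server that only copied the certificate (but does not hold the private key) is rejected.
tampered_nonce_rejected() {
  d="$1"
  printf 'x' >> "$d/nonce.bin"
  ! openssl dgst -sha256 -verify "$d/server.pub" -signature "$d/nonce.sig" "$d/nonce.bin" >/dev/null 2>&1
}
```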