IT professionals are expected to know everything technical, which sets a very high bar, and mistakes can be costly. Increasingly, corporate IT is asked to be more involved with website security, which brings its own challenges and buzzwords. One crucially important area is Secure Sockets Layer (SSL) digital certificates, which authenticate websites’ identities and enable encrypted connections. The SSL/TLS protocol establishes an encrypted link between a website’s web server and the visitor’s browser. If organizations do not manage SSL certificates properly, online transactions and internal and customer information travel unencrypted.
IT’s Role with SSLs
Organizations vary as to who buys and manages SSL certificates for websites, and this variation can lead to confusion and mistakes. IT often requests the SSLs, but the person ordering the SSL may be from procurement, marketing/brand management, legal or IT. Ideally, SSLs are managed through one centralized group within the organization, rather than various IT professionals ordering certificates ad hoc, which can lead to security risks. Using a ticketing system or documented internal process ensures that SSL certificates are requested and purchased in an organized way.
IT is often involved with tracking SSL expiration notices to prevent lapses in certificate coverage. Organizations should set up a central distribution email address to which all expiration notices are sent, and this mailbox should be continuously monitored even as individual team members go on vacation, get promoted, or leave the company.
How SSLs Encrypt Data and Build Trust
SSL certificates serve two purposes. First, they encrypt whatever the user submits, so third parties cannot read the content in plain text while it is in transit. Second, SSLs provide trust. The SSL lock icon in the browser shows that the connection to the website is encrypted. Without an SSL and lock icon on the website, users are sending their raw text out into the ether to be intercepted by anyone.
IT professionals in charge of security for any consumer-facing website should consider having an SSL certificate, even if there is no place for users to type content. Even where no encryption is required, the company will want to look more professional and show consumers that it is trustworthy.
Rules and Regulations for SSLs
The Certificate Authorities and Browsers (CA/Browser or CAB) Forum determines the rules for SSLs. Organized in 2005, the CAB Forum is not a government agency. Instead, it is a voluntary group of global and regional certification authorities (CAs), vendors of internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL, Transport Layer Security (TLS), code signing, and Secure/Multipurpose Internet Mail Extensions (S/MIME).
Many CAB Forum regulations and requirements originate from Google and its Chrome browser, which dominate the browser world and have tremendous clout. Google is pushing innovation and wants to instill additional safeguards, such as SSL certificates being valid for an increasingly shorter period of time. Therefore, if hackers are trying to crack a certificate’s encryption, they have less time to attempt it. At present, a certificate’s maximum validity period is 396 days, but Google wants to shorten it further to thwart bad actors.
SSL Encryption and Validation
SSL certificates come in several validation levels. The three types of certificate validation are:
- Domain Vetted (DV) – basic level of validation, suitable to protect internal communications through an intranet/portal and VPN.
- Organization Vetted (OV) – moderate level of validation, appropriate for eCommerce sites.
- Extended Validation (EV) – highest level of validation, suitable for a bank or finance-related company.
Certificate authorities are held to a high standard by the CAB Forum and may lose their ability to issue certificates if they violate its rules or fail to meet minimum requirements.
Upholding The “Handshake of Trust”
The “handshake of trust” refers to authenticating that the responding server is the one to which the certificate was issued. This handshake starts from the root server that connects to the CAB Forum, then goes all the way to the organization’s server that houses the website. The handshake of trust works as follows:
- The browser or server tries to connect to a website’s web server secured with an SSL certificate
- Next, the browser/server asks the web server to identify itself
- The web server identifies itself by sending the browser/server its SSL certificate
- Finally, the browser/server verifies whether it trusts the SSL certificate
There is a private key behind this “handshake of trust” connection, which is kept on the company’s server. This private key should never be shared via email; it should only be stored on the server serving up the site. That chain is how the consumer’s browser knows the website is genuine: the site certificate links through intermediate certificates up to the trusted root, and every link must connect. IT may be put in charge of the certificates, which can include ordering, installing, managing the intermediate certificates that connect a site to the “handshake of trust”, and managing the expiry and replacement of each certificate.
In this dynamic era, SSL certificates change frequently and chains can be broken. The CAs are in the middle, and the path leads all the way to the CAB Forum, where those root servers connect with the browsers. Ensure that the SSL certificate connects at the proper points so the consumer’s experience is secure.
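The expiration tracking described under “IT’s Role with SSLs” and the verification step of the handshake above, as an added example that is not part of the original article: the script checks certificate records in the shape Python’s ssl module returns for expiry, over-long validity (using the article’s 396-day figure) and hostname coverage, and includes a live fetch that lets the default context verify the chain and name. The sample records and the NOW date are constructed, not real certificates.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample records (not real certificates), shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_CERTS = {
    "www.example.com": {"subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
                        "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Feb  1 00:00:00 2024 GMT"},
    "shop.example.com": {"subjectAltName": (("DNS", "*.example.com"),),
                         "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Dec 31 23:59:59 2024 GMT"},
}
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed "today" so the report is reproducible

def _utc(cert_time):
    """Parse a getpeercert() date such as 'Feb  1 00:00:00 2024 GMT' into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def covers_hostname(cert, hostname):
    """True if a SAN dNSName entry matches; browsers ignore the CN, so only SANs count.
    A wildcard matches one label: *.example.com covers shop.example.com, not a.b.example.com."""
    host = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind == "DNS" and (name == host or (name.startswith("*.")
                              and host.count(".") == name.count(".") and host.endswith(name[1:]))):
            return True
    return False

def check(hostname, cert, now, warn_days=30, max_validity=396):
    """Problems the central expiration mailbox should hear about for one site (empty list = fine)."""
    days = (_utc(cert["notAfter"]) - now).days  # whole days left; negative once the certificate lapsed
    problems = []
    if days < 0:
        problems.append("expired %d days ago" % -days)
    elif days <= warn_days:
        problems.append("expires in %d days" % days)
    if (_utc(cert["notAfter"]) - _utc(cert["notBefore"])).days > max_validity:
        problems.append("validity period exceeds %d days" % max_validity)
    if not covers_hostname(cert, hostname):
        problems.append("certificate does not cover %s" % hostname)
    return problems

def fetch_cert(hostname, port=443, timeout=5):
    """Live handshake (network needed): the default context rejects an untrusted chain or wrong name."""
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ssl.create_default_context().wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for host, cert in SAMPLE_CERTS.items(): print(host, check(host, cert, NOW) or ["ok"])
```

To check a real site, pass the result of fetch_cert(host) to check(host, ..., datetime.now(timezone.utc)); a failed handshake raises ssl.SSLCertVerificationError before any expiry arithmetic runs.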
Enlisting Help from Registrars
Registrars can provide tools and resources to help corporate IT and other departments with SSL offerings and domain registrations. For example, a company’s assigned Client Success Manager at the registrar can help validate SSLs and track down and solve related problems. IT professionals getting their feet wet in the domain/SSL arena can benefit from a registrar’s resources for requesting, ordering and managing SSLs.
Software products provided by registrars or independent tech suppliers can also help organizations to purchase, track and manage SSL certificates effectively. It’s extremely helpful to view all data points about the domain portfolio in one central interface, and to ensure that deadlines don’t get missed and sites don’t go unprotected due to expirations or security issues.
Conclusion
Many organizations already require their IT professionals to become well-versed in website SSLs, with others poised to follow suit. Understanding SSL certificates is a critically important part of security management and risk mitigation, and it has implications for legal, marketing and branding. With so much at stake, SSL certificates should be considered for integration into IT’s proverbial wheelhouse.