Tag Archives: Public key certificate

How to improve your ecommerce server security & love yourself – Part 3

 


This series is focused on developing the best possible security for an ecommerce server. We seek to go beyond industry standards such as PCI compliance. Perhaps needless to say, PCI-DSS parameters are extremely stringent and thorough because the credit card companies (Visa, MasterCard, etc.) have developed them. However, the density of these rules disallows a simple, step-by-step action plan. We are looking at basic steps we can take to strengthen security.

Servers must be secure, sure: we all know that. Another form of security must be remembered at all times though: security of the self. When we feel that the centers of our souls are disintegrating into tiny little wisps of nothingness, when we fear that the integrity of our entire lives and structural makeups is separating from us and forming new relationships with outside entities (gradually removing us from Earth), we must take action. Below, we will finalize our comments on that subject as well.

Up to this point we have discussed the following subjects: choice of hosting service, development of a security plan, SSL certificates, website backups, vulnerability scan software, monitoring and updates, selection of payment gateway, and the general issue of balance. Today, we will focus specifically on passwords.

How to improve your ecommerce server security & love yourself

 


Server security is one of the first things we should consider when we get ready to go into online business, and it’s a factor of the market that should be regularly reviewed. PCI compliance is one thing, but it’s a little obtuse and complicated when we’re taking initial steps to “harden” (enhance the protections of) the server.

Also we must love ourselves. Sometimes everything looks bright and sunny. Sometimes, it looks blue (that’s not a happy color). Sometimes it looks dreary and gray. When we start seeing colors that make us want to cry, we must grab all of our stuffed animals, line them up in a row, and have them sing the Hallelujah Chorus to us (don’t worry, all stuffed animals know it by heart).

We’ll look at a number of different issues in this series: SSL, perimeter security such as firewalls, passwords, site backups, policies, authorizations, etc.. Our general overview will cover the first two parts, and then the final part will focus specifically on passwords – the simplest form of protection but also the simplest, in some ways, to penetrate.

How to Install the Green Address Bar

With previous articles we explored the certification behind the website to get your website that trusted green web address bar. Whilst some people take some convincing to install this security certification onto their website, I think it actually improves your brand image to see a trusted green address bar.

EV SSL Certificates are Worth their Wait


From sslprotocolinfo.wordpress.com – Yesterday

Customers are learning the importance of web security and validation in e-Commerce. SSL Certificates go beyond encryption technology for businesses that participate in e-commerce…

Juliana Payson’s insight:

Because of the more stringent requirements, it is impossible to issue these certificates in minutes (as can be done for just a Domain Validation Certificate), but with an EV SSL Certificate a business gets the green address bar. This article goes on to describe how the stringent validation process is put in place, in order to provide the user a guarantee of genuine service and business identity.

How to Choose the Right and Best SSL Certificate Provider – 10 Easy Tips from TheSSLStore™


From edusslblog.wordpress.com – 1 week ago

With the number of online scams and frauds multiplying day by day, the need for SSL certificates to validate the credibility of a website is on the rise. And most eBusiness owners are well aware…

Juliana Payson’s insight:

A quality SSL certificate with the strongest encryption technology to build trust, boost confidence and increase conversions does not come at the cheapest price. As with taking the care to choose your webhost, TheSSLStore goes into an in-depth checklist of why “Googling” and trusting the relevant search results for “best” and “cheap” SSL certificates should always come with further diligence.

 

Install an SSL Certificate on a Domain



From docs.cpanel.net

You can use the Install an SSL Certificate on a Domain feature to install a certificate on your domain. Before you can use this feature, you must have a certificate already created or purchased, and an activation key…

Juliana Payson’s insight:

There are 3 ways to install a certificate on a domain:

  • You can use the Browse Certificates button to retrieve information,
  • You can enter the domain and have the interface fill in the fields automatically,
  • Or you can choose an IP address and have the interface fill in

Here is cPanel’s step by step documentation to help you install your SSL certification through your Web Hosting Management Panel.

– Juliana

A No-Nonsense Guide to EV (“Green Bar”) SSL … Plus Some Jokes

 


I used to work for an SSL certificate company. While I was there, I always had a little difficulty explaining to customers why Extended Validation (EV) SSL and the green address bar that accompanies it might be worth the extra cost. This article attempts to distill the industry standard so we can understand it without the hype. After all, when we seek information online about what EV is and what it entails in terms of security and credibility, most of what we find is sales pitches from SSL companies. This article will represent my best effort to provide no-nonsense information as an alternative.

Now, just so you know our potential bias upfront, at Superb, we do sell SSL certificates. We offer three different types, each from a Symantec subsidiary: RapidSSL, GeoTrust QuickSSL Premium, and GeoTrust True BusinessID with EV. All three types of certificates are tied to the Equifax root certificate. We sell each of them well below the prices set by the vendors, but many of our customers choose the RapidSSL because it’s so inexpensive … and also probably because it’s not quite clear why EV might be a wise choice.

To get our information, I am reviewing the details about SSL certificates presented by the CA/Browser Forum (CA/B Forum), an industry board that originally defined EV and continues to dictate how it is vetted and its basic appearance on the Web. The board includes representatives from all the major CAs (certification authorities) as well as all the major browser companies (including Microsoft, Apple, Google, and Mozilla). Essentially, the forum offers an across-the-board point of connection for the heavy hitters in the Web browser and SSL worlds.

What looking at the CA/B Forum allows us to do is get beyond what even the most trusted companies have to say about EV. Symantec, for instance, performed EV SSL case studies with its high-end certificates, the VeriSign brand, which is now called Norton Secured. These studies are honestly the most convincing I’ve seen because they’re documented in fairly thorough white papers and were conducted by outside entities, such as The Find, rather than internally.

Along with looking at the CA/B Forum, we will also look at perspectives from the Taxicab Forum. The Taxicab Forum, a group of cab drivers who get together to drink coffee, chain-smoke, and complain about marks, does not have a website and does not understand SSL certificates. However, its mission is similar (sort of) to the CA/B Forum: “to get marks securely and efficiently from point A to point B … or not.” That’s a little wishy-washy, guys.

What is SSL, For Real Though?

First, so we are all on the same page, let’s define exactly what we’re talking about: what is an SSL (Secure Sockets Layer) certificate or “cert” (and I’ll also get into why lower-end cert encryption can at times be less than ideal)? Well, for starters, it creates the lock symbol and converts all pages on which it is active from http to https. The CA/B Forum (https://www.cabforum.org/faq.html) further describes SSL as “a security protocol that operates between a browser and a Web site … [providing] confidentiality and data integrity by means of cryptographic techniques.”

Primarily, what an SSL certificate does as a piece of technology is provide encryption in an accepted, standardized format. SSL certs from legitimate companies all operate on similar algorithms. The other function it serves is third-party vetting and basic site ownership information, which creates a standardized sense of trust for users of sites. Bear in mind that vetting ranges enormously across the different types of SSL validation: RapidSSL only verifies the domain, for instance, while the GeoTrust EV certificate verifies site ownership as well (and that verification can be extensive, hence the name, as discussed below).

Finally, the integrity of the data is much less likely to be compromised when https is in place. Three kinds of tampering it guards against:

  1. ISP Tampering – Internet Service Providers are prevented from changing anything that passes between a user and a site.
  2. DNS Security – Meddling with DNS, such as cache poisoning, becomes less likely when SSL is in place.
  3. HTTP Security – Attacks on the http cache, such as http response splitting, are also prevented.

It makes sense that the SSL companies and browsers must act in concert. If the algorithm used by a company is determined to need improvement, the browsers will stop accepting it. Issues with algorithms can be a particular problem with the lower-end certificates, if history is any indication.

Mozilla, for instance, started disallowing older RapidSSL certificates on Firefox (showing a security error if they were left in place after a certain date) a couple of years ago because it determined there was a security loophole in some of the older certificates. The RapidSSL algorithm had already been upgraded to meet modern security standards, but some outmoded, multiple-year certificates still remained on several thousand sites. RapidSSL notified all of its customers and partners, and the company reissued updated certificates for free, so it wasn’t a huge problem. However, this is a great example of how SSL firms and the browsers must work in tandem to allow for the highest possible standards for https-enabled pages.

Taxicab Forum Comment:

“EV? Uh, that’s an electric vehicle, right? Oh, it’s a certificate. Yeah, you have to always keep your certification posted at all times, or you can get in trouble with the law. Hm? Internet security? Why are you asking me about this? You owe me $38.50. I’ve had the meter running while we’ve been talking.” – Keith Jones, Chaplain, Taxicab Forum

The CA/B Forum & EV Standards

Let’s look now at the primary standards for EV and then at why it might make sense for your organization. EV issuance and implementation protocol was developed by the CA/B forum along with committees from the American Bar Association and the Canadian Institute of Chartered Accountants. EV SSL certificates can only be issued to private associations and companies and to government branches. In other words, these types of certificates are not available for individual or sole proprietor purchase because the organization itself will be vetted via cross-checking of public records; additionally, executive leadership of the business must sign off on issuance and confirm a number of the company’s details.

The Parameters for EV

The parameters through which an EV is validated are different depending on the type of entity requesting the certificate. Just to get a basic sense, let’s look at how a business is validated:

  1. The company requesting the EV cert must exist within the records of a registration agency (typically a state government in the case of the United States).
  2. Physical location of the business must be verifiable (in other words, it must have a street address).
  3. Executive leadership at the company must be validated (so, in other words, not just the business itself but a real, live human must verify the request for the SSL).
  4. The executive must verify details of the request (also referred to as the subscriber agreement).
  5. The business can use a DBA (“doing business as”) name, but only if that DBA is verifiable as a part of the business. Note that in my experience, this aspect causes the greatest frustration for companies; because of this, you cannot choose what to call yourself. It’s all about what is verifiable in public records: your official name therein.
  6. Neither the company nor the executive may exist physically (via physical location or residence) in a nation in which the CA cannot legally issue a certificate.
  7. Neither the company nor the individual may be on a list of organizations disapproved by the government where the CA is principally located.

Taxicab Forum Comment:

“Security, yeah I know about security. That’s why I have a mace: not the spray kind of mace, but the kind you swing at people. I use it for the same purposes as they did back in the Middle Ages: to break through armor. You’re safe though, because you’re not wearing armor. I like people. I’m just anti-armor, that’s all.” – Lou-Anne Richardson, VP of Security, Taxicab Forum

Why EV Might Make Sense: Objectives

OK, now let’s discuss objectives. Here is why EV was created by the CA/B members:

  1. Site & User Security – Like all SSL, the EV allows a safer Web experience via use of virtual keys. Encryption scrambles all information in transfer.
  2. Business Validation – Confirmation of the business through private and public channels allows site users to know the physical location and legal existence of the site business and administration.
  3. Fraud Reduction – Fraud can be prevented in several ways via an EV SSL certificate:
     • Less likelihood of phishing occurring on enabled sites. Both the extensive validation procedures and presentation of the green address bar make it easier to know that the site is the legitimate one, not an impostor.
     • Easier for law enforcement to fight phishing and other types of online fraud (theft or “borrowing” of a website’s identity, essentially) by providing clearer details of what is “real” and “unreal” on the Web.

Taxicab Forum Comment:

“Well, I think I sort of understand what you mean. Green means go, so the green thing is supposed to tell people that it’s safe to proceed on the website. Well, here’s the thing: yellow also means go. In fact, in certain cases, red means go. And every so often, I come across a blinking blue light, and I just blow right through it. One time I drove off the end of a bridge because of that, but I hit the bank on the other side and just kept driving.” – Mike Wright, Assistant to the Ombudsman, Taxicab Forum

Conclusion

It’s obvious that EV SSL certificates help make a user feel more secure because of the green address bar. It’s a visual cue that even a child can understand. I will also say that the argument, “No one knows what that is,” which I’ve heard a lot, seems off-base. The whole idea is that you don’t necessarily need to know what it is: the green indicator, business name, and name of the issuing CA in the browser make it abundantly clear that the site is doing business in a responsible way, according to the browser and to the security company (e.g., Symantec).

Hopefully, though, this article has gone beyond the basics and been helpful in establishing details that go beyond what you might have already read or heard about EV SSL certificates. Now you can decide for yourself whether or not they are worth the added expense for your business and for the general online security movement. And a huge thanks to Mike, Lou-Anne, and Keith for your expertise and for not hitting me with the mace or driving me into a river. Sorry for the $1.50 tip, Keith.

by Kent Roberts and Richard Norwood

Choosing an SSL Certificate – Types of Validation

 


Secure Sockets Layer (SSL) encryption is a standardized and relatively simple piece of software from a technical standpoint. Typically with SSL, people slap an inexpensive certificate onto a site, partially because the longer forms of validation are annoying and tedious. Also, a web developer does not want to have to involve the client in the process, which is necessary for the more extensive validation methods.

However, understanding the different levels of validation can help in considering at what point an EV certificate makes sense for a site: where the tradeoff lies in terms of increased sales on an ecommerce site, for instance, assuming the green bar indicator is effective.

Certificate authorities also offer the red bar indicator, free of charge, for sites with expired certificates.

Domain Validation (DV) SSL

A domain validation (DV) SSL certificate is only validated via an email interaction. The certificate authority (CA), the brand behind the particular cert (e.g. Thawte, Comodo), sends out a verification email to one of the following addresses:

  • An address at the domain you are securing, such as info@, administrator@, etc.
  • The email address associated with the WHOIS record for the site (for example, longerversionofemailaddressforusewithwhois@thenaughtiestmailboxintheuniverse.xxx).

Domain validation, as its name suggests, only validates that you are the owner of the domain. It does not do any check on the business itself. Because company information is not checked, the certificate does not supply ownership information. DV certificates don’t have any identifying details in the “organization name” field of the certificate. This field usually either has the domain name listed again or says the business has not been identified.

Domain Validation SSL certificates are the cheapest certificate and only provide one of the two types of security: encryption to protect against theft of information in transit, but not confidence in the ownership of the site itself. One of the higher levels of validation ensures you are working with a business and that you know who you are giving your card information to, if you are making a payment, or who is receiving your personal credentials. In other words, DV certs provide encryption, but not trust/assurance or accountability (naming oneself as the entity officially behind the site).

Simple DV certificates do not give you a sense of who is behind the site, just that data won’t be intercepted. A higher quality EV certificate will say in the certificate Russian Mafia Internet Fraud Division, so you are confident you are sending all your sensitive details to the right organization, the people making payments to you on behalf of the Global Mega-Millions Lottery (in which you recently won $6 billion in one cash payment arriving at your door in four days).

The DV certificate is extremely quick – it’s usually automated. However, some members of the Certificate Authority/Browser Forum, or CAB Forum, would like to get rid of this level of validation. (The CAB Forum is worth checking out, by the way, regarding SSL guidelines. It’s the industry group that sets standardized parameters for the browsers and SSL issuers to uphold. They determine what the baseline requirements are for EV and DV, for instance.)

The Internet has always been a battle of speed and security. Getting rid of DV certification would be very simple, if the CAB Forum decided in favor of making the transition. They would just pull the plug on recognizing those certificates. Already, browsers do not recognize self-signed certificates as legitimate (though self-signed certs work fine for in-house purposes where the certs aren’t publicly facing).

It’s noteworthy that the hacking of various certificate authorities in recent years, with a number of fraudulent certificates issued for high-profile sites, has all been done via domain validation certificates. Comodo Hacker, for instance, famously used DV cert theft to further a political agenda. He hacked several CAs, causing the collapse of DigiNotar, which was securing Dutch governmental sites.

DV certificates can cost as little as $10 to $50 for a standard cert. Sometimes they are even issued for free for trial testing periods.

Organization Validation (OV) SSL

Organization validation means that the domain is checked but also that the organization is checked to ensure the business is legitimate. The company information is then available in the SSL certificate, so that there is no message that the owner of the site is unidentified. It says, for example, “Unidentified Company Name,” if that is the name of your company (weird name, dude).

OV certificates offer the same level of encryption but a heightened amount of confidence in the business that is receiving the details. Whereas DV certificates, as described above, only give confidence that no one will grab the data while it’s passing between your machine and the site, OV certificates provide more confidence in the site itself. What’s the point of protecting from theft in transit, after all, if the owner of the site is just going to misuse your data anyway?

OV certificates are checked both for the official name of your company (Pete’s Emporium of Candles Shaped Like Pinecones and Acorns) and its location (Room 746, Ritz-Carlton Hotel, Manhattan).

Rather than simply using automated vetting via email, the certificate authority manually checks ownership for each cert. The three basic aspects of vetting that go beyond DV certification are the following:

  1. Is the business real?
  2. Did the business buy the certificate (or have it bought on their behalf)?
  3. Is the person listed as requesting the cert authorized to receive certs on behalf of the business?

With OV and EV certificates, though many people don’t pay attention to ownership details, they have at least been vetted and are available for inspection prior to doing business or otherwise interacting with a website. Note that because the validation process is more stringent with an OV certificate, it can often take a few days to issue them. Again, much of what is popular about DV, by contrast, is their immediate issuance – typically within 10 minutes – though immediate issuance certainly does not agree with the concept of tight security.

OV certificates range in price but typically sell for $50 to $150. Many CAs and resellers don’t offer EV, so OV serves as the low-end option.

Extended Validation (EV) SSL

An extended validation certificate is the top-tier certificate. Extended Validation was the reason that the CAB Forum was organized in the first place. The CAB Forum wanted to find a way to make it more obvious to Internet users when a site could be trusted. Extended Validation, then, is designed so that any non-technical person viewing a browser can get an immediate sense who owns the site and whether it’s secure. The concept of these parameters was to enhance online consumer confidence through a standardized approach that all browsers and SSL companies could agree would work.

The information obtained by the Certificate Authority has to do with both the Organization and the Organizational Contact. The validation process is more extensive than with the OV certificate. Often EV, because it is so extensive, is incredibly frustrating for customers. Many, however, believe that EV is worth it in increased sales due to the confidence from customers and the sense of integrity that it inspires. EV, in other words, is used not just for its encryption but as a marketing tool to promote how much the business cares about those with whom it does business.

Extended Validation does not just show organization information in the certificate (OV). It actually shows it on the browser itself. If you look at IE or Firefox, for example, you’ll see the green address bar. Additionally, the name of the organization will toggle back and forth with the name of the certification authority (keep that in mind when choosing your brand, that you are choosing whether to have Go Daddy or Symantec toggling with your own company name). As another example, on an iPad or iPhone, it will show the name of your company in green with the lock symbol at the top of the screen.

You can sometimes use a DBA in the organization position as well – since it is so prominent, many companies want enhanced control of that language. Keep in mind, though, that parameters are very tight and that ultimately the CA itself cannot make those decisions. The industry board has strict guidelines for all its members.

Additionally, EV certificates are valuable for protection from mirror sites, used in phishing. The reason EV provides protection against phishing is that a site may be able to replicate the content of a webpage, but it will not be able to get the address bar to turn green and populate the company name.

The idea behind EV is that as they become more prevalent, Internet users get used to checking whether the green bar is there before completing a transaction. EV has not yet become so widespread that it’s unusual for a site not to have one, but we can at least be aware what sites that we use often have EV certificates. If we see the green when we visit, we should see it every time we enter our information. If not, we’re potentially in a dangerous situation.

EV certificates are of particular use for high-profile sites. The types of sites listed by the CAB Forum for which EV is the most important are major finance and retail sites. However, smaller sites may find that they pay off in increased transactions. I think it makes sense that, in terms of credibility, EV is much more valuable for a small site than it is for a large one. Amazon already has credibility. A small, less widely known site can easily promote its reputability with EV certification by a trusted name in security (Symantec, for example, has household status as a security name due to the Norton Anti-Virus line, so in that sense it can be used as a marketing tool beyond its technical purpose).

These certificates can cost anywhere from $100 to upwards of $1000.

Conclusion

Domain (DV), Organization (OV) and Extended (EV) Validation SSL certificates each offer different levels of security and credibility for your online business. Keep in mind as you decide that encryption is just one piece of SSL. The other piece is letting individuals visiting the site know that you are a legitimate business.

by Kent Roberts and Richard Norwood

SSL Certificate Types & Being an Outstanding 3rd-Grader



What’s an SSL, and what does it do?

An SSL (Secure Sockets Layer) certificate is a simple, standardized piece of encryption software. Installing the SSL cert on your server enables the https protocol and the lock symbol on the site for which it is validated (more on levels of validation below).

Encryption itself is important because that way any sensitive information that passes from the client to you, or vice versa, is not intercepted by third parties. SSL doesn’t actually scramble information. It locks information within a public key, a long string of characters. A private key is then passed to each person visiting the site. The private key allows you to decrypt the public key information so that you can get access to the data. The same is true on the opposite end of the connection. That way the owner of a site and any visitor can pass information back and forth without the fear of interception.

SSL technology is very standardized and similar. If you are unsure about a certain brand name, SSL certificates are incredibly inexpensive at the low-end. You can always test a certificate to ensure it works on all the major browsers. That’s the advantage of going with a company with a thirty-day return policy. Such a policy demonstrates a certain level of faith in the functionality of the certificate across a broad spectrum of operating systems and devices.

A twenty-nine day policy, on the other hand, shows 3.33% less faith in one’s product. Look out for twenty-nine day return policies online. One online entrepreneur, Thad Dotnet, when asked about his twenty-nine day policy, admitted, “I am only 96.67% as confident in what I’m selling as many of the other folks out there – and even that’s rounding up a little bit. The extent to which I’m confident versus others has a repeating decimal.”

There are, beyond different basic functionalities of SSL, different levels of validation – extended validation (EV), organizational validation (OV), and domain validation (DV). I wrote a piece previously on the different levels of validation that an SSL certificate can go through; the piece basically discusses the parameters and why people sometimes choose the higher-end, more expensive certificates – in a nutshell, to enhance credibility by proving themselves as legitimate.

Getting a brand name SSL cert means that no one will have browser errors when they visit encrypted pages of your site. It also means, as with the validation levels, that credibility and trust are established with clients because you are vetted by a third party who is putting their name on the line that your business is the site owner.

All of the SSL certificates sold through Superb Internet are Symantec products, which means both that you are certified by one of the biggest names in security and that you are certified by one of the largest organizations in the Certificate Authority / Browser Forum (CA/B Forum), which determines SSL certification requirements across the industry.

We will review several different types and cases of SSL certificates and related authentication technologies: wildcard, server-gated cryptography (SGC), UC (unified communications) aka SAN (subject alternative name), code-signing, email, root-signing, and shared. Each of these represents a different type of certificate with different functionality that might be of use to you as you are running your site.

Finally, we will review certificates of excellence. Certificates of excellence are certificates that you get for behaving well, sitting in your seat, asking questions that help the other children learn, and volunteering for lunchroom duty. The latter task is the most important because it demonstrates your commitment to foregoing child labor laws for the good of the school community, which is very important to the principal.

I used anonymous articles from SSL Shopper, GeoTrust, and Symantec as references for this piece.

What’s web server authentication?

Server authentication is the basic SSL certificate type. This type of cert is issued by a certificate authority (CA) such as GeoTrust, VeriSign, or Comodo to secure traffic or other data flowing through the Internet. Here are a few examples of uses for these standard SSL certificates to secure data:

  • Web server
  • Email server
  • Transferring files
  • Other transfers of data

What are Wildcard Certificates?

A typical SSL certificate is validated for the main domain or a subdomain. For example:

  • www.ohmygodwhyismydomainnamedthis.com
  • iarguewithmywifealot.ohmygodwhyismydomainnamedthis.com

Wildcards cover all subdomains of a site. They look like this, with the asterisk representing all possible subdomains:

  • *.ohmygodwhyismydomainnamedthis.com.

A wildcard is preferred by many people because encryption will be in place no matter how many subdomains you create later: the certificate already covers names that do not exist yet, so no new certificate is needed as the site grows.

Note the following: wildcards are specific to first-level subdomains. The asterisk stands for exactly one DNS label, so you can only replace it with a single name at that level. For example, a wildcard will work for the following subdomains:

  • www.ohmygodwhyismydomainnamedthis.com
  • iarguewithmywifealot.ohmygodwhyismydomainnamedthis.com
  • anything.ohmygodwhyismydomainnamedthis.com
  • nothing.ohmygodwhyismydomainnamedthis.com
  • infinitemindf—.ohmygodwhyismydomainnamedthis.com

This wildcard, however (*.ohmygodwhyismydomainnamedthis.com), will not work for the following:

  • hereiam.getbackhereyou.ohmygodwhyismydomainnamedthis.com
  • imwayoverhere.wheredidyougo.ohmygodwhyismydomainnamedthis.com

Those names would need their own wildcard certificates, or would have to be listed explicitly as subject alternative names in one certificate:

  • *.getbackhereyou.ohmygodwhyismydomainnamedthis.com
  • *.wheredidyougo.ohmygodwhyismydomainnamedthis.com

Note also that *.ohmygodwhyismydomainnamedthis.com does not match the bare domain ohmygodwhyismydomainnamedthis.com itself. Many CAs include the bare domain as an additional name in a wildcard certificate; check that yours does before relying on it.

What’s SGC?

Server-Gated Cryptography, or SGC, is a functionality built into some of the higher-end certificates (such as the VeriSign Pro certificates from Symantec) that lets browsers which would otherwise be limited to 40-bit "export" encryption step up to 128-bit. The 40-bit limit dates from US export restrictions on strong cryptography, which were lifted in 2000; browsers and operating systems released since then negotiate 128-bit or stronger encryption on their own and do not need SGC. SGC is therefore arguably outdated and unnecessary, but you may still find a very small percentage of visitors on old, outmoded browsers and devices that require it. The practical choice today is to disable export-grade and other weak cipher suites on the server itself, so that no client can negotiate 40-bit encryption at all; a browser old enough to need SGC then fails to connect instead of silently downgrading, which is the safer outcome for an ecommerce site.

128-bit and 40-bit may look similar, but they aren't: going from 40 to 128 bits more than triples the key length, and every added bit doubles the number of possible keys, so the strength grows exponentially. Specifically, the 128-bit key space is 2^88 times larger than the 40-bit one, which is about 3 × 10^26, or a few hundred trillion trillion times as many keys to try (Symantec rounds this to "a trillion times a trillion"). Again, though, keep in mind that SGC is widely considered unnecessary because modern operating systems and devices negotiate 128-bit encryption without the step-up that SGC provides. Here are a few of the browsers that would need SGC in order to support 128-bit encryption:

  • Internet Explorer export browser from 3.02 to, but not including, 5.5
  • Netscape export browser from 4.02 through 4.72
  • Any usage of Internet Explorer on devices using the Windows 2000 OS where the OS/device shipped before March 2001 and that have not been upgraded with High Encryption Pack or Service Pack 2.

What’s Unified Communications or SAN certification?

Unified Communications (UC) certificates (also called UCCs) were originally issued for Microsoft Live Communications Server and Exchange 2007, which need one certificate that is valid for several hostnames at once (for example the public mail hostname, the internal server name, and the autodiscover name). They can secure any other server as well; the point of the type is that multiple domains and hostnames are secured with one cert.

A UC certificate covers a fixed list of names, unlike the wildcard, which covers an unlimited number of names at one level. These certificates typically start at 5 names and range up to 25, 50, or 100, depending on the CA. UCC certs are also called Subject Alternative Name (SAN) or multi-domain certificates, after the certificate extension that holds the list of names; wildcards live in that same extension, and one certificate may combine a wildcard with explicit names. One caveat on the first entry below: since 2015 the CA/B Forum Baseline Requirements have barred publicly trusted CAs from issuing certificates for internal names that do not resolve in public DNS, such as .local hostnames, so a name like that now has to come from an internal CA or be replaced with a public hostname. Here are examples of different domains and subdomains that you could secure using one SAN cert:

  • autodiscover.server.local
  • www.welliguessicouldsecurethis.com
  • welliguessicouldsecurethis.com
  • thistoowhynot.welliguessicouldsecurethis.com
  • www.anotherdomainholycrapthiscertisawesome.com
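To make the wildcard rules and the SAN list concrete, here is an added example (not from the original post and not Superb Internet's or Symantec's code) that goes one step beyond the text by combining both in a single certificate: it generates a local self-signed certificate carrying a wildcard for the first domain plus the explicit names from the list above, then asks OpenSSL which hostnames the certificate is valid for. The hostnames are the article's own made-up examples; autodiscover.server.local is left out because a public CA would not issue a certificate for a .local name. It assumes only that the openssl command-line tool is installed; no CA is contacted, and the [req] config it writes is the same kind you would hand to "openssl req -new" to produce a CSR for a real multi-domain order.

```shell
#!/bin/sh
# Added example: exercise wildcard and SAN hostname matching with OpenSSL.
# Everything is generated locally; the domain names are the article's own
# invented examples and the certificate is self-signed, not CA-issued.
set -eu

WORK="${TMPDIR:-/tmp}/san-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Request config.  The subjectAltName line is exactly what goes into a CSR
# when ordering a multi-domain certificate; the CA copies the list into
# the issued certificate.
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no
[dn]
CN = welliguessicouldsecurethis.com
[v3_san]
subjectAltName = DNS:*.ohmygodwhyismydomainnamedthis.com, DNS:welliguessicouldsecurethis.com, DNS:www.welliguessicouldsecurethis.com, DNS:thistoowhynot.welliguessicouldsecurethis.com, DNS:www.anotherdomainholycrapthiscertisawesome.com
EOF

make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/san.cnf" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Print the DNS names the certificate actually carries.
san_names() {
    openssl x509 -in "$WORK/cert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Exit 0 when the certificate is valid for the hostname in $1.  OpenSSL's
# X509_check_host applies the RFC 6125 rules browsers use: a wildcard
# matches exactly one DNS label, only in the leftmost position, and never
# the bare domain.
covers() {
    openssl x509 -in "$WORK/cert.pem" -noout -checkhost "$1" 2>&1 \
        | grep -q 'does match certificate'
}

make_cert
echo "SAN: $(san_names)"
for host in www.ohmygodwhyismydomainnamedthis.com \
            anything.ohmygodwhyismydomainnamedthis.com \
            hereiam.getbackhereyou.ohmygodwhyismydomainnamedthis.com \
            ohmygodwhyismydomainnamedthis.com \
            www.anotherdomainholycrapthiscertisawesome.com \
            mail.welliguessicouldsecurethis.com; do
    if covers "$host"; then
        echo "valid for     $host"
    else
        echo "NOT valid for $host"
    fi
done
```

The two-level name and the bare domain are rejected for the reasons given above, and mail.welliguessicouldsecurethis.com is rejected because it is neither listed nor covered by a wildcard: a SAN certificate protects exactly the names you order, so add every hostname (mail, autodiscover, www and bare) before you buy rather than after the first browser warning.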

What is a Code Signing Certificate?

Code signing certificates enable digital signing of software: executables, installers, scripts, drivers and similar. The signature lets anyone who runs the code verify who signed it (the holder of the private key matching the certificate) and that the code has not been modified since it was signed; a single changed byte invalidates the signature. A standard SSL certificate is not usable for this: the two types carry different extended key usage values, and operating systems reject a web server certificate for code signing. Some industry insiders describe code signing certificates as a way of shrink-wrapping your software code in a secure package.

As with an SSL certificate, the dual advantage of code signing certificates is that you are both securing/protecting with the certificate but are additionally providing authentication/trust to anyone thinking about downloading or otherwise interacting with your software. In other words, there is a technological/functional and a perception component. A good example of technology lacking the perceptive component from reproductive science is the invisible condom. Invisibility seems like a great advantage until you realize that the product cannot be seen and, because of this, seems not to exist. (This form of contraception is promoted heavily by the Pope.)

Personally, I think that these certificates are underused – and it looks really shoddy when you don’t have one. Typically a window will pop up that asks if the visitor is sure that they want to continue with the download because the publisher cannot be verified. Anyone serious about looking professional online does not want that window to be seen by its customers. Plus, the window should be shown in those circumstances, because the publisher is not bothering to protect those downloading its software from potential harm. You are bad, bad people, all of you! Boo!
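What the signature actually guarantees is easy to check by hand. The following added example (not from the original post; the publisher key, the "installer" and the tampering are all constructed locally) uses OpenSSL to do what a code-signing tool does underneath: hash the file, sign the hash with the publisher's private key, and verify it with the public key that a real code-signing certificate would carry. It assumes only that the openssl command-line tool is installed. A real deployment uses the platform's signing tool and a CA-issued certificate, which is what lets the operating system show the publisher's verified name instead of merely "signature valid".

```shell
#!/bin/sh
# Added example: the sign / verify / tamper cycle behind code signing,
# done with raw OpenSSL primitives.  Key, file and publisher are all
# generated here; nothing is CA-issued.
set -eu

WORK="${TMPDIR:-/tmp}/codesign-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Publisher side: a signing key pair.  In a real code-signing certificate
# the public half is what the CA binds to the publisher's verified name.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/signer-key.pem" 2>/dev/null
openssl pkey -in "$WORK/signer-key.pem" -pubout -out "$WORK/signer-pub.pem"

# Something to ship (constructed sample; any file works, binaries included).
printf '#!/bin/sh\necho "installing product 1.0"\n' > "$WORK/installer.sh"

# Publisher side: detached signature over the SHA-256 digest of the file.
sign_file() {        # sign_file FILE SIGNATURE
    openssl dgst -sha256 -sign "$WORK/signer-key.pem" -out "$2" "$1"
}

# User side: exit 0 only if the signature was made over exactly this file
# by the holder of the private key matching signer-pub.pem.
verify_file() {      # verify_file FILE SIGNATURE
    openssl dgst -sha256 -verify "$WORK/signer-pub.pem" \
        -signature "$2" "$1" >/dev/null 2>&1
}

# Exit 0 when appending a single byte to the file is enough to break the
# signature, i.e. the "not corrupted since it was signed" guarantee holds.
tampering_detected() {
    cp "$WORK/installer.sh" "$WORK/tampered.sh"
    printf '#' >> "$WORK/tampered.sh"
    if verify_file "$WORK/tampered.sh" "$WORK/installer.sig"; then
        return 1
    fi
    return 0
}

sign_file "$WORK/installer.sh" "$WORK/installer.sig"
verify_file "$WORK/installer.sh" "$WORK/installer.sig" \
    && echo "original installer: signature OK"
tampering_detected && echo "tampered installer: signature rejected"
```

The part a bare key pair cannot give you is the name: anyone can generate signer-key.pem, so a verifier needs the public key wrapped in a certificate from a CA that checked who the publisher is. That is the difference between "this file is intact" and "this file is intact and really comes from the company it claims to".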

What’s an Email Certificate?

Email (S/MIME) certificates are another form of digital signing. An email certificate lets your mail client sign outgoing messages, so recipients can verify the sender and detect any change to the message, and lets other people encrypt messages to your address, so that only the holder of your private key can read them. There's a distinction here regarding email that's important. An SSL certificate on the mail server encrypts the connection between the client and the server (and between servers), but the message itself is stored and forwarded in the clear at every hop. To protect individual messages end to end, and to verify authorship to enhance trust, you need an email certificate for each account; the other side also needs a copy of your certificate (your public key) before they can encrypt to you or check your signature.

A good time to get an email certificate is if you really actually are a member of a legal team representing the estate of a wealthy Nigerian prince. The necessity for an email certificate becomes more pronounced if you are trying to get your inheritance to an American who was previously unaware that they were related to you. Never be mistaken for spam, legal team! Get certified!
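Signing and encrypting are separate operations that use the certificate in opposite directions, which the following added example (not from the original post) shows with OpenSSL's S/MIME (CMS) commands. Alice's certificate, a second key that stands in for someone without her private key, and the message are all constructed here; a real S/MIME certificate would be issued by a CA after it verified control of the mailbox, and the mail client would perform these steps for you. It assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: S/MIME signing and encryption with OpenSSL's cms command.
# Certificate, keys and message are all constructed locally.
set -eu

WORK="${TMPDIR:-/tmp}/smime-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Alice's certificate.  An S/MIME certificate binds the mailbox address
# (placed in the SAN, copied from the DN here) and carries the
# emailProtection extended key usage; a web server certificate has neither.
cat > "$WORK/smime.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = smime
prompt             = no
[dn]
CN           = Alice Example
emailAddress = alice@welliguessicouldsecurethis.com
[smime]
subjectAltName   = email:copy
extendedKeyUsage = emailProtection
EOF
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$WORK/smime.cnf" \
    -keyout "$WORK/alice-key.pem" -out "$WORK/alice-cert.pem" 2>/dev/null

# A second key that is NOT Alice's, to show that her certificate alone
# does not let anyone else read mail encrypted to her.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other-key.pem" 2>/dev/null

printf 'Invoice 42 is approved for payment.\n' > "$WORK/msg.txt"

# Alice signs with her PRIVATE key; her certificate travels with the message.
sign_message() {     # sign_message IN OUT
    openssl cms -sign -binary -nodetach -in "$1" -out "$2" \
        -signer "$WORK/alice-cert.pem" -inkey "$WORK/alice-key.pem"
}

# Recipient checks the signature and the signer certificate's chain.
# -CAfile is the trust anchor: here the self-signed cert itself, in real
# mail the CA's root.  Exit 0 only if both checks pass; OUT receives the
# original content and signer.pem the certificate that signed it.
verify_message() {   # verify_message IN OUT
    openssl cms -verify -binary -in "$1" -out "$2" \
        -CAfile "$WORK/alice-cert.pem" -signer "$WORK/signer.pem" 2>/dev/null
}

# Anyone encrypts TO Alice using only her certificate (public key).
encrypt_message() {  # encrypt_message IN OUT
    openssl cms -encrypt -binary -aes256 -in "$1" -out "$2" "$WORK/alice-cert.pem"
}

# Decryption needs the private key given as $2; only Alice's works.
decrypt_message() {  # decrypt_message IN KEY OUT
    openssl cms -decrypt -binary -in "$1" -inkey "$2" -out "$3" 2>/dev/null
}

sign_message "$WORK/msg.txt" "$WORK/msg.signed"
verify_message "$WORK/msg.signed" "$WORK/msg.verified" \
    && echo "signature OK, $(openssl x509 -in "$WORK/signer.pem" -noout -subject)"

encrypt_message "$WORK/msg.txt" "$WORK/msg.enc"
decrypt_message "$WORK/msg.enc" "$WORK/alice-key.pem" "$WORK/msg.dec"
cmp -s "$WORK/msg.txt" "$WORK/msg.dec" && echo "Alice's key decrypts the message"
if decrypt_message "$WORK/msg.enc" "$WORK/other-key.pem" "$WORK/msg.wrong" \
   && cmp -s "$WORK/msg.txt" "$WORK/msg.wrong"; then
    echo "unexpected: other key decrypted the message"
else
    echo "other key cannot decrypt the message"
fi
```

Note the asymmetry: signing needs Alice's private key and anyone can verify with her certificate, while encrypting needs only her certificate and only her private key can decrypt. That is why each mailbox needs its own certificate, and why the server's SSL certificate, whose private key sits on the mail server, cannot do either job for an individual user.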

Summary & Conclusion

As you can see, there are a number of different security certificates beyond the standard SSL version. Wildcards cover every subdomain at one level of a domain. SAN/UCC certificates cover the fixed list of domains and hostnames named within the cert. Email certificates sign and encrypt mail for specific email accounts. Code signing lets you prove that a piece of software came from you and has not been altered. SGC let export-restricted legacy browsers step up from 40-bit to 128-bit encryption, a job now done by simply not offering weak cipher suites.

Finally, certificates of excellence demonstrate your ability to be a good team player within the school. It’s proof that you are one of the most active and engaged third graders we have seen. It means that you pick up your trash. It means that your locker is organized. It means that you care, and that your dedication has not gone unnoticed.

by Kent Roberts and Richard Norwood