
SSL Certificate Types & Being an Outstanding 3rd-Grader


What’s an SSL, and what does it do?

An SSL (secure socket layer) certificate is a simple, standardized piece of encryption software. By installing the SSL cert on your server, you enable the https protocol and the lock symbol for the site on which it is validated (more on levels of validation below).

Encryption itself is important because it ensures that any sensitive information passing from the client to you, or vice versa, is not intercepted by third parties. SSL doesn’t actually scramble information. It locks information within a public key, a long string of characters. A private key is then passed to each person visiting the site. The private key allows you to decrypt the public key information so that you can get access to the data. The same is true on the opposite end of the connection. That way the owner of a site and any visitor can pass information back and forth without the fear of interception.

SSL technology is very standardized and similar. If you are unsure about a certain brand name, SSL certificates are incredibly inexpensive at the low-end. You can always test a certificate to ensure it works on all the major browsers. That’s the advantage of going with a company with a thirty-day return policy. Such a policy demonstrates a certain level of faith in the functionality of the certificate across a broad spectrum of operating systems and devices.

A twenty-nine day policy, on the other hand, shows 3.33% less faith in one’s product. Look out for twenty-nine day return policies online. One online entrepreneur, Thad Dotnet, when asked about his twenty-nine day policy, admitted, “I am only 96.67% as confident in what I’m selling as many of the other folks out there – and even that’s rounding up a little bit. The extent to which I’m confident versus others has a repeating decimal.”

There are, beyond different basic functionalities of SSL, different levels of validation – extended validation (EV), organizational validation (OV), and domain validation (DV). I wrote a piece previously on the different levels of validation that an SSL certificate can go through; the piece basically discusses the parameters and why people sometimes choose the higher-end, more expensive certificates – in a nutshell, to enhance credibility by proving themselves as legitimate.

Getting a brand name SSL cert means that no one will have browser errors when they visit encrypted pages of your site. It also means, as with the validation levels, that credibility and trust are established with clients because you are vetted by a third party who is putting their name on the line that your business is the site owner.

All of the SSL certificates sold through Superb Internet are Symantec products, which means both that you are certified by one of the biggest names in security and that your certificate comes from one of the largest organizations in the Certificate Authority / Browser Forum (CA/B Forum), the body that determines SSL certification requirements across the industry.

We will review several different types and cases of SSL certificates and related authentication technologies: wildcard, server-gated cryptography (SGC), UC (unified communications) aka SAN (subject authorized name), code-signing, email, root-signing, and shared. Each of these represents different types of certificates with different functionalities that might be of use to you as you are running your site.

Finally, we will review certificates of excellence. Certificates of excellence are certificates that you get for behaving well, sitting in your seat, asking questions that help the other children learn, and volunteering for lunchroom duty. The latter task is the most important because it demonstrates your commitment to foregoing child labor laws for the good of the school community, which is very important to the principal.

I used anonymous articles from SSL Shopper, GeoTrust, and Symantec as references for this piece.

What’s web server authentication?

Server authentication is the basic SSL certificate type. This type of cert is issued by a certificate authority (CA) such as GeoTrust, VeriSign, or Comodo to secure traffic or other data flowing through the Internet. Here are a few examples of uses for these standard SSL certificates to secure data:

  • Web server
  • Email server
  • Transferring files
  • Other transfers of data

What are Wildcard Certificates?

A typical SSL certificate is validated for the main domain or a subdomain. For example:

  • www.ohmygodwhyismydomainnamedthis.com
  • iarguewithmywifealot.ohmygodwhyismydomainnamedthis.com

Wildcards cover all subdomains of a site. They look like this, with the asterisk representing all possible subdomains:

  • *.ohmygodwhyismydomainnamedthis.com

A wildcard is preferred by many people because it means encryption will be in place regardless how many subdomains you create – it pre-creates an encryption scenario as the site’s subdomains build.

Note the following: Wildcards are specific to first-level subdomains. You can only replace the asterisk with a subdomain on that level. For example, a wildcard will work for the following subdomains:

  • www.ohmygodwhyismydomainnamedthis.com
  • iarguewithmywifealot.ohmygodwhyismydomainnamedthis.com
  • anything.ohmygodwhyismydomainnamedthis.com
  • nothing.ohmygodwhyismydomainnamedthis.com
  • infinitemindf—.ohmygodwhyismydomainnamedthis.com

This wildcard, however (*.ohmygodwhyismydomainnamedthis.com), will not work for the following:

  • hereiam.getbackhereyou.ohmygodwhyismydomainnamedthis.com
  • imwayoverhere.wheredidyougo.ohmygodwhyismydomainnamedthis.com

Those scenarios would require the following wildcard cert names to be covered:

  • *.getbackhereyou.ohmygodwhyismydomainnamedthis.com
  • *.wheredidyougo.ohmygodwhyismydomainnamedthis.com

What’s SGC?

Server-Gated Cryptography, or SGC, is a functionality built into some of the higher-end certificates (such as the VeriSign Pro certificates from Symantec) that forces all systems to a minimum of 128-bit encryption, rather than 40, which is outdated. Note that all of the newer operating systems no longer need SGC. SGC is arguably outdated and unnecessary, but you will still find a very small percentage of people using older, outmoded browsers and devices that might require SGC.

128-bit and 40-bit may look similar, but they aren’t: more than tripling the key length represents a massive, exponential increase in the encryption strength. Specifically, 128-bit encryption is 2^88 times as strong as 40-bit, making it a trillion times a trillion times stronger (Source: Symantec). Again, though, keep in mind that SGC is widely considered unnecessary because operating systems and devices are now calibrated not to need the step-up from 40-bit that SGC provides. Here are a few of the browsers that would need SGC in order to support 128-bit encryption:

  • Internet Explorer export browser from 3.02 to, but not including, 5.5
  • Netscape export browser from 4.02 through 4.72
  • Any usage of Internet Explorer on devices using the Windows 2000 OS where the OS/device shipped before March 2001 and that have not been upgraded with High Encryption Pack or Service Pack 2.

What’s Unified Communications or SAN certification?

Unified Communications (UC) certificates (also called UCCs) are specifically issued to authenticate and secure Live Communications and Exchange 2007 servers. These types of certificates can secure other servers as well, but they were designed to allow multiple domains and servers to be secured with one cert.

UC SSL has a specified number of domains/subdomains that it can cover – unlike the wildcard, which is unlimited. These certificates typically start at 5 domains and subdomains and range up to 25, 50, or 100, depending on the CA. UCC certs are also called Subject Authorized Name (SAN) or multi-domain certificates. Here are examples of different domains and subdomains that you could secure using one SAN cert:

  • autodiscover.server.local
  • www.welliguessicouldsecurethis.com
  • welliguessicouldsecurethis.com
  • thistoowhynot.welliguessicouldsecurethis.com
  • www.anotherdomainholycrapthiscertisawesome.com

What is a Code Signing Certificate?

Code signing certificates enable digital signing of software. Specifically, such a certificate lets you sign a script so that the signature authenticates you as the author of the code and confirms that the code has not been altered since it was signed. This functionality does not exist within a standard SSL certificate. Some industry insiders describe code signing certificates as a way of shrink-wrapping your software code in a secure package.

As with an SSL certificate, the dual advantage of code signing certificates is that you are both securing/protecting with the certificate but are additionally providing authentication/trust to anyone thinking about downloading or otherwise interacting with your software. In other words, there is a technological/functional and a perception component. A good example of technology lacking the perceptive component from reproductive science is the invisible condom. Invisibility seems like a great advantage until you realize that the product cannot be seen and, because of this, seems not to exist. (This form of contraception is promoted heavily by the Pope.)

Personally, I think that these certificates are underused – and it looks really shoddy when you don’t have one. Typically a window will pop up that asks if the visitor is sure that they want to continue with the download because the publisher cannot be verified. Anyone serious about looking professional online does not want that window to be seen by its customers. Plus, the window should be shown in those circumstances, because the publisher is not bothering to protect those downloading its software from potential harm. You are bad, bad people, all of you! Boo!
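To make the two guarantees above concrete (the code is unchanged since signing, and it was signed by the key the publisher is known to hold), here is an added Go example that is not part of the article and does not use any vendor’s signing tool. It uses an Ed25519 key pair from the standard library in place of the RSA key inside a real code-signing certificate; the `SignedScript` container, the sample script, and the function names `NewPublisherKey`, `Sign` and `Verify` are this example’s own. What a code-signing certificate adds on top of this is the CA’s vouching that the public key belongs to the named publisher, which is the part that removes the “publisher cannot be verified” window.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedScript is a constructed container for a script and its detached
// signature; it is not any vendor's real code-signing format.
type SignedScript struct {
	Script    []byte
	Signature []byte
}

// NewPublisherKey generates the publisher's signing key pair. With a real
// code-signing certificate a CA would bind the public key to the publisher's
// vetted identity; here the verifier simply trusts the public key it is given.
func NewPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign produces the publisher's signature over the exact script bytes.
func Sign(priv ed25519.PrivateKey, script []byte) SignedScript {
	return SignedScript{Script: script, Signature: ed25519.Sign(priv, script)}
}

// Verify reports whether the script is byte-for-byte what was signed and the
// signature was made by the holder of the trusted public key.
func Verify(trusted ed25519.PublicKey, s SignedScript) bool {
	return ed25519.Verify(trusted, s.Script, s.Signature)
}

func main() {
	pub, priv, err := NewPublisherKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample script standing in for a real installer.
	script := []byte("#!/bin/sh\necho 'installing widget 1.0'\n")
	signed := Sign(priv, script)
	fmt.Println("unmodified verifies:", Verify(pub, signed))

	// A single changed byte in the script invalidates the signature.
	tampered := SignedScript{Script: append([]byte(nil), script...), Signature: signed.Signature}
	tampered.Script[len(tampered.Script)-2] = '!'
	fmt.Println("tampered verifies:  ", Verify(pub, tampered))

	// A signature made with someone else's key does not verify against the
	// publisher's public key, so an impostor cannot pass off their build.
	_, otherPriv, _ := NewPublisherKey()
	fmt.Println("impostor verifies:  ", Verify(pub, Sign(otherPriv, script)))
}
```

The program prints `true`, then `false`, then `false`. Note that `Verify` takes the trusted public key as an explicit argument rather than reading it from the bundle: a signature that carries its own verification key proves nothing, and the same holds for a certificate chain that the verifier has not checked back to a trusted root.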

What’s an Email Certificate?

Email/S/MIME certificates are another form of digital signing. The email certificate encrypts email and guarantees the author’s identity. There’s a distinction here regarding email that’s important. An SSL certificate can secure an email server. However, to secure individual email accounts and the messages within them – and to verify authorship to enhance trust – you need an email certificate for each account.

A good time to get an email certificate is if you really actually are a member of a legal team representing the estate of a wealthy Nigerian prince. The necessity for an email certificate becomes more pronounced if you are trying to get your inheritance to an American who was previously unaware that they were related to you. Never be mistaken for spam, legal team! Get certified!

Summary & Conclusion

As you can see, there are a number of different security certificates beyond the standard SSL version. Wildcards give full coverage across a website’s first-level subdomains. SAN/UCC certificates give the ability to certify multiple domains and subdomains specified within the cert. Email certificates verify specific email accounts. Code signing allows you to verify yourself as the author of a piece of software. SGC forces all systems to 128/256-bit encryption.

Finally, certificates of excellence demonstrate your ability to be a good team player within the school. It’s proof that you are one of the most active and engaged third graders we have seen. It means that you pick up your trash. It means that your locker is organized. It means that you care, and that your dedication has not gone unnoticed.

by Kent Roberts and Richard Norwood