Blogs

    Publish
     
      • Mitä kuluttajan tulisi tietää SSL-varmenteista

        Mar 29 2018, 8:40 PM

        by Jeff Barto 0

        eBusiness Green Bar 400x210.jpg

        1994 tehtiin ensimmäinen verkko-ostos: iso pepperonipizza herkkusienillä ja extrajuustolla, Pizza Hutista. Seuraavien 20 vuoden aikana verkkokauppatalous on ollut vilkasta ja 2013 myynti ylitti 1,2 biljoonaa Yhdysvaltain dollaria.

        Verkkokaupankäynnin kasvu perustuu luottamukseen. Kuluttajat luottavat sivustojen pitävän kirjaa rahavirrasta, ja että ostosten tekeminen on turvallista ja laillista suurimmaksi osaksi Secure Socket Layer (SSL) –varmenteiden ansiosta, joka tunnetaan myös pienenä vihreänä lukkona osoitekentässä.

        SSL-varmenteet varmistavat, että toimittaja on se, kenen he väittävät olevansa. Se osoittaa myös, että yhteys kuluttajan laitteiden ja yrityksen verkkosivujen välillä on turvallinen. SSL-varmenteiden toiminnallisuuden ymmärtäminen on tärkeää välttääkseen huijarien ansaan joutumisen. Sillä loppupeleissä kaikki sivustot – tai SSL-varmenteet – eivät ole luotu tasavertaisiksi.

        Erilaiset varmennetyypit

        Verkkosivustojen omistajat ostavat SSL-varmenteet varmentajalta (Certification Authority, CA). On olemassa kolmen tyyppisiä SSL-varmenteita, joista jokainen tarjoaa eri tasoisen suojan. Ongelma piilee siinä, että vaikka kaikki varmenteet tarjoavat selaimen osoitekenttään tutun turvalukon yhdessä HTTPS-yhteyden (”S” viittaa englannin turvattu-sanaan, ”secure”) kanssa, turvatasot vaihtelevat suurestikin. Tämän vuoksi on tärkeää ymmärtää millaista SSL-varmennetta sivusto käyttää ennen, rahallisen liiketoimen harjoittamista tai ylipäätään mitään, johon liittyy henkilökotaiset käyttäjätiedot.

        • Domain validated eli domainvarmennettu (DV):  Tämä vahvistaa sivuston omistajan. Prosessi on yksinkertainen, jossa varmentaja eli CA toimittaa sähköpostin siihen sähköpostiosoitteeseen, jolla sivusto on rekisteröity identiteetin vahvistaakseen. Yrityksestä itsestään ei vaadita tietoja. Verkkorikolliset käyttävät yleensä DV-varmenteita, koska ne on helppo hankkia ja sen avulla sivustosta saa turvallisemman kuvitelman kuin onkaan.  Huijarit saattavat käyttää DV-varmenteita houkutelleksaan kuluttajia tietojenkalastelusivustoille, jotka näyttävät aidoilta tai kopioidakseen jonkun sivuston näyttämään tunnetulta sivustolta, mutta jonka tarkoitus on varastaa henkilökohtaisia tietoja.
        • Organizationally validated eli yritysvarmennettu (OV): Saadakseen OV-varmenteen varmentajan on varmennettava tiettyjä tietoja, kuten yrityksen olemassaolon yritysrekisteristä, sen fyysisen sijainnin ja verkkosivuston omistajan. Prosessi kestää yleensä muutaman päivän.
        • Extended validation (EV): Tällä varmenteella on korkein suojaustaso ja se on helpoiten havaittavissa. Myöntääkseen EV-varmenteen varmentaja suorittaa hakijasta tehostetun tarkistusprosessin kasvattaakseen yrityksen luottamusta. Tarkistusprosessissa käydään läpi yrityksen asiakirjat, varmennetta hakevan henkilön identiteetin tarkistus ja tietojen tarkistus kolmannen osapuolen tietokannasta. Turvalukon ja HTTPS:n lisäksi EV-varmenteella suojattu sivusto muuttaa osoitekentässä olevan yrityksen nimen vihreäksi.

        Huomaatko eron?

        norton-communiy.png

        Viimeisin osoite on selvästi suojattu EV-varmenteella. Ensimmäinen on DV-varmenne ja keskimmäinen OV-varmenne, jotka näyttävät verrattaessa identtisiltä.

        Mitä voi tehdä pysyäkseen turvassa?

        Nyt kun tiedetään mikä SSL-varmenne on ja sen kolme eri tyyppiä, ja että DV-varmenteella suojattu sivusto on huijatuksi tulemisen riskialueella, kuinka käyttäjät voivat pienentää riskiä shoppaillessaan ja naputellessaan muuta kriittistä tietoa verkossa?

        1. Ole varuillasi! Vaikka sivustolla olisi turvalukko tai osoiterivin alussa “https” ei tee sivustoa turvalliseksi rahaliikenteelle. Käyttäjät ovat oppineet etsimään näitä kahta ennen tapahtuman läpiviemistä ja juuri tästä syystä verkkorikolliset näkevät vaivan hankkia SSL-varmenteen – näyttääkseen aidolta sivustolta.
        2. Opettele erottamaan, mitä varmennetyyppiä sivusto käyttää. Etsi ensimmäiseksi visuaalisia vihjeitä, kuten lukkosymbolia ja osoitekentän vihreää väriä. Ainoastaan EV-varmennetut sivustot ilmoittavat yrityksen nimen osoitekentässä. Selaimet eivät osaa erottaa DV-varmennetta OV-varmenteesta. Norton on luonut ilmaisen työkalun (https://safeweb.norton.com/) varmenteiden erottamiseksi. Kopioi verkkosivun osoite suoraan työkalun kenttään ja se kertoo, mitä varmennetyyppiä sivusto käyttää ja kuinka turvallinen sivusto on kyseessä.
        3. Asioi ainoastaan OV- ja EV-varmenteilla suojatuilla sivustoilla. DV-varmenteille on aikansa ja paikkansa, mutta niitä ei tulisi käyttää kaupallisilla sivustoilla. Jos käyt testaamassa osoitteen Nortonin työkalulla ((https://safeweb.norton.com/) ja tuloksena on DV-varmenne, mieti kahdesti ennen kuin asioit pidemmälle kyseisellä sivulla. Jos kyseessä on OV- tai EV-varmennettu sivusto tiedät, että yrityksen tiedot ovat tarkistettu.

        Verkkoshoppailu ei ole katoamassa mihinkään. Niin kauan kun ala ei vaadi OV- ja EV-varmenteiden käyttöä kuluttajien on kannettava kortensa kekoon riskien minimoimiseksi verkossa.  Kun riskit on tiedossa, kuluttajat jäävät mitä pienemmällä todennäköisyydellä tietojenkalastelijoiden ansaan.

        Lisätietoja SSL-varmenteista löytyy hiljattain julkaistusta Symantec whitepaperista (https://www.symantec-wss.com/us/ecommerce-security#.VSfVctW3dYZ) tai vierailemalla Trust Services (https://www.symantec.com/ssl-certificates/) –sivustollamme.

        Alkuperäinen teksti: https://community.norton.com/en/blogs/norton-protection-blog/ssl-certificates-what-consumers-need-know

        • Products
        • website security solutions
        • DigiCert SSL TLS Certificates
        • Products and Solutions
        • Symantec Website Security
      • Microsoft’s launch of Certificate Reputation

        Apr 17 2015, 9:51 PM

        by Dean Coclin 0

        A few weeks ago, Microsoft launched a new addition to their Bing Webmaster Tools which allows website operators to monitor their web domains to help insure there are no improperly issued SSL certificates.

        This is a great benefit to those owners because:

        1. It’s easy to use and Microsoft monitors this for free

        2. The Certificate Authorities do not need to do anything special. Certificates are automatically monitored by Microsoft

        3. It’s integrated into the Bing Webmaster toolset. There is no need to sign up separately for the service

        4. It works for all types of SSL certificates, not just EV

        However, there are a few limitations today:

        1. This is currently a “preview” and only collects data from users on Windows 10 which itself is currently only in a preview release. Hence the data is limited. However, this will improve with the formal release of Windows 10.

        2. The data that Microsoft is gathering is not made public which prevents the public at large from also seeing the certificates. However, the need being addressed is that of website owners.

        More details are in this Microsoft blog.

        Trust continues to be enhanced in the Browser/Certificate Authority ecosystem (as discussed in this prior blog) and Certificate Reputation is another tool (along with Certificate Authority Authorization-CAA, Certificate Transparency-CT, and Public Key Pinning) along this path.

        • Products
        • Symantec Enterprise Security
        • Thought Leadership
        • Symantec Website Security
        • SSL
        • Identity and Authentication Services
        • DigiCert Code Signing
        • certificates
        • Security Community Blog
      • DV SSL Certificates and Ecommerce don't mix

        Mar 29 2018, 10:31 PM

        by Dean Coclin 0

        Symantec’s just released Internet Security Threat Report shows that cybercriminals have been busier than ever. And social engineered attacks are one vector that continue to see growth due to the likelihood of success. Although the attacks come in different forms, one approach fools unsuspecting users to click a link which takes them to a “look-a-like” website. That imitation site is typically a highly-phished domain, (i.e. Apple ID or a popular bank or credit card site). But now, to prove their legitimacy, phishers obtain Domain Validated (DV) SSL certificates because they know that consumers have been trained to look for the padlock or “https” in the browser URL window. The appearance of this lock further legitimizes the attack and tricks consumers into disclosing their credentials or banking/credit card details.

        There are three types of SSL certificates, each requiring a different level of authentication: DV, OV and EV. Understanding the differences among each SSL certificate type is important to help prevent falling victim to scammers. For example, DV certificates are quick and easy to procure and don’t require any type of information indicating the person trying to get the DV certificate actually represents a legitimate business. Fraudsters often use DV certificates to lure consumers to phishing websites that look authentic but are designed to steal sensitive information. For this reason, doing any type of ecommerce transaction on a DV-only site poses risk. While there are appropriate use cases for DV certificates, it’s important to know how cybercriminals are taking advantage of DV certificates to conduct phishing scams and how to protect against these types of cybercriminal attacks.

        Online shopping isn’t going away. Until the industry requires an OV or EV certificate for e-commerce sites or an easier way to identify the types of certificates, consumers will have to bear some of the burden of combatting cyber risks. Knowing the risks ahead of time, however, is half the battle. 

        • Products
        • Public Key Infrastructure (PKI)
        • Symantec Enterprise Security
        • Thought Leadership
        • SSL
        • Identity and Authentication Services
        • DigiCert SSL TLS Certificates
        • Security Community Blog
      • How the Private and Public Key Pair Works

        Oct 20 2017, 8:30 PM

        by Charlotte Pommier 0

        Did you know this month was “couple appreciation month”? Let’s use this as an opportunity to explain in simple words how the security of an online transaction relies on a happy, inseparable couple: a public key and a private key.

        Public keys and private keys are part of a general structure we call PKI – Public Key Infrastructure. The SSL and TLS protocols, which are globally used to secure not only websites, but also emails and web applications, are based on this structure. So we might as well say that there are thousands and thousands of public and private keys in operation right now around the world!

        Keys are used in algorithms to encrypt and decrypt data. You may think the same key is used to encrypt and decrypt, but there’s a twist: there are algorithms in this world which are able to encrypt data with one key… and decrypt it only with the help of another key! Magical, isn’t it? (For those who don’t believe in magic, you can read more about trapdoor functions here). In the case of SSL, one key – the public key - is used to encrypt data; only the corresponding private key can decrypt it. What a lovely (and useful) couple.

        Couple_Appreciation_1.png

        In the SSL protocol, public keys and private keys are generated by servers. The private key remains locked and secure in the server, while the public key is pinned to the server’s SSL certificate. Whenever a browser connects to the server, the server sends its SSL certificate which contains the public key. The browser can then use this public key to encrypt data and send it to the server, which is now the only one able to decrypt such data thanks to its private key.

        Both keys are inseparable, and of course each pair is unique: the public key belongs to its corresponding private key and only to this one.

        Couple_Appreciation_2.png

        Public and private keys are essential to the security of our exchanges. Thanks to them, we don’t have to worry about someone eavesdropping on our conversations. But there is still a major issue: what if a hacker intercepts the server’s public key, and sends their own public key instead?

        What guarantees the browser that the public key received is actually the public key from the server it wanted to reach?  This is why Certification Authorities like Symantec play an essential role: CAs authenticate servers and their public key through a unique document called the SSL certificate!

        If you’re curious about SSL and more specifically about how SSL certificates work, you can find more

        • Products
        • website security solutions
        • DigiCert Complete Website Security
        • Products and Solutions
        • Symantec Website Security
      • Enhancing Trust in the CA/Browser System

        Apr 13 2015, 5:40 PM

        by Dean Coclin 0

        Stop Hand.jpg

        Browsers and Certificate Authorities are in the news again over the reported mis-issuance of an SSL server certificate to google.com domains. Discovered by Google most likely via technology known as key pinning and discussed by Google’s Adam Langley in this blog, a Chinese certificate authority, CNNIC (Chinese Internet Network Information Center), apparently issued an intermediate certificate to an Egyptian company called MCS Holdings. Because the CNNIC root certificate is included in the root store of most major browsers, users would not see any warnings on sites that have certificates issued by CNNIC or MCS Holdings. When MCS installed their intermediate into a Man in the Middle (MITM) proxy device, that device could then issue certificates for sites which users connected via that proxy would visit.

        There are several violations of the CA/B Forum Baseline Requirements and Mozilla Root Program Requirements here. First, Mozilla specifically prohibits using public roots for MITM applications. (While there may be legitimate corporate use cases for these proxy devices, using public root certificates as part of the implementation is prohibited and is a violation of public trust). Second, any sub CA certificates (issued from the Root) must be publicly disclosed and audited or be technically constrained(using the technology known as “name constraints” which limits the domains which the CA can issue to. Neither appears to be the case here. Third, indications are that the key was not generated and stored in a proper Hardware Security Module (HSM). There are several other mistakes as well but these are the major ones.

        CNNIC documents show that the sub CA certificate was only issued for a short duration and was to be used for test purposes only. While this may be the case, it ignores the reality that the misuse of such a certificate can cause great harm to end users. Users can be deceived to go to a fraudulent website and have their credentials stolen. The fact that bogus certificates found their way onto the public Internet due to this “test” makes it clear that improper controls were in place at both CNNIC and MCS Holdings as well as a limited understanding of the rules surrounding public CAs.

        The major browsers quickly moved to un-trust the MCS Holdings certificate to protect their users from potential fraud. MCS sent a report to Mozilla with their assessment of the situation. Google has announced that they are taking action to distrust the CNNIC root certificates.  Google will “whitelist” all existing CNNIC certificates and has provided a path for re-inclusion into their browser by insisting all future certificates use Certificate Transparency.  Firefox will be updated to distrust any CNNIC certificate with a notBefore date of April 1, 2015. The current CNNIC root will remain in the Mozilla root store to validate current certificates and CNNIC can reapply for full inclusion but may be subject to additional scrutiny and controls during the process. This is essentially a punishment for violating the Baseline Requirements and the Mozilla root program rules.  Microsoft is still evaluating whether to take further action than just distrusting the MCS Holdings Intermediate certificate. No word from Apple so far.

        Three recently introduced technologies and controls namely Certificate Authority Authorization (CAA) and Certificate Key Pinning (HPKP), which are designed to prevent mis-issuance, and Certificate Transparency (CT) which is designed to detect mis-issuance, significantly raise the level of security of the CA/Browser cryptography system. CT and HPKP are being implemented by some browsers and CAA is a function that CAs will have to deploy.

        What is the lesson learned here? Not all CAs are created equal. Clearly CNNIC broke the rules and got caught. Whether it was intentional or not is being debated in the public. It doesn’t appear from the evidence that this was intentionally malicious. Symantec and all the SSL issuing CAs are held to high standards with regard to the ecosystem rules including CA/B Forum Baseline Requirements, Network Security controls, and Mozilla, Microsoft, Google, Apple and other root program requirements. We have strict controls in place to insure sub CA certificates are either disclosed or constrained, have strong and knowledgeable vetting and authorization teams, obtain regular audits from accredited WebTrust auditors and work closely with the major browser vendors in the CA/B Forum. While we do issue sub CA certificates to third parties, we are well aware of the strict rules surrounding this practice and the need to remain vigilant. Symantec supports the use of CT, CAA, and HPKP technologies and urges adoption by all participants in the ecosystem.  In the end, it matters which CA you choose so pick one that has a long track record and invests in its infrastructure to insure its customers are protected.

        • Products
        • Public Key Infrastructure (PKI)
        • Symantec Enterprise Security
        • Thought Leadership
        • SSL
        • Identity and Authentication Services
        • Security Community Blog
        • Managed PKI for SSL
      • SSL Certificates: What Consumers Need to Know

        Apr 29 2015, 11:24 PM

        by Dean Coclin 1

        In 1994, the first online purchase crossed the World Wide Web: a large pepperoni pizza with mushrooms and extra cheese from Pizza Hut. Over the next 20 years, e-commerce has exploded into a bustling economy, exceeding $1.2 trillion in sales in 2013.

        This growth in online purchases rests upon a foundation of trust. People trust that the websites they use to track finances and make online purchases are secure and legitimate largely because of Secure Socket Layer (SSL) certificates- otherwise known as that little green padlock in the URL bar of the browser.

        SSL certificates verify that the provider is who they claim to be and also indicate secure connections between personal devices and company websites. Understanding SSL certificates is important to help prevent falling victim to scammers. Because at the end of the day, not all sites, or SSL certificates, are created equal.

        Different types of certificates

        Website owners purchase SSL certificates through Certification Authorities (CA). There are three different types of SSL certificates, each providing a different level of security. The problem is that, even though all of these certificates provide the safety padlock in the URL bar of a browser, along with the HTTPS (“S” indicating “secure”) in the address bar,  the levels of security between types of certificates differ greatly. This is why it is important to understand what kind of SSL certificate a site is using when looking to perform financial transactions or anything involving personal user data.

        • Domain validated (DV): This simply verifies who owns the site. It’s a simple process where the CA will send an email to the website’s registered email address in order to verify their identity. No information about the company itself is required. Cybercriminals commonly use DV certificates because they are easy to obtain and can make a website appear more secure than it actually is. For instance, fraudsters may use DV certificates to lure consumers to phishing websites that look authentic, or to cloned websites that look legitimate, but are designed to steal sensitive information.
        • Organizationally validated (OV): To receive an OV certificate, a CA must validate certain information, including the organization, physical location and its website’s domain name. This process typically takes a couple of days.
        • Extended validation (EV): This certificate has the highest level of security and is the easiest to identify. In order to issue an EV certificate, the CA performs enhanced review of the applicant to increase the level of confidence in the business. The review process includes examination of corporate documents, confirmation of applicant identity and checking information with a third-party database. In addition to adding the padlock in the URL bar of the browser, the “S” part of HTTPS, this adds the company’s name in green in the browser URL bar.

        Can you tell the difference?

        SSL.jpg

        Clearly, the last URL is an EV certificate. The first is the DV certificate and the second is an OV certificate, which both look identical to each other.

        What can people do to stay safe?

        Now knowing what a SSL certificate is, the three different types, and that DV-enabled sites pose a risk for scams, how can users reduce the risk of shopping or performing other sensitive transactions online?

        1. Be aware! Just because a website has the padlock or “https” next to a URL doesn’t make it safe for financial transactions. Users have learned to look for those two things before conducting a transaction, which is exactly why cybercriminals are going through the trouble of obtaining SSL certificates in the first place – to look like a legitimate site.
        2. Know how to look for the type of SSL certificate a website has. As a first step, look for visual cues indicating security, such as a lock symbol and green color in the address bar. Only EV-enabled websites include the company name in the web address bar. Browsers do not distinguish a DV certificate from an OV certificate, however. To make it easy to tell the difference, Norton has created a free tool. You simply paste a URL directly into the tool and it will tell you if the site is DV-, OV- or EV-enabled, with results clearly highlighting how safe a site is.
        3. Only conduct transactions and provide sensitive data to sites that have OV or EV certificates. There’s a time and place for DV certificates, but that doesn’t include using them for e-commerce sites. If you drop a URL into the Norton tool and the tool reports that the site has a DV certificate, rethink conducting any type of transaction via that site. If it’s an OV or EV certificate site, you know that the business information has been confirmed.

        Let’s face it – online shopping isn’t going away. Until the industry requires an OV or EV certificate for e-commerce sites or an easier way to identify the types of certificates, people will have to bear some of the burden of combatting cyber risks. Knowing the risks ahead of time, consumers are less likely to be duped by phishing websites.

        Readers can find more information on SSL certificates in this recent Symantec whitepaper or by visiting our Trust Services page.

        • Products
        • DigiCert Code Signing
        • Symantec Enterprise Security
        • Thought Leadership
        • Security Community Blog
        • Symantec Website Security