
How to Choose A Certificate Authority For Safer Web Security
WHITE PAPER


The Role of Certificate Authorities

WHY DO SITES NEED TO BE TRUSTED?
As use of the Internet has become increasingly commonplace and crucial to a wide range of applications, criminals have found an ever-growing group of people they can target. Criminals are exploiting Internet users in many ways, including:

- using social engineering, bogus links, spam and phishing to direct people to fraudulent websites that resemble the sites that they frequently use.
- setting up websites to be malicious destinations.
- hijacking user accounts and information by intercepting the data shared between people and websites through man-in-the-middle attacks such as the well-known Firesheep plug-in.
- fooling people into consciously or unconsciously giving up confidential details that can then be used for fraudulent purposes.
- putting malware onto a user's computer that quietly turns the machine into a tool for further crime.
- spoofing a domain, which may allow a criminal to impersonate someone sending email from that domain or spying on their conversations. This is not just a consumer problem: businesses' internal email systems can be compromised in this way too, opening them up to industrial espionage.

Apart from hurting users, this activity is detrimental to the brand of the real site being spoofed. Trust is harmed when the user no longer feels safe.

HOW DO PEOPLE USING THE INTERNET KNOW WHEN TO TRUST A SITE?
Fortunately, people are becoming increasingly savvy about the need to trust the sites they are visiting. They may not know the explicit details of the threats they face when dealing with malicious or compromised websites, but they are aware that there are ways to establish trustworthiness, including:

- Padlock icon: The most common sign that a site is more trustworthy than others coincides with the use of https rather than http as the prefix to the page's web address and a padlock icon.
- Green address bar: More recently, users have become aware that the highlighting of part of the address bar denotes even greater security.

Behind the scenes, the https is an indicator that the page is being viewed using a secure connection to the site owner's servers. HTTP Secure (HTTPS) combines the standard HTTP protocol with the Secure Sockets Layer (SSL) protocol, and its use shows that the site's servers have been authenticated using an SSL certificate. HTTPS also shows that the data shared between people and the site will be encrypted during transit, to protect it from being seen or intercepted by eavesdroppers.

The coloring of the first piece of the address bar shows that the site's owner has gone a step further and offered themselves up for extensive organization vetting and authentication procedures, to prove the organization behind the site is who they say they are. By doing so, they will have gained an Extended Validation (EV) SSL certificate that the browser can recognize, leading to the special green coloring and the display of more information than usual about the site's operator and the CA who authenticated the site.

[Figure: Get the green address bar. Security status bar toggles between your organization name and the CA that performed your Extended Validation authentication. The green address bar shows the name of the business verified to use this website address and means that this web page is secure.]

What Is A CA And What Are the Different Types of SSL Certificates?
The Certificate Authority (CA) is an organization that issues SSL and EV SSL certificates. You can tell which CA issued a certificate by clicking the padlock next to the site's URL; in the case of sites with Extended Validation SSL, the name of the CA may be displayed in the address bar.

[Figure: The user can always tell which CA issued a certificate by clicking on the padlock next to the site's URL.]

Different types of SSL certificates offer different levels of site authentication:

- Entry-level Domain Validated SSL certificates. These SSL certificates only confirm that the person requesting the certificate is responsible for the domain being secured with the certificate. They do not validate the legitimacy of the entity itself. To issue a domain validated certificate, a CA sends an email to an address associated with the administrator of the site. The administrator uses a link or authentication token in the email to validate their domain and their request for a certificate, and the SSL certificate is issued. However, this leaves little guarantee that the applicant is a valid business entity.
- Organization Authenticated SSL certificates. These SSL certificates validate the business entity that stands behind the website. Organization Authenticated SSL certificates will only be issued once the CA has verified the organization's validity and ownership, and that the applicant is authorized by the organization to request the certificate. Some browsers display a blue color in addition to the HTTPS for these types of certificates.
- Extended Validation (EV) certificates. This is the most visibly trustworthy form of SSL certificate. Extended Validation certificates require the strongest level of organization identity vetting. Only CAs who have passed independent audits are allowed to issue these types of certificates. This certificate also triggers the highly recognized green color and the additional security information in the browser address bar.

How CAs Have Come Under Attack
In recent years, there have been several cases where the infrastructure of CAs' intermediaries was not up to the task, leading to problems for their partners and, above all, for their customers. In one notorious incident, the CA itself was completely compromised, causing major browsers to revoke that CA's roots to render all certificates issued by that CA invalid and ultimately causing that CA to go out of business.
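As an added example that is not part of the original white paper, the following Python reads the issuing CA and the validation level (domain, organization or Extended Validation, as described under the certificate types above) from a certificate in the layout returned by `ssl.SSLSocket.getpeercert()`. The subject-field rule is a heuristic (the authoritative signal is the certificate-policy OID, which `getpeercert()` does not expose), and the sample certificates and the name "Example CA" are constructed.

```python
# Added example: constructed data, not Thawte's or any browser's code.
import socket
import ssl

# Subject fields the EV guidelines require on top of organizationName.
EV_MARKERS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def flatten_name(rdns):
    """((('commonName', 'x'),), ...) -> {'commonName': 'x', ...}"""
    return {key: value for rdn in rdns for key, value in rdn}

def describe_certificate(cert):
    """Return (validation_level, verified_organization, issuing_ca)."""
    subject = flatten_name(cert.get("subject", ()))
    issuer = flatten_name(cert.get("issuer", ()))
    issuing_ca = issuer.get("organizationName") or issuer.get("commonName")
    org = subject.get("organizationName")
    if org is None:
        level = "DV"      # only control of the domain was confirmed
    elif EV_MARKERS.issubset(subject):
        level = "EV"      # organization vetted to Extended Validation rules
    else:
        level = "OV"      # organization verified, without the EV fields
    return level, org, issuing_ca

def fetch_certificate(host, port=443, timeout=5.0):
    """Fetch and validate a live server certificate (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed samples in the getpeercert() layout; "Example CA" is made up.
ISSUER = ((("organizationName", "Example CA"),), (("commonName", "Example CA G1"),))
DV_SAMPLE = {"issuer": ISSUER, "subject": ((("commonName", "shop.example"),),)}
OV_SAMPLE = {"issuer": ISSUER, "subject": (
    (("countryName", "US"),), (("organizationName", "Example Shop Inc"),),
    (("commonName", "shop.example"),))}
EV_SAMPLE = {"issuer": ISSUER, "subject": (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "US"),), (("serialNumber", "0000000"),),
    (("countryName", "US"),), (("organizationName", "Example Shop Inc"),),
    (("commonName", "shop.example"),))}

if __name__ == "__main__":
    for name, cert in (("DV", DV_SAMPLE), ("OV", OV_SAMPLE), ("EV", EV_SAMPLE)):
        print(name, describe_certificate(cert))
```

For a live site, pass the result of `fetch_certificate(host)` to `describe_certificate`; a domain-validated result means the certificate says nothing about who operates the site.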

When you choose your CA, you should look for a company that follows a holistic security approach that encompasses physical, logical, network and personnel security. In addition, you should look for a CA that takes the customer and site authentication process very seriously. If the authentication process is too easy, it doesn't provide much in the way of identity validation assurance. A CA's top business priorities should be:

- The continual hardening of the infrastructure that protects the cryptographic keys and system for issuing certificates
- Securing a rigorous authentication process that validates the identity of the certificate requester

As we have seen in the past, insufficient CA security was to blame for allowing fraudulent certificates to be issued. In such cases, even genuine certificates had to be treated with suspicion, and in one case this caused an entire CA to shut down.

Although price certainly plays a role in the purchasing process, as the multiple recent CA breaches have reminded us, price should be but one of many factors in selecting a CA.

Several CAs have had to suspend issuing certificates because their systems were actually breached, or they were unable to confirm or deny claims of a successful attack. Similarly, a CA's certificates could be blacklisted by browser providers if the company does not offer strong enough encryption in its products.

When evaluating a CA, it's worth considering the vendor's history of trust and security.

What Measures Can a CA Take to Promote Trust In Its Certificates?
Without rigorous and diligent upkeep of their security infrastructure, CAs put their customers and the web consumer community at risk. As recent attacks have demonstrated, a CA must keep its cryptographic keys secure. Doing so is an increasingly difficult task, and the ability of a CA to maintain absolute security is the most critical factor when choosing where to source your SSL certificates.

Customers should only use a CA that has a strong track record of trustworthiness and employs measures including:

- Facilities that have been designed to withstand attacks
- Hardware monitoring and strong network security
- Biometrics-based security for the facilities, along with dual-access control for key systems
- Hardware-based systems for cryptographically signing certificates
- Ensuring dual control for the issuing of all certificates with the vendor's name on them
- Employing best practices for authenticating domain ownership
- Regular independent audits

Thawte's Commitment to Security
Thawte's core business is information security and we take the security of our own infrastructure very seriously. Thawte has invested in and built the most robust and scalable certificate authentication, issuance, management and hierarchy infrastructure in the industry. We believe that the security strength of our operations is an important part of the value our customers get when they buy their certificates from us. We are diligent about monitoring our networks and continuously work to ensure that our infrastructure remains the gold standard.

THE GOLD STANDARD IN PHYSICAL AND NETWORK SECURITY
Persons fulfilling trusted roles must pass a comprehensive background check. We have a process in place to ensure employees undergo background checks at least every 5 years. We maintain and enforce control procedures to ensure the segregation of duties based on job responsibility and to ensure that multiple trusted persons are required to perform sensitive tasks.

The physical construction of our Operations Center is comparable to Government grade protection of military and intelligence services communications. Our operations use a tiered approach to our physical environment comprised of 5 or more tiers with increasing levels of security. Individuals are granted selective access to tiers on only a need-to-know basis. The highest tiers require 2 or more authorized people to enter or remain. Use of video monitoring is employed throughout our Operations Center.
We use a layered approach to our security architecture:

- Layer 1: The Outside Firewall
  - The Front-End (DMZ) behind the outside firewall
  - Location of Web and outside mail servers
- Layer 2: The Inside Firewall
  - The Back-End behind the inside firewall
  - Location of the sensitive signing servers and certificate databases

This architecture provides defense in depth, as an intruder must pass through or compromise 2 separate firewalls to reach the back-end.

- Every firewall logs events to disk
- Log files are reviewed daily
- Log files are retained for future forensic analysis
- Firewall logs are regularly reviewed for any unusual events

We actively monitor our systems for any signs of intrusion on a 24x7x365 basis. Every component of our infrastructure is monitored for security compromises or attempted security compromises. In the event of a detected compromise, our monitoring system is able to notify the appropriate personnel for action. Notification is by multiple methods, such as e-mail alert, pager alert, and console monitoring.

Logs are generated for:

- Routers, firewalls and network machines
- Database activities and events
- Transactions
- Operating systems
- Access Control Systems
- Mail servers

Logs are archived and retained in a secure location for a minimum of 12 months.

We also log the following significant events:

- CA key life cycle management events, including:
  - Key generation, backup, storage, recovery, archival, and destruction
  - Cryptographic device life cycle management events
- CA and Subscriber certificate life cycle management events, including:
  - Certificate Applications, renewal, rekey, and revocation
  - Successful or unsuccessful processing of requests
  - Generation and issuance of Certificates and CRLs
- Security-related events including:
  - Successful and unsuccessful PKI system access attempts
  - PKI and security system actions performed by the CA personnel
  - Security sensitive files or records read, written or deleted
  - Security profile changes
  - System crashes, hardware failures and other anomalies
  - Firewall and router activity
  - CA facility visitor entry/exit

To ensure constant vigilance of security in the environment we constantly perform assessments. Daily vulnerability scans and audits are performed to ensure that adequate security measures are in place. The vulnerability scans are performed by trained individuals who understand the impact as well as assess the results. These scans are performed both internal and external to the network. Any findings of sufficient security vulnerability are remediated within 24 hours.

WHITE HAT REALITY CHECK
We also regularly perform penetration tests - a series of exercises performed from outside the system to determine if there are any exploitable openings or vulnerabilities in the network. In particular, these tests use the known techniques and attacks of hackers to verify that the network is safe from unauthorized penetration. We employ an independent third party to conduct penetration tests on our network.

The threat landscape is rapidly evolving as CAs come under increasing pressure from external attacks. Now, more than ever, it is critical to partner with a CA vendor who has network infrastructure security measures in place to defend itself, and your data, from emerging cyber-threats.

What Does the Future Hold?
Criminals and state-sponsored hackers have figured out what website owners also need to realize: not all CAs are equal. Some CAs are more vulnerable than others, and it is becoming increasingly worthwhile for hackers to exploit that vulnerability.

As cloud applications start to take over from traditional desktop programs, the mass of data that needs to be kept secure keeps growing and including new types of critical information. Your customers' trust is paramount, but a bad choice of CA could see your business risk the exposure of not only your customers', but also your own internal data, from mail and documents to spreadsheets and unified communications.

Recent attacks have also revealed that hackers use a variety of means, big and small, to try to penetrate CAs' systems. CAs must keep evolving to ensure they are ahead of the game, for their own sake as well as that of their clients.

The CA you choose has to have an infrastructure that is up to the task, along with the means to act both proactively and reactively to any threat. Their security has to be extensive and varied. They have to have their eye on every link in the chain. The stakes are too high to settle for less.

About Thawte
Protect your business and translate trust to your customers with high-assurance digital certificates from Thawte, the world's first international specialist in online security. Backed by a 17-year track record of stability and reliability, a proven infrastructure, and world-class customer support, Thawte is the international partner of choice for businesses worldwide.

To learn more, contact our sales advisors:


Via phone
US toll-free: +1 888 484 2983
UK: +44 203 450 5486
Deutschland: +49 69 3807 8908
France: +33 (0)1 57 32 42 68

Email sales@thawte.com
Visit our website at
http://www.thawte.com/ssl


2013 Thawte, Inc. All rights reserved. Thawte, the thawte logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Thawte, Inc. and its subsidiaries and
affiliates in the United States and in foreign countries. All other trademarks are property of their respective owners.
UID XXX/11/13
