
What is the difference between SSL certificates from Namecheap? Encryption, verification and trust

Translator's note. After my post about Hosting Cafe there were two comments (1, 2) that there are no free certificates on HTTPS.menu, and just that day an article by the founder of Namecheap about free SSL was published. Initially, the article was called “The Facts About Free SSL”, but a couple of days after publication, the article was renamed and slightly edited.



(Note: After receiving valuable feedback from the network security community, we edited this article to clarify our point of view, and also removed minor issues that distracted from the main ones, namely, the significance of checks during SSL certification and the need to explain to users that, due to developments in the automation of SSL certification, the presence of the letters “https” and the image of the lock in the address bar may not indicate security as before. Thanks for your valuable feedback. We always listen to it and are always open to discussing issues.)
Namecheap is focused on providing security and data protection for all users. We believe that the trend towards encrypting virtually all web traffic through the automated issuance of SSL certificates is a positive change on the Internet. Preventing MITM attacks, as well as other attempts to intercept data, is in the interests of all parties. This is an indisputable fact. However, there is a significant difference between encryption and security. This may seem trivial to advanced users or specialists, but for consumers it is relevant information.

We think that verification of the certificate holder is an important issue that requires special attention and discussion. Recent developments in the field of automating the issuance of SSL certificates are technically awesome. However, users should be told the specifics of the new security model and which signals to look for when making security decisions. The letters "https" and the image of the lock in the address bar, indicators that were traditionally considered reliable, may no longer be so reliable when it comes to user security.

Significance of verification and revocation of certificates by third parties


With Namecheap paid certificates, users receive both verification confirmation and encryption. Basic confirmation occurs at the time of payment by credit card. Then, before issuing the certificate, the certification authority conducts additional domain security checks through various APIs involving third parties (this happens even when issuing the least expensive certificate we offer, the domain verification (DV) certificate).

In addition, each time we receive information about illegal activities and/or fraud associated with a certificate, Namecheap cooperates with a certification authority in investigating suspicious sites. Often, certification authorities quickly take steps to revoke a certificate. This third-party revocation capability is very important. It provides an additional level of protection after a certificate has been issued.

Certificates of automated certificate authorities are uniquely useful for personal and other non-commercial sites that need to provide users with the ability to encrypt normal data. However, when it comes to situations where information requires a higher level of protection, for example, in commerce, when doing business over the Internet, when transferring personal data, we believe that additional levels of verification are critical to ensuring security at the level required by the consumer. Paid Organization Verification (OV) and Extended Validation (EV) certificates involve many additional verification levels, while automated certificates provide only proof of ownership.

This is the main difference. The true value of paid SSL certification is in confirming that the certificate holder is who he claims to be, and not just that he controls the domain from which the application was submitted. When issuing an OV certificate, at the second stage of the audit, documents are requested from the relevant state bodies (for example, licenses, certificates, charters, tax permits), which adds an additional level of confidence that the applicant not only controls the domain, but also has documents confirming that he is who he claims to be. EV certificates are issued after even more stringent verification from third parties, providing additional confidence in the person being certified.

When it comes to gaining trust, verification is a decisive factor. The user has an additional indicator of reliability when he sees the seal of protection of a reputable brand in the field of security on our website. It indicates that your company not only provides data encryption, but has been verified in various sources by a reputable service provider. In addition, taking into account recent changes, we believe that it is necessary to conduct additional explanatory work with users to determine reliable protection indicators when making security decisions. Part of the responsibility for this must be borne by browsers. However, everyone should take on some of the burden, including automated services for issuing SSL certificates.

Announce reliability to customers with paid SSL certificates


SSL certificates issued by proprietary services provide the level of protection, flexibility and support that commercial sites need. Regular certificate authorities offer certificates valid for up to three years. They support Wildcard certificates, offer guarantees, as well as support for implementation. When collaborating with a non-automated certification authority, you can choose from various levels of verification: organization verification (OV) and extended verification (EV), in addition to domain verification (DV). At the OV and EV protection levels, before issuing a certificate, the certification authority carries out an extensive audit of the site-related business, and quickly takes steps to detect fraudulent or malicious activity. Support is also an important aspect. Only paid services offer customer service and support on an ongoing basis.

Free certificates are a great option for personal blogs and other simple sites where financial transactions are not conducted and confidential data is not collected. However, companies that are engaged in e-commerce or collect customer data that require a certain level of protection and reliability should, of course, use OV or EV SSL certificates issued by well-known and reliable certification authorities. These products provide not only encryption, but exactly the level of encryption, verification and reliability that business and commercial sites need to ensure user security.

Source: https://habr.com/ru/post/271521/

