On July 20, Google announced that the Chrome browser would no longer trust SSL certificates issued by the certification authority (CA) WoSign and its subsidiary StartCom. As the company explained, the decision followed a series of incidents that fell short of the standards expected of a CA, in particular the issuance of certificates without the domain owner's authorization.
Earlier this year it also became known that the organizations responsible for issuing certificates would have to start honouring special DNS records: CAA (Certification Authority Authorization, RFC 6844) records, which let a domain owner specify the "circle" of CAs that are permitted to issue SSL/TLS certificates for their domain.
All these measures are, to one degree or another, a response to the growing number of attacks and phishing sites. Encrypted HTTPS connections are becoming the norm on the web. A certificate not only lets the browser and the web server encrypt the data exchanged between them, it can also attest to the identity of the organization that operates the site. In this article we look at what types of certificates exist and touch on how they are obtained.
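The CAA check mentioned above, as an added example that is not part of the original article: a small Go program that applies the RFC 6844/8659 lookup over a constructed in-memory zone instead of live DNS. It climbs from the requested name toward the DNS root until it finds the first CAA record set, then lets the issue records decide (or the issuewild records, for a wildcard request), and refuses when it meets a critical property it does not understand. The zone contents, the CA identifier ca.example.net and all other names are made up for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// CAA mirrors one DNS CAA resource record: a flags byte, a property tag and a value.
type CAA struct {
	Flags uint8  // bit 0x80 = "issuer critical"
	Tag   string // "issue", "issuewild" or "iodef" (others may appear in future)
	Value string // issuer domain, ";" alone (nobody may issue) or a reporting URL
}

// Zone is a constructed stand-in for DNS: FQDN without trailing dot -> CAA RRset.
type Zone map[string][]CAA

// SampleZone is made-up data for the illustration; it is not real DNS.
var SampleZone = Zone{
	"example.com":      {{Tag: "issue", Value: "ca.example.net"}, {Tag: "iodef", Value: "mailto:security@example.com"}},
	"shop.example.com": {{Tag: "issue", Value: ";"}}, // explicitly forbids every CA
	"wild.example.com": {{Tag: "issue", Value: "ca.example.net"}, {Tag: "issuewild", Value: "wildcard-ca.example.org"}},
	"example.org":      {{Flags: 0x80, Tag: "futuretag", Value: "x"}}, // critical, unknown tag
}

// relevantRecords climbs from the requested name toward the DNS root and returns
// the first non-empty CAA RRset (RFC 8659 section 3). A leading wildcard label is
// dropped first, so CAA for "*.example.com" is looked up starting at "example.com".
func relevantRecords(z Zone, name string) ([]CAA, string) {
	name = strings.TrimPrefix(strings.ToLower(name), "*.")
	for name != "" {
		if rrs, ok := z[name]; ok && len(rrs) > 0 {
			return rrs, name
		}
		if i := strings.IndexByte(name, '.'); i >= 0 {
			name = name[i+1:]
		} else {
			name = ""
		}
	}
	return nil, ""
}

// issuerOf strips ";"-separated parameters from an issue/issuewild value, leaving
// the CA's identifying domain; the empty string means "no CA at all".
func issuerOf(v string) string {
	return strings.TrimSpace(strings.SplitN(v, ";", 2)[0])
}

// MayIssue decides whether the CA identified by caDomain may issue for name and
// returns the reason. Rules applied, in order:
//   - no CAA RRset anywhere up the tree: unrestricted (pre-CAA behaviour);
//   - a critical record with a tag this CA does not understand: refuse;
//   - wildcard request and at least one issuewild present: only issuewild counts;
//   - otherwise the issue records decide, and a record whose issuer is empty
//     (";") forbids issuance unless another record names this CA;
//   - an RRset with none of the selected tag does not restrict issuance.
func MayIssue(z Zone, name, caDomain string) (bool, string) {
	rrs, at := relevantRecords(z, name)
	if rrs == nil {
		return true, "no CAA records found for " + name + " or its parents"
	}
	tag := "issue"
	for _, r := range rrs {
		if r.Flags&0x80 != 0 && r.Tag != "issue" && r.Tag != "issuewild" && r.Tag != "iodef" {
			return false, fmt.Sprintf("critical unknown property %q at %s", r.Tag, at)
		}
		if r.Tag == "issuewild" && strings.HasPrefix(name, "*.") {
			tag = "issuewild"
		}
	}
	restricted := false
	for _, r := range rrs {
		if r.Tag != tag {
			continue
		}
		restricted = true
		if iss := issuerOf(r.Value); iss != "" && strings.EqualFold(iss, caDomain) {
			return true, fmt.Sprintf("permitted by %s record at %s", tag, at)
		}
	}
	if !restricted {
		return true, fmt.Sprintf("CAA RRset at %s has no %s records", at, tag)
	}
	return false, fmt.Sprintf("%s records at %s do not name %s", tag, at, caDomain)
}

func main() {
	for _, req := range [][2]string{
		{"www.example.com", "ca.example.net"},
		{"www.example.com", "other-ca.example"},
		{"shop.example.com", "ca.example.net"},
		{"*.wild.example.com", "ca.example.net"},
		{"*.example.com", "ca.example.net"},
		{"www.example.org", "ca.example.net"},
		{"nocaa.test", "ca.example.net"},
	} {
		ok, why := MayIssue(SampleZone, req[0], req[1])
		fmt.Printf("%-20s %-22s allowed=%-5v %s\n", req[0], req[1], ok, why)
	}
}
```

Two points the code makes that the prose does not: a record set found at a subdomain (shop.example.com) completely replaces whatever the parent says, so an `issue ";"` there blocks issuance even though example.com allows ca.example.net; and a wildcard request falls back to the issue records only when no issuewild record exists at the relevant name.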
All SSL certificates rely on the same cryptographic building blocks: asymmetric algorithms (a public/private key pair) for authentication and key establishment, and symmetric algorithms (a shared secret key) for the confidentiality of the session. What differs is the validation performed before issuance: a certification authority must verify that the applicant is entitled to a certificate for the site in question, and the depth of that verification defines the certificate type. There are several types of certificates.
The first type is the Domain Validated (DV) certificate. DV certificates are suited to non-commercial sites, because the CA confirms only that the applicant controls the domain name of the web server the visitor connected to. A DV certificate carries no identifying information in the organization name field; it is usually empty or holds a placeholder such as "Persona Not Validated" or "Unknown".
To verify the applicant, the CA sends an email to an address associated with the domain name (for example, admin@yourdomainname.com). This confirms that the person requesting the certificate actually controls the domain. Google does not need to prove to the public that www.google.com belongs to it, so it could easily get by with simple domain-validated certificates (in practice, however, the company uses OV certificates, which are discussed below).
Other validation options include adding a TXT record to the domain's DNS or placing a file with a CA-supplied token on the web server where the CA can fetch it. This is the cheapest and most widespread type of certificate, but it gives no assurance about who operates the site: it attests only that the applicant controlled the registered domain name at the time of issuance. DV certificates are therefore commonly used on internal networks or on small websites.
The second type is Organization Validated (OV), the certificate with organization verification. OV certificates are more trustworthy than DV because the CA additionally verifies the registration details of the company that owns the web resource. The company supplies the necessary information when ordering the certificate, and the CA then contacts the organization's representatives directly to confirm it.
The third type is Extended Validation (EV), the extended verification certificate, which is considered the most trustworthy. EV certificates first appeared in 2007 and are intended for sites that conduct financial transactions and other highly sensitive operations. With an EV certificate the browser's entire address bar is highlighted in green (hence the name "green bar certificates"), and the green area shows the name of the certified company. Note that Chrome and Firefox later removed this distinct EV indicator from the address bar, so the green bar is no longer something users can be taught to look for.
How different browsers indicate the presence and type of a certificate can be seen here.
Note that if the user is redirected for payment and transaction processing to a third-party site protected by an EV certificate, an ordinary OV certificate is sufficient for the main site.
EV certificates are useful when a domain must be tightly bound to a physical organization, for example Bank of America and the domain bankofamerica.com. Here the extended verification of the organization assures the visitor that the resource really belongs to the bank where they can physically deposit their money, which is, at the very least, reassuring for users.
EV certificates also raise the bar against phishing sites, as in the case of Mountain America Credit Union. Attackers obtained a legitimate SSL certificate for a copy of the credit union's website: the bank used the domain macu.com, while the attackers registered mountain-america.net and put up an innocuous-looking site while the certificate application was being processed. Once the certificate was issued, the site was swapped for a phishing page. An EV certificate makes such a trick far harder, because at the very least the applicant's verified legal identity and address are recorded before issuance.
When issuing an OV or EV certificate, the certification authority must make sure that the company receiving it actually exists, is officially registered, has an office, and that its contact details are genuine and working. Evaluation of an organization begins with verification of its state registration. In Russia this is done through the register of legal entities on the Federal Tax Service (FTS) website.
After receiving a certificate application, the CA sends questionnaires about the organization that must be filled out and signed by the head of the company and the chief accountant, with the company seal. The scanned documents are returned to the CA, which checks them against the organization's state registration number and taxpayer identification number (TIN).
If the data fully satisfies the CA's staff, the certificate is issued. If legalization of documents is required, scanned copies of the requested documents are sent to the CA by e-mail.
Before doing so, clarify whether the documents must be translated, whether the translation must be notarized, and whether the notary's own authority must in turn be certified. Instead of an apostille confirming the notary's authority, you can point the CA to the corresponding entry on the website of the Federal Notary Chamber. Translation, notarial services and an apostille all involve additional expense and organizational effort, so do not arrange them until the CA has confirmed that they are actually needed.
CAs can issue EV certificates to government agencies, but these must meet several requirements. First, the agency's existence must be confirmed by the administrative-territorial unit in which it operates. Second, the agency must not be located in a country where the issuing CA is prohibited from operating. Finally, the government body itself must not appear on any list of prohibited organizations.
There are also international agencies that can verify a company's official documents and attest to its legal existence. The best known is Dun & Bradstreet. After checking an organization, D&B assigns it a D-U-N-S number (Data Universal Numbering System identifier), which can be cited to confirm the organization's legal status.
Obtaining an OV or EV certificate involves some expense for the organization that wants one. In return, the effort pays off in a stronger reputation and greater customer confidence in the organization online.
Certificate Chains
In principle, a single certificate is enough to encrypt the data sent between the web server and the user's browser. But if you look at the certification path of google.ru, you will see as many as three certificates.
When visiting many sites, such as banks or railway ticket offices, users want to be sure not only that the connection is encrypted but that the site they opened is the genuine one. A single certificate cannot establish this on its own: a third party, the certification authority, has to confirm that the certificate protecting the connection was issued specifically for this site.
If some party "B" has certified the identity of "A" and you trust "B", the problem is solved. If you do not know "B", then a party "C" whom you do trust can in turn certify "B".
The length of such a chain is unlimited; what matters is that it ends with someone the user trusts. Historically and technologically, a number of certification authorities came to be the most widely recognized in the industry, so by common agreement their certificates are called root certificates and their signatures are trusted unconditionally.
The list of root certification authorities and their public keys is stored on the user's computer (or shipped with the browser). If a chain of successively signed certificates terminates in one of these root certificates, every certificate in the chain is considered trusted.
Other types of certificates
Finally, beyond the DV, OV and EV gradation there are other ways to classify certificates. For example, certificates differ in the number of domains they cover. Single-domain certificates are bound to the one domain specified at purchase.
Multi-domain certificates (Subject Alternative Name, Unified Communications Certificate, Multi Domain Certificate) are valid for several domain names and servers; each name beyond the number included in the base price costs extra.
There are also wildcard certificates, which cover all subdomains of the domain name specified at registration (one label deep: *.example.com covers www.example.com but not a.b.example.com). Sometimes you need a certificate that covers several domains together with their subdomains; for that there are products such as Comodo PositiveSSL Multi-Domain Wildcard and Comodo Multi-Domain Wildcard SSL. Note that in this case you can also buy an ordinary multi-domain certificate and simply list the required subdomains in it.
You can also produce a certificate yourself: a key pair and a self-signed certificate can be generated with any suitable tool, for example the free OpenSSL. Such certificates are fine for internal needs, such as encrypting exchanges between network devices or applications, where you control the trust store on both ends. For a public website, however, you need a certificate from a publicly trusted CA; only then will browsers stop warning about an insecure connection and let the data be sent without complaint.
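The certificate chain, the hostname and wildcard matching, and the self-signed internal-use case described above, as one added Go example that is not part of the original article. It builds a hypothetical three-level hierarchy (root, intermediate, leaf) for example.com in memory with the standard library's crypto/x509 and then verifies the leaf the way a browser does: against a trust store holding only the root, with the intermediate supplied alongside the leaf, for a given hostname. The CA names, validity periods and the DV-style leaf without an Organization field are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-level hierarchy, the shape seen in google.ru's path.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with signer; parent == nil yields a self-signed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain creates a hypothetical PKI for example.com: a self-signed root, an
// intermediate that may only sign end-entity certificates, and a DV-style leaf.
func BuildChain(now time.Time) Chain {
	rootKey, intKey, leafKey := mustKey(), mustKey(), mustKey()
	start := now.Add(-time.Hour)
	root := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: start, NotAfter: start.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, &rootKey.PublicKey, rootKey)
	intermediate := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore: start, NotAfter: start.Add(5 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: 0, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, root, &intKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "example.com"}, // no Organization: DV-style
		DNSNames:     []string{"example.com", "*.example.com"},
		NotBefore:    start, NotAfter: start.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, intermediate, &leafKey.PublicKey, intKey)
	return Chain{root, intermediate, leaf}
}

// Verify checks c.Leaf the way a browser does: the trust store holds only root,
// the intermediates arrive with the server's handshake, host is the URL's hostname.
func Verify(c Chain, root *x509.Certificate, intermediates []*x509.Certificate, host string, now time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, ic := range intermediates {
		inter.AddCert(ic)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, DNSName: host, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	now := time.Now()
	c := BuildChain(now)
	inter := []*x509.Certificate{c.Intermediate}
	report := func(label string, err error) {
		if err != nil {
			fmt.Printf("%-48s FAIL: %v\n", label, err)
			return
		}
		fmt.Printf("%-48s ok\n", label)
	}
	report("root + intermediate, www.example.com", Verify(c, c.Root, inter, "www.example.com", now))
	report("root only, intermediate not sent", Verify(c, c.Root, nil, "www.example.com", now))
	report("wildcard does not span two labels", Verify(c, c.Root, inter, "a.b.example.com", now))
	report("different root in the trust store", Verify(c, BuildChain(now).Root, inter, "example.com", now))
	report("leaf itself installed as trusted (internal use)", Verify(c, c.Leaf, nil, "example.com", now))
	fmt.Println("leaf Organization field:", c.Leaf.Subject.Organization)
}
```

The run shows why google.ru's path has three certificates: the browser trusts only the root, so the server must send the intermediate or verification fails even though the leaf is perfectly valid. The last case is the internal-use scenario from the paragraph above: a self-signed certificate verifies only where it has itself been installed in the trust store, which is why it is acceptable between your own devices and not on a public site.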