SSL Overview for Resellers

Academic year: 2021

Web Security Identity Verification Services Signing Services Enterprise Security


What We'll Cover

• Understanding SSL
• SSL Handshake 101
• Market Opportunity for SSL
• Obtaining an SSL Certificate

Understanding SSL

Secure Sockets Layer (SSL)

• Protocol that has become the industry standard for securing data transmissions on the Internet
• Provides a secure channel in two ways:
  - Authenticates the Web server to the client
  - Encrypts all the data being sent
• 4 key components to enable SSL:
  - Digital Certificate
  - Public/Private Key Pair
  - Session Key
  - Certificate Authority (CA)
• SSL is established using the SSL handshake

Secure Sockets Layer (SSL)

• Largely invisible to the application
  - An https URL specifies HTTP over SSL
  - Connects to port 443 instead of 80
  - Identical in all other respects to HTTP
• All https data is sent via SSL
  - Even the requested URL is encrypted
• SSL interacts poorly with virtual hosts that have 1 IP for multiple domains
  - The SSL connection is established before any HTTP data is transmitted
  - The SSL handshake therefore takes place without the guidance of the Host header
  - The Web server doesn't know which certificate to present
  - Must set up each domain with a unique IP address

Digital Certificates

• Electronic passports that handle the passing of the keys to:
  - Authenticate the Web server
  - Encrypt/Decrypt the data passed
• Standard format for all digital certificates is X.509 V3
  - Helps define the fields contained in the certificate
• Main components of a certificate include:
  - Web server's public key
  - Fully qualified domain name the certificate was issued to
  - Name of the holder of the key
  - CA's digital signature

Digital Certificates (cont.)

• Key components of an SSL certificate:
  - The domain the certificate was issued to
  - Which certificate authority issued the certificate
  - The validity period of the certificate
  - Digital signature of the certificate-issuing authority, so that a recipient can verify that the certificate is real

Public/Private Keys

• Created when the Certificate Signing Request (CSR) is generated
  - CSR is an unsigned certificate which is submitted to the CA
• In SSL they are used to authenticate the identity of the Web server and to encrypt and decrypt the session key
• Private key is kept secret (and very secure) and stays on the Web server
• Public key is part of the digital certificate and is available to all
• Public key must be matched to the corresponding private key for a digital certificate to work

Session Key

• Created by the browser during the SSL handshake
• Sent to the server in a message encrypted with the server's public key
• Used to encrypt and decrypt information exchanged during the SSL session
• Randomly generated and changes each time
• 128 bit is the standard length for the key (though some browsers have started to move towards 256-bit)

Certificate Authority

• Trusted organization that:
  - Accepts SSL certificate applications from entities
  - Authenticates those applications
    - WebTrust compliant
    - Follows the steps and procedures outlined in the CPS
  - Issues certificates
  - Maintains status information about the certificates
    - Validity period, Certificate Revocation Lists, etc.
  - Invests in the technologies and resources to support SSL certificates and assure their certificates are trusted by Web browsers

SSL Handshake 101

SSL - setting up the session

[Diagram: a user with a standard browser, behind a firewall, connects to a Web server. The website has an X.509 certificate signed by a trusted 3rd party. SSL provides: Server Authentication, Data Encryption and Message Integrity.]

Steps shown across the diagram slides:

1. User enters the website URL; the browser sends the URL to the Web server.
2. The server certificate is sent to the browser. The slide shows what the certificate includes:

   Serial Number: 6cb0dad0137a5fa79888f
   Validity: Nov.08,2004
   Subject / Name / Organization: Locality = Internet, Organization = GeoTrust, Inc., Organizational Unit = GeoTrust Class 2 CA - Individual Subscriber
   Status: Valid
   Public Key: ie86502hhd009dkias736ed55ewfgk 98dszbcvcqm85k309nviidywtoofk kr2834kl
   Signed By: GeoTrust, Inc.: kdiowurei495729hshsg0925h309afh

3. The browser generates a symmetric key of the specified strength; this will be the session key.
4. The browser encrypts the session key with the Web server's public key (found in the certificate).
5. The browser sends the encrypted session key to the Web server.
6. The Web server decrypts the encrypted session key with its private key.
7. The secret key has now been shared; the encrypted session is now established.

How the SSL Handshake Works

• A browser requests a secure page (https://)
• The Web server sends its public key with its certificate
• The browser authenticates the server by checking:
  1. Is today's date within the validity period?
  2. Is the issuing CA a trusted CA?
  3. Does the issuing CA's public key validate the issuer's digital signature?
  4. Does the domain name in the server's certificate match the domain name of the server itself?
• The browser then uses the server's public key to encrypt a random session key and sends it to the server with the encrypted data on the Web page

How the SSL Handshake Works (cont.)

• The Web server decrypts the session key using its private key and uses the session key to decrypt the data from the Web page
• The Web server sends back the requested Web page data encrypted with the session key
• The browser decrypts the Web page data using the session key and displays the information
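The exchange on the "Session Key" and handshake slides, written out as an added example in Go; this is not code from the presentation or from GeoTrust. It follows the slides' flow: the browser generates a random 128-bit session key, wraps it with the public key from the server's certificate, the server unwraps it with its private key, and the page data then travels under the session key. The 2048-bit RSA key, OAEP padding, AES-GCM for the session records and the sample page text are assumptions. The GCM tag gives the message integrity the diagram slides list next to server authentication and data encryption: a record altered in transit is rejected rather than decrypted. Current TLS versions establish the session key with ephemeral key agreement instead of encrypting it under the certificate's key, so this mirrors the slides rather than a modern handshake.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ServerKeyPair stands in for the Web server's key pair made at CSR time; its public half is in the certificate.
func ServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048) // key size is an assumption
}

// BrowserMakeSessionKey: the browser generates a fresh random 128-bit symmetric key, the length the slide gives.
func BrowserMakeSessionKey() ([]byte, error) {
	key := make([]byte, 16)
	_, err := rand.Read(key)
	return key, err
}

// BrowserWrapSessionKey encrypts the session key with the server's public key (found in the certificate).
func BrowserWrapSessionKey(pub *rsa.PublicKey, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
}

// ServerUnwrapSessionKey: only the holder of the private key can recover the session key.
func ServerUnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// gcmFor keys AES-GCM with the session key (the cipher choice is an assumption, not from the slides).
func gcmFor(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record (e.g. the requested Web page) under the session key, nonce prepended.
func Seal(sessionKey, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a record and fails on any modification in transit (message integrity).
func Open(sessionKey, record []byte) ([]byte, error) {
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(record) < ns {
		return nil, errors.New("record too short")
	}
	return gcm.Open(nil, record[:ns], record[ns:], nil)
}

// RunHandshake drives the exchange end to end and returns the page data the browser recovers.
func RunHandshake(page []byte) ([]byte, error) {
	serverKey, err := ServerKeyPair()
	if err != nil {
		return nil, err
	}
	sessionKey, err := BrowserMakeSessionKey()
	if err != nil {
		return nil, err
	}
	wrapped, err := BrowserWrapSessionKey(&serverKey.PublicKey, sessionKey) // browser -> server
	if err != nil {
		return nil, err
	}
	serverCopy, err := ServerUnwrapSessionKey(serverKey, wrapped) // server side
	if err != nil {
		return nil, err
	}
	reply, err := Seal(serverCopy, page) // server answers under the shared key
	if err != nil {
		return nil, err
	}
	return Open(sessionKey, reply) // browser decrypts with the key it generated
}

func main() {
	got, err := RunHandshake([]byte("<html>constructed page data</html>"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("browser recovered: %s\n", got)
}
```

Running it prints the recovered page. The private key never appears in `RunHandshake` on the browser side, which is the point of the slides' "private key stays on the Web server": the wrapped key is useless to anyone who only sees the wire.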

SSL Enabled

• Browsers initiate SSL sessions when they connect to a Web server over https://
• Gold lock icon located in the lower right hand corner contains the certificate details and lets Web site users know the site is secure

[Screenshot captions: "Lock symbol means site is secure and encryption is" (caption cut off on the page); "When a browser connects to a site that uses SSL – the URL switches to https://"]

Market Opportunity for SSL

SSL Market Data

• Over *60M active domains
• Approximately 850,000 active digital certificates
• About 1.4% of the 51m domains have an active digital certificate
• 25% annualized growth in number of active certificates over the last 12 months

Applications of SSL

• Secure browser to Web server communications when collecting financial and personal data
  - eCommerce sites
  - Banking applications
  - User/Member login pages
  - Sign-up pages
  - VPN access
  - Web access to email
  - Sensitive business information (business partners, remote offices)
• Secure server to server communications to improve data and network security
  - FTP sites

Value of SSL Certificates

• Information on the Internet is vulnerable to many threats
  - Spoofing/phishing
  - Eavesdropping
  - Data alteration
• SSL certificates safeguard against these threats by providing:
  - Confidentiality to keep data secret from unintended listeners
  - Authentication to identify with whom you are dealing
  - End-to-end message integrity to ensure the information has not [text cut off on the page]

Online Fraud

Other SSL Market Influencers

• Significantly increased Web usage and market and consumer awareness of SSL
• Technological enhancements have made dedicated servers and SSL more affordable

Obtaining an SSL Certificate

Setting Up SSL

• 5 step process to get a certificate:
  1. Company generates the CSR (public/private key pair and certificate) on the Web server
  2. Company submits the CSR and other order information to the CA through some type of online enrollment process
  3. CA authenticates the Web server and/or Company and verifies that the requestor is authorized to order a certificate for that domain
  4. CA signs the certificate (adding their trust to it for browser recognition) and issues the certificate to the requestor

Self-Signed Certificates

• Companies generate their own certificates by setting up their own certificate authority
• Extra effort and resources needed to administer and manage certificates
• Large up-front costs (additional hardware, software, etc.)
• Not automatically recognized by a user's browser
  - User is asked if they want to accept the certificate and secure connection
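The issuance steps on the "Setting Up SSL" slide, the four browser checks on the "How the SSL Handshake Works" slide, and the self-signed case on this slide, combined in one added Go example (not the presentation's own code). Names such as www.example.com, "Example Company", "Example Trusted Root CA" and "Example Company Internal CA" are constructed. The CA verifies the CSR's own signature (proof that the requestor holds the private key) and bounds the validity period; the browser side is Go's standard X.509 chain verification with the trust store, clock and host name passed in, so one call exercises validity period, trusted issuer, issuer signature and domain match. Domain-control validation (step 3) is assumed to have happened out of band. The same certificate that passes when issued by the trusted root fails when the company signs it with its own CA, which is the "not automatically recognized by a user's browser" case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on failures that only occur on a broken machine (key generation, DER encoding).
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// sign encodes tmpl signed with priv under parent and parses the result; parent == tmpl self-signs.
func sign(tmpl, parent *x509.Certificate, pub interface{}, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// NewCA creates a root CA key and self-signed certificate: a browser-shipped root, or the
// company's own CA on the self-signed route. The name is a constructed value.
func NewCA(name string) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	return key, sign(tmpl, tmpl, &key.PublicKey, key)
}

// GenerateCSR is step 1: the key pair is made on the Web server; the request carries only the
// public key and the domain, and the private key stays on the server.
func GenerateCSR(domain string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: domain, Organization: []string{"Example Company"}},
		DNSNames: []string{domain},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	must(err)
	return der
}

// Issue is steps 3 and 4: check the CSR's self-signature (the requestor holds the private key),
// then sign a certificate for the domain, valid for `days`. Domain-control validation is assumed done out of band.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, days int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR rejected: %w", err)
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // constructed serial, unique enough for a demo
		Subject:      csr.Subject, DNSNames: csr.DNSNames,
		NotBefore:    now.Add(-time.Minute), NotAfter: now.AddDate(0, 0, days),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, caCert, csr.PublicKey, caKey), nil
}

// BrowserCheck is the handshake slide's four checks in one call: validity period at now,
// issuer present in roots, issuer signature over the certificate, host against its names.
func BrowserCheck(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// Scenarios reports whether a browser trusting only the trusted root accepts each case.
func Scenarios() map[string]bool {
	caKey, caCert := NewCA("Example Trusted Root CA")
	roots := x509.NewCertPool() // the browser's trust store
	roots.AddCert(caCert)
	csr := GenerateCSR("www.example.com")
	cert, err := Issue(caCert, caKey, csr, 365)
	must(err)
	ownKey, ownCert := NewCA("Example Company Internal CA")
	selfIssued, err := Issue(ownCert, ownKey, csr, 365)
	must(err)
	now, host := time.Now(), "www.example.com"
	return map[string]bool{
		"trusted CA, right domain, in date": BrowserCheck(cert, roots, host, now) == nil,
		"wrong domain":                      BrowserCheck(cert, roots, "www.other.example", now) == nil,
		"expired":                           BrowserCheck(cert, roots, host, now.AddDate(2, 0, 0)) == nil,
		"self-signed CA not in browser":     BrowserCheck(selfIssued, roots, host, now) == nil,
	}
}

func main() { fmt.Println(Scenarios()) }
```

Only the first scenario comes back true. `BrowserCheck` takes the clock as a parameter so the validity check can be exercised without waiting for a real expiry; a browser uses its own clock, which is why a wrong system date produces the same kind of failure as an expired certificate.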


Trusted Certification Authority

• Browser automatically recognizes the certificate and allows a secure connection
• High ubiquity: root already present in all popular Web browsers
• CA guarantees either the identity of the Web server or organization
• Long-term stability
• WebTrust compliant
  - Practices and controls audited yearly for compliance

Dedicated SSL vs. Shared SSL

• One single fully qualified domain name per certificate
  - More credibility with the customer
    - Customer won't experience a domain name change in the middle of the shopping experience (i.e. go from http://www.mydomain.com to https://sharedssl.com/mydomain, or to https://mydomain.sharedssl.com if the wildcard method is used)
  - Reduces risk of low customer confidence
  - Same user experience as phishing
• Consumers are more likely to purchase from a site that uses a dedicated SSL certificate
• Own the certificate and can transfer it with them
• Display site seal with information specific to your domain
• No extra hardware or software to install

Questions