alphaspirit - Fotolia
Certificate misuse and abuse has been a chief concern for my organization, and we're exploring ways to limit potential problems and improve SSL certificate management. What are the pros and cons of SSL certificate subscriptions? Are there certain enterprise scenarios where they would be more beneficial?
Sites that handle sensitive or personally identifiable information should already be using the secure communications protocol HTTPS to deliver their webpages so data exchanged between their servers and users is encrypted using SSL/TLS. However, website administrators are being encouraged to deploy Web server digital certificates and active HTTPS on all their sites and pages -- even if they don't transmit sensitive information -- as the authentication and encryption they provide prevents any third party from seeing, recording or tampering with the content of a user's session. For example, Google gives sites that use a 2048-bit key certificate a minor ranking boost, while the White House Office of Management and Budget has published a new standard -- "The HTTPS-Only Standard" -- recommending HTTPS on all federal websites and Web services.
There are various reasons why HTTPS isn't universally used on the Internet, but primarily it's the cost of certificate acquisition, installation, configuration and rotation. (The argument that HTTPS requires more server resources and slows down page-load times is no longer valid, as protocols like SPDY and HTTP/2 can actually reduce load times -- see a comparison here.) For enterprises, the management of a large number of digital certificates has high operational costs, but an SSL subscription service from Utah-based HydrantID is looking to change this by making SSL certificate management cheaper and easier.
A subscription to the HydrantID service gives an enterprise access to a cloud platform for easy SSL certificate management, with certain types of SSL certificates priced on a monthly basis. The aim is to allow enterprises to manage all their certificates centrally and reduce the risk of failing to renew certificates due to poorly managed internal certificate records. This type of SSL certificate management service will appeal to some enterprises as long as they have confidence in HydrantID's cloud-based system and the infrastructure behind its issuance of certificates. Confidence in certificate authorities' hierarchy of trust isn't great due to several instances of incorrect issuance of certificates by CAs, which have enabled hackers to abuse fraudulent certificates and launch a wide range of attacks, such as website spoofing, server impersonation and man-in-the-middle attacks.
An HTTPS-only Internet would offer better security and privacy for everyone, and there is certainly room in the marketplace for companies offering alternative ways of purchasing and managing digital certificates; StartSSL, for example, offers free digital certificates, as well as Class 2 and Class 3 certificates for less than $60. Whichever CA and type of certificate enterprises choose, administrators should ensure they are installed correctly, that webpages don't contain any content that is transmitted over unencrypted HTTP -- including content from third-party sites -- and implement the HTTP Strict Transport Security response header so if a user requests a page over HTTP, it is automatically upgraded by the browser to HTTPS before the request is sent.
Ask the Expert:
Have a question about application security? Send it via email today. (All questions are anonymous.)
Don't miss SearchNetworking's practical guide to SSL certificate management
Dig Deeper on PKI and digital certificates
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
By performing ongoing risk assessments, organizations can keep their SSH vulnerabilities at a minimum and ensure their remote access foundation is ... Continue Reading