GlobalSign interview...

Hello Paul, thank you for taking the time to chat with me. We haven’t been offering SSL certificates long so I’d love if you’d answer a few questions and share your experience and knowledge with our readers.

We’re constantly badgering our customers about keeping safe on the Internet, advocating two-step verification, domain privacy, and now SSL certificates. All four SSL certificates will validate a website and secure online transactions, but the Organisation (OV) and Extended (EV) require proof of online identity. Would you explain ‘proof of online identity’ and why it’s important?

SSL is very much at the forefront of everyone’s minds as online fraud increases and end users become more security aware. SSL is a very important step in assuring that any data transmitted via a website will be encrypted and hence stay safe from prying eyes. But SSL is more than just encryption, the higher levels which you describe (OV and EV) also allow companies to prove their identity to their website visitors. The Certificate Authority will verify the company’s identity and existence and include the verified details in the SSL Certificate so they are visible to website visitors. Users want to know their data will be encrypted indeed, but they mainly want to know who it will be sent to – OV and EV certificates allow them to do just that, and as such they are a significant advantage when it comes to building customer trust.

Our customer base is predominantly SMBs; we also have customers with portfolios containing 1000+ domain names, along with hobbyists with a single name for their blog or start-up website. We’ve had requests from across the board so what would you say to our customers with regard to why, regardless of their size, they must use SSL certificates?

The whole industry is moving towards SSL encryption by default. There are a number of drivers behind this trend, such as compliance requirements, new ways for browsers to flag unsecured websites and increased threats. But the most important one of all is the concern that end users have for their privacy. As such SSL is no longer “nice-to-have” to secure websites, it is a “must-have” to encrypt everything on the Internet.

We're committed to securing the Internet and one of our big initiatives is giving every customer with a domain name on our system or transferred to us, a free Alpha certificate. Along with SSL certificates, what else is GlobalSign doing to help customers recognise the threats and take action?

GlobalSign has launched several initiatives to encourage the use of security and SSL best practices. All our SSL Certificates include a phishing detection service throughout the lifetime of the Certificate. We help customers avoid SSL/TLS vulnerabilities on their web servers via our free SSL checker by detecting implementation errors and providing remediation tips. Beyond the certificates themselves, we are also heavily involved in defining regulations and driving the adoption of PKI security standards across a number of industries.

We also want to make security as visible as possible, and include a free clickable site seal with all our SSL Certificates so website owners can show their customers that they care about their security and privacy.

For those not wise to PKI security standards; the Public Key Infrastructure (PKI) is the set of policies and procedures that maintain secure ecommerce and Internet security. They stress the importance of authentication, i.e., verifying the identity of users and machines.

The protection your SSL certificates offer against phishing could deter Google from declaring sites unsafe for visitors and penalising, or even blacklisting them. One of the big reasons we partnered with GlobalSign is the fact that you're the only Certificate Authority that provides detection of phishing attacks. How do you detect the attacks and what should a user do if they receive an alert?

We operate phishing checks on all certificate orders, using knowledge that we have built from years of operating in the industry. To take this security one step further, we have also partnered with leading Internet Security Service Provider Netcraft to offer professionally validated alerts so customers are made aware of any attacks detected on their website. Timely notification is key so the pages can be taken down before the company reputation suffers. Our alert notifications provide customers with remediation steps so that website owners can regain control of their compromised site before more harm is done.

In a recent post, I highlighted the importance of using SHA-2 SSL certificates, and that Google is already posting alerts on sites displaying the soon to be redundant SHA-1. You’ve been championing this for over a year, would you explain what the issue is with SHA-1?

As computing power increases and with recent advances in cryptographic attacks, the security algorithms used for encryption must also be updated to keep providing the same level of security. Some researchers have predicted that SHA-1 algorithms could be cracked in just a few years from now. Although this is based on calculations with a number of unknown variables, this still shows that we should migrate sooner rather than later. Especially as attacks on SHA-1 could have significant consequences, as we learnt from MD5.

We made SHA-2 options available to our customers early on and now offer them by default in order to encourage best practices across the board. From a user experience point of view, this is becoming all the more important as browsers are downgrading websites that utilise SHA-1 Certificates.

I think Google’s alert messages are a gutsy move; there’s a chance that when it declares a website broken, the user will assume the fault is with the browser and go elsewhere. Do you think users really understand what these alert messages mean and are there more things that we can do to spread the word?

Browser warnings are becoming more prominent and display clearer information as to the risks associated with by-passing them. Browsers play a key role in getting the information across to the end users, and we are glad to see an alignment between browsers and CAs in promoting the best level of online security.

We’re only offering SHA-2 but we’ve received requests from users with SHA-1 SSL certificates wanting to upgrade. Is it a simple procedure?

We’ve wanted to make it really easy for customers to upgrade. This can be done through a simple reissuance of their current certificate. Most importantly we do this for free so there is no obstacle for customers when it comes to utilising up-to-date security. The SSL checker tool can also be used to help identify the SHA-1 culprits, and prioritise replacements.

You referred to MD5; if I understand correctly, MD5 was an early cryptographic hash function, typically used to verify data integrity. It showed weaknesses in the mid-90s and was replaced by SHA-1.

Will SHA-2 SSL certificates become vulnerable as cryptographic attacks become stronger?

In the same way that we had to move to SHA-1, now SHA-2, we can presume that that we will also have to move away from these advanced algorithms to stronger ones as computers' processing speeds become ever faster. It’s important to know however that as of today, no cryptographic weakness has been found in SHA-2. But the industry’s focus will always be to stay ahead of the threats.

So, SHA-3 is still a work in progress? When do you see it rolling out and what will be improved?

The choice of algorithm is always about finding the right balance between security and compatibility. The National Institute of Standards and Technology (NIST) is already working on the next generation SHA-3 algorithm. It is currently under review and will most likely become the next standard when SHA-2 reaches the end of its lifecycle. But it will be some time before we see widespread adoption, so users should not delay and move to SHA2 immediately.

Google, will look favourably at sites with HTTPS and possibly improve page ranking. With website owners desperate to get to the top of page one in search results, do you see other search engines adopting the same policy?

Google has always been guarded when it comes to revealing the algorithms used to determine search rankings. The fact that they announced that SSL security is utilised as a ranking signal is a great step towards promoting security, and there is no doubt that other search engines will follow suit. We’ve already seen Google adopting search over HTTPS by default, and Bing followed shortly after.

Mozilla are also advocating the phasing out of SHA-1 but I notice they're still using a SHA-1 SSL certificate. What do you think of this mixed-message?

The downgraded user interface will mainly affect certificates with a late expiry date (post 2016). The certificate in question expires in 2015 so will naturally be renewed with a more secure algorithm. It’s also important to remember that large companies will most likely use a high volume of certificates and plan to transition in stages, prioritising certificates with an expiration in 2017 first, then 2016 and sooner.

Final question… Where do you see security going in the future? I read your blog post discussing trusted identities taking centre stage in 2015 – would you give us a synopsis.

Security affects everything and everyone. Besides SSL by default, we’re also going to see a boost in authentication solutions, as too many breaches keep reminding us that username and password combinations are not enough.

The Internet of Things (aka Internet of Everything) is bringing exciting developments but also new requirements, whereby all things – from smart cities to smart appliances now require trusted identities.

In this context, identity will become a collaboration enabler in addition to a security requirement. Identity and access management (IAM) solutions will remain critical to business processes and expand to the extended enterprise.

We’ll continue to help our partners and customers meet the new requirements with high Public Key Infrastructure (PKI) and Identity Access Management (IAM) services that safeguard security and enhance productivity.

Thank you Paul, highly valuable information. We’re all worried about online fraud, and this has brought about an increased awareness of Internet security and the part SSL plays – you’ve confirmed that SSL certificates are no longer a 'nice-to-have', but a 'must-have'.

GlobalSign, founded in 1996, is a provider of identity services for the Internet of Everything (IoE), mediating trust to enable safe commerce, communications, content delivery, and community interactions for billions of online transactions occurring around the world at every moment.

GlobalSign’s solutions are designed to address the massive scalability demanded by the emerging $14.4 trillion IoE market, where the ability to make secure networked connections among people, processes, data and things, will require that every “thing” has a trusted identity that can be managed. The company has offices in the U.S., Europe and throughout Asia.