
Maintain DFARS compliance with S/MIME

Over the course of our ongoing S/MIME series, we’ve discussed what S/MIME is, why it’s important, and how it can protect users from certain types of email-based attacks. We’ve also discussed how it can help organizations ensure compliance with privacy and security regulations such as HIPAA.

Most people have heard of HIPAA. After all, health care is important to almost everyone. However, it’s likely that fewer have heard of the Defense Federal Acquisition Regulation Supplement, better known as DFARS. The regulation is designed to protect controlled unclassified information in non-federal systems and organizations. At its core, this is not dissimilar to what HIPAA was designed to do, except that DFARS protects national security and defense information instead of protecting

The threat of cyberattacks is very much felt by the defense industry. Defense-related intellectual property, such as designs for U.S. military equipment, is an incredibly valuable target. Government agencies have been forced to improve their cyber defense capabilities and use their considerable resources to protect against potential attacks. In response, cybercriminals have increasingly focused on defense contractors to gain access to information of strategic national importance.

While defense contractors themselves are hardly easy targets, DFARS creates actionable regulations to ensure that sensitive information is handled with proper care and security. By adding to the original Defense Federal Acquisition Regulation requiring encryption of all data at rest or in transit, DFARS creates a security baseline that all contractors must adhere to. Because email is as essential to defense contractors as it is to any other industry, effective encryption tools must be put in place before doing business with the government.

Like HIPAA, this regulation does not mandate the use of email certificates, but they are the best way to accomplish the goal. Certificate-protected emails remain encrypted from the time they leave the sender until they are opened in the recipient’s inbox, which covers the data as it is transmitted over the Internet and through any associated mail servers. In addition, emails and attachments stored on mail servers are also encrypted at rest to ensure full compliance with DFARS.

The security protocols associated with the defense industry can be challenging, but S/MIME certificates make DFARS compliance as easy as possible. With comprehensive end-to-end encryption, S/MIME ensures complete protection of critical information transmitted via email and proper compliance with federal regulations.


Why automation is important for companies that want to use S/MIME email certificates

Encryption and digital signatures are the best way to ensure the integrity and data protection of email communication. The advantages are:

  • Knowing that the email really came from the sender, including identification of the organization the sender represents
  • Being able to check that email content and attachments have not been changed after sending
  • Knowing that no one else could read the email on the mail server or while it was being sent, because it was encrypted only for the sender and recipient

These capabilities counter spear-phishing attacks such as business email compromise (BEC) and help meet a number of key global requirements including BIPR, HIPAA, the US Department of Defense DFARS and others.

By using S/MIME for encryption, both senders and recipients can use their existing S/MIME-enabled email applications with their familiar features. Alternative approaches require separate email applications or web portals with different user experiences.

It is tempting for a company to use S/MIME without automated certificate management in order to save money by having employees share the burden of certificate management. For example, Sectigo received this inquiry from a customer who was trying to use the manual management typical of S/MIME email certificates:

We deployed the secure email certificates to our end users four months ago and had difficulties deploying them. Although we created a step-by-step guide for end users to download and install their own certificates, we received numerous support requests to complete the setup. Is it possible to switch to Zero Touch to simplify the certificate management and installation process? YES!

The price of automation is a good investment: it is less than the expected cost of support calls or of the productivity lost when employees manually manage their own S/MIME certificates. It is also less than the cost of the worst case, in which employees do not use certificates at all and compliance issues follow.

Common reasons for support calls are:

  • If the new certificate is not published in the company’s global address list, senders using Outlook and ActiveSync email applications will not be able to find the recipient’s certificate required for encryption. The employee either spends a lot of time trying to figure out how to publish the certificate or the senders do not use encryption.
  • If the global address list is not used, employees must send signed emails to each other so that the senders can extract the recipients’ certificates from the signed email. This reduces effectiveness, as you cannot send an encrypted email until the recipient sends you an email first. As soon as a recipient renews a certificate, the sender is left with an older, expired certificate. Even if the parties realize that they are sending information in plain text via email, new certificate holders will have to resend signed emails to everyone who should be able to send them encrypted messages.
  • Without automation, each employee who needs an S/MIME certificate must visit a self-service web portal where they identify themselves using a shared secret, click through 5-10 screens, download the private key and certificate in a PKCS #12 file, and open the file to import the certificate to their desktop. Outlook users must then configure the program to use the newly installed certificate.
  • Every employee must back up the private encryption key manually so that it can be restored if it is accidentally destroyed. Otherwise, emails and attachments encrypted with this key cannot be decrypted. This support problem has two specific forms:
    • The employee forgets to back up the key, and if the private key is destroyed, past emails can no longer be accessed.
    • The employee saves the private key together with other data files on a USB drive. This private key is then potentially exposed to an attacker who can brute-force the encryption that protects the private key from theft.
  • To set up a mobile device, the employee must struggle to export the private key and certificate from Outlook and then transfer the file with the private key and certificate to the mobile device. There, the employee must import the private key and certificate into the email application, which leads to helpdesk calls due to the many complicated methods that vary depending on the email application.
  • Once the private key and certificate are installed on the mobile device, the employee must figure out how to configure the email application to use the newly installed certificate. This often leads to a helpdesk call.
  • When the certificate expires after 1-3 years, the employee must have sufficient knowledge to renew the certificate on multiple devices before it expires. Otherwise, all recipients will receive a notification that the digital signature is invalid.
  • After certificates are renewed, this employee’s emails on the email server are protected with different keys. Without automation, the employee must manually ensure that the entire key history is available, or some emails cannot be decrypted.

The hidden price for free DV certificates

Everything has a price, including free domain-validated (DV) certificates. In return for paying CHF / EUR 0.00, you give up your time and technical know-how, along with valuable additional functions that only a commercial DV certificate can offer.

Why do you get a certificate for free?

Here are the top three reasons why everyone, from bloggers to entrepreneurs, needs SSL on their website.

  • Security: Includes encryption between website visitors and your website
  • Trust: Website visitors are more likely to engage if they have confidence in your brand
  • Marketing: Includes improved rankings on Google and other search engines

These three reasons are important to keep in mind when deciding between free and commercial DV certificates. Remember that your future brand credibility will depend on all three of the above as we look at the benefits of each option.

Advantages of free DV SSL certificates

Free. It is hard to believe that free SSL certificates also bring the added value you expect. Free does not mean that you do not pay in some other way, for example with time spent on renewals or scripts, with missing functionality, or with missing security functions.

Fast. Because the only check required is that you control the domain name, a free DV certificate is usually issued quickly, provided you are able to receive e-mails at specially designated addresses, change your DNS records, or place special files on your website for the validation process.

Nobody loses anything; there is no “skin in the game.”

Article by John Horst, CISSP® – ISSAP®, NQV

Advantages of commercial DV-SSL certificates

Installation and support. Commercial DV certificates are supplied with technical and practical installation support. That means you don’t have to figure out terms like CSR, private keys, root certificates, and many others. With expert access, you can quickly deploy SSL to your website or application. If you experience any problems, contact a support team to guide you through the process.

Trustmark. Commercial DV certificates offer you a level of public trust called the trust seal. Seals of trust offer your website visitors more than a lock symbol in their browser by promoting that you are using a reputable company for website security. A / B split tests have shown a sales increase of up to 42% when using trust seals.

Warranty. Commercial DV certificates have guarantees that protect website owners from business losses. For just a few dollars a month, website owners reduce liability and protect themselves against financial losses caused by errors or problems related to SSL encryption.

Longer lifespan. Commercial DV certificates can be purchased for a year or two, so you spend less time ordering and providing certificates. Who would like to generate a CSR every 90 days and reinstall a free DV certificate?

Affordable protection. For only EUR 0.24 dollars [1] per day, commercial DV-SSL certificates offer the certainty, support, visitor trust, guarantees and encryption that let your website visitors transact comfortably on the Internet.

Commercially secured. Commercial DV certificates are managed by for-profit companies with teams of security researchers, proven support and protocols to ensure reliable service. You have a legitimate interest in ensuring that both your certificate and the systems that manage it are legitimate entities.

 

Certificate management tools. With commercial DV certificates, you can reissue, revoke and manage your SSL certificates via a web interface. This means that you don’t need any command line or API knowledge to perform basic tasks (as you do when using free DV certificates).

 

PCI scan. An additional bonus when choosing a Sectigo DV certificate is that these certificates include a 45-day trial version of the Sectigo PCI scan service. This tool is vital for ecommerce websites so they can meet the needs of the credit card industry.

Let’s do a quick comparison between a free DV certificate and a commercial DV certificate.

                           FREE DV         COMMERCIAL DV
Life span                  90 days         1 to 2 years
Warranty                   No              Yes
Trust logo                 No              Yes
Installation and support   No              Yes
Cert management tools      Command line    Web interface
Supported by               Donation        Reliable earnings
Costs                      Your time       $ 0.24 a day

A free DV certificate has a visible cost advantage in the short term, but has a hidden price. Adding SSL is the right step for any website, blog, or shopping cart. Choosing the right option for your DV certificate will affect your reputation, conversion rate, time, and the security of your website. After looking at the table above, it is clear that secure and free do not really go hand in hand.


How to protect yourself from a phishing attack with S/MIME

Our first S/MIME post offered a comprehensive overview of the challenges that companies face with email security, as well as an introduction to the S/MIME technology that can be used to address many of these vulnerabilities. In this post we will go into more detail about how S/MIME can be used to combat spear phishing attacks.

The term business email compromise (BEC) is well known in the cybersecurity industry, but it refers to only one type of spear phishing attack. Using fraudulent emails that pretend to come from a known or trusted sender, a spear phishing attack aims to get the victim to take an action on the attacker’s behalf.

This action can be as simple as disclosing confidential information or as complex as completing a financial transaction. What distinguishes spear phishing attacks from standard phishing attacks is that spear phishing emails are tailored to the recipient, which gives them an additional degree of apparent authenticity and makes them difficult to identify.

How do attackers make these emails appear legitimate? A variety of tactics are available to them.

  • Most of the time, the emails contain a forged header so that it looks like the message originates from within the company. As we discussed in the previous blog, these attacks usually work by spoofing the “From” field in an email. This makes it incredibly difficult for even the most conscientious employee to identify the message as fraudulent.
  • In general, the attackers try to impersonate the CEO, company president, or any other C-level executive whose authority an entry-level or mid-level employee would likely not question.
  • Detail-oriented attackers can even generate an entire fake email chain below the message to make it appear even more legitimate. And although employees should be trained to watch out for warning signs, people are fallible.

Attackers want to exploit that fallibility. When the CEO of a company asks a financial officer to make a transfer, does that employee feel comfortable raising flags? If the same email is sent to a dozen different finance professionals, will everyone be able to identify the email as fraudulent?

Only one mistake is required – an employee approving a transfer to a fraudulent account – and this money is almost certainly never going to be reclaimed. Fraudsters are smart, and any money they receive is quickly stowed away where law enforcement officials find it virtually impossible to reach.

S/MIME solves this problem in the simplest way: by making sure the true identity of the email sender is not displayed incorrectly. Without S/MIME, there is nothing – really nothing – that the average email user can look at to distinguish a real sender identity from a fake sender identity. With S/MIME, employees only need to look for the correct email signature on an incoming message to know that the sender has been verified. That doesn’t mean employees don’t have to worry anymore; it’s still important to be vigilant. Remember, one slip can be all it takes to cause a serious breach. However, S/MIME provides a way of checking the integrity of messages (and any attachments they contain) that cannot be tampered with.



Why email traffic is vulnerable without S/MIME

It is impossible to run a business without email. It is a simple fact. Companies across industries rely on e-mail as an indispensable communication method to keep employees in contact with customers, partners, providers and of course with each other.

However, email communication also has disadvantages. Messages and attachments can be spied on, modified, and forged, exposing businesses and organizations to a variety of spear phishing attacks that can result in the loss of business secrets, confidential information, or even money from corporate accounts. What’s worse, these incidents can also put companies out of compliance.

The potential for damage is very real here. According to a recent FBI report, $ 12 billion has been lost to fraud since 2013 due to 78,000 Business Email Compromise (BEC) attacks, a special form of spear phishing attack in which the victim is tricked into sending money to the spear phisher. And those are just the incidents that have been reported, suggesting that the actual number is likely to be much higher. In fact, the losses from BEC attacks are higher than with any other form of cyber-enabled crime. This is a clear indication that email security must be one of the main concerns of companies in the area of cyber security.

Spear phishing attacks come in many forms, but the most common form is to pretend to be someone in the organization – probably as a CEO, CFO, or other leader. Employees in departments such as finance or human resources may receive an email urgently requesting that a payment be processed or that confidential information be disclosed. The sender claims to be unavailable to confirm the authenticity of the request.

This may seem straightforward, but cybercriminals can be underhanded. You may have heard of typosquatting, in which criminals register domains that differ slightly from legitimate domains and set up email addresses that appear authentic at first glance. The truth is that in many cases this is not even necessary. E-mail sender addresses can be faked perfectly: the phisher simply inserts the email address that is to be displayed in the sender field at the appropriate position in the email header, and this is what the recipient is shown. Even eagle-eyed people who watch for typosquatting and other simple phishing methods may not recognize a fraudulent email if it appears to come from a legitimate source.

Don’t worry, there is good news. Over the next few weeks, the Sectigo team will break down how companies can use digital certificates to deal with these (and similar) attacks. Secure/Multipurpose Internet Mail Extensions (S/MIME) email certificate technology can solve the problems and weaknesses associated with e-mail, protecting a company from espionage and improving its employees’ protection against e-mail-based social engineering attacks. S/MIME differs from standard email protection programs such as antivirus programs in that it verifies the sender and does not simply analyze a received email for threats. It also protects the content of emails during transmission.

How does S/MIME work?

S/MIME improves the security profile of email communications in three different ways.

  • It verifies the authenticity of the sender and confirms that the sender is who they claim to be.
  • S/MIME also encrypts all content and attachments in e-mails and thus prevents malicious software from intercepting and reading the e-mail communication during transmission.
  • The protocol also ensures integrity: sent e-mails remain unchanged, which gives recipients the certainty that the messages and attachments received are identical to those sent.
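
The forged sender field and the S/MIME signature described above are both visible in a message's MIME structure. As an added example (not code from the original article), this Python triage classifies constructed sample messages by S/MIME structure and flags unsigned mail that claims an internal sender. The domain example.com, the function names and the sample messages are assumptions, and the check is structural only: cryptographic verification is left to the mail client or a CMS verifier.

```python
from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumption: placeholder for your own domain
SIGNATURE_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
PKCS7_MIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def smime_state(msg):
    """Return 'signed', 'encrypted' or 'none' from MIME structure alone (no crypto)."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # Clear-signed: readable body plus a detached PKCS #7 signature part.
        protocol = str(msg.get_param("protocol", "")).lower()
        return "signed" if protocol in SIGNATURE_PROTOCOLS else "none"
    if ctype in PKCS7_MIME_TYPES:
        smime_type = str(msg.get_param("smime-type", "")).lower()
        if smime_type == "signed-data":
            return "signed"
        if smime_type in ("enveloped-data", "authenticated-enveloped-data"):
            return "encrypted"
    return "none"


def triage(raw_message):
    """Decide what a receiving gateway does with one raw message."""
    msg = message_from_string(raw_message, policy=policy.default)
    # The From header is free text written by whoever composed the message.
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    state = smime_state(msg)
    if state == "signed":
        action = "verify"   # next step: check signature, chain and signer address
    elif state == "encrypted":
        action = "defer"    # any signature is inside the envelope; client decides
    elif domain in INTERNAL_DOMAINS:
        action = "flag"     # claims an internal sender but carries no signature
    else:
        action = "deliver"
    return {"from": address, "display": display_name, "smime": state, "action": action}


# Constructed sample messages (not real traffic; signature bytes are placeholders).
SPOOFED = """\
From: Jane Doe <ceo@example.com>
To: finance@example.com
Subject: Urgent payment
Content-Type: text/plain; charset="utf-8"

Please process this payment today. I am unavailable to confirm by phone.
"""

SIGNED = """\
From: Jane Doe <ceo@example.com>
To: finance@example.com
Subject: Q3 budget
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Budget attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""

ENVELOPED = """\
From: Jane Doe <ceo@example.com>
To: finance@example.com
Subject: Payroll
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data;
 name="smime.p7m"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
"""

EXTERNAL = """\
From: Newsletter <news@vendor.test>
To: finance@example.com
Subject: Monthly update
Content-Type: text/plain

Hello from a constructed external sender.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED), ("signed", SIGNED),
                       ("enveloped", ENVELOPED), ("external", EXTERNAL)]:
        print(label, triage(raw))
```

A "verify" result only means the message has the right shape; the signature, the certificate chain and the match between signer address and From address still have to be checked cryptographically.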

This ongoing blog series explores specific ways that companies and organizations can use S/MIME technology, including to prevent spear phishing and to comply with information security regulations such as GDPR and HIPAA. As more and more companies use this important technology, understanding the many applications helps to get a more complete picture of the value of S/MIME.


Secure your e-commerce website with Secorio

E-Commerce website owners feel the heat, because at the beginning of the Christmas season, traffic will increase significantly as people start shopping. The increase in data traffic makes e-commerce companies and their customers attractive targets for cybercriminals.

  • POS credit card readers
  • Redirected payment gateways
  • Malware-infected downloads

Credit card fraud is not a new threat to e-commerce buyers, but cardholders often don’t know how hackers use their personal information to make money. Ecommerce owners can’t ignore the fact that hackers are watching your activity, and the next target can be you. Needless to say, you are endangering your website and your business by not following the best security practices and being PCI compliant.

Point of sale credit card processing

When a card is swiped through a reader, malicious code passes the card’s details to the hackers, who have already planted malware in the machine’s checkout process.

The attackers inject the swipers with malware after studying the vulnerabilities on the website. Most attackers are well informed and have done their homework. They create a backdoor into the website, and the owner cannot see that something is wrong. The hackers will not deface the homepage of the website, but will keep a foothold there to track the activity. When data is fed in, it goes into the hands of the hacker.

Doubtful payment gateway

As mentioned above, hackers are intelligent and know how a process works. No matter how good a payment gateway is, hackers will find a way to compromise it. The hacker can clone the website’s payment gateway page so that users can tell no difference between the hacker’s page and the original website. In the end, the buyer sends the payment to the questionable gateway. Interestingly, the inventory of the e-commerce website still records the sale.

This is where PCI compliance is so important for e-commerce sites. E-commerce websites have traditionally opted for a strong firewall. So if hackers try to access your website, they will be blocked and cannot make any changes.

Virus or malware downloads

Malware attacks are not e-commerce specific; they hit everyone and every company. But a malware infection can be devastating for an e-commerce website, especially during the shopping season. Hackers are one step ahead. Once they have access to an e-commerce website, they place malicious code that infects visitors’ computers. When buyers shop, they receive malware with every click.

Google and antivirus companies can now easily identify whether malicious code is running in the background of a website. If malicious code is found, the website will be blacklisted. Users receive warnings when they visit the e-commerce website. As traffic drops, owners need to look at their website to determine the next step.

How to secure e-commerce sites

Hackers are often a step ahead of business owners and develop their strategy to avoid detection. As always, the common factor through which hackers can compromise websites is a vulnerability. These vulnerabilities could be a poor third-party CMS or an outdated patch. Therefore, make sure that you have closed these gaps on your website.

Search your website for weaknesses or signs of compromise. Note, however, that hacks are not visible in the source code: they are aimed at your customers and tend to be hidden in the website database. The best way to protect yourself is through cloud-based security with in-depth detection to protect you from all potential risks.


10 most common web application errors

The most common mistakes to avoid when developing a web application are the following:

The development of web applications is a lengthy process, since the goal from the start is a user-friendly app that also delivers high performance and web security. For all developers, the security of web applications is an area that is partly beyond the control of the creator, since it cannot even be guessed who is at the other end of the HTTP connection.

Therefore, you have to deal with many web security problems to create a safe and secure app. Some of these concerns relate to data security and the possibility that fake data may get into the database. Below are 10 of the most common vulnerabilities on the web that can be avoided.

1. Allow invalid data to enter the database

All input provided by your users must be handled with every defense in place. Failure to validate what you receive could result in you paying a high price for possible cross-site scripting, SQL injection, command injection, or a similar security threat.

2. Focus on the system as a whole

This is evident in large custom projects where a team of developers splits the work and secures different areas of the app separately. The security of the project as a whole is then not at all clear, even if the security of each individual part is first-class. Indeed, this is a common way of causing multiple submissions, which makes your data extremely vulnerable to attackers. You must therefore ensure that your app is still secure even when all components are brought together.

3. Establish personally developed security methods

Developers usually assume that they will do better with a proprietary algorithm or method. They believe that the more original it is, the safer it will be, since it is unfamiliar to hackers. In reality, however, developing your own method is not only an expensive process, but also increases the chance of creating security gaps that can be discovered very easily. Proven libraries are considered the best way to handle this.

4. Treat security as the last step

Security is not an easy thing to insert towards the end of a process. It must be built in as the basis for the entire project and should not be ignored as another function that can be developed at any time. In such scenarios, your application is prone to misconfigurations and other vulnerabilities such as SQL injections.

5. Store passwords in plain text

Internet security can be further improved by securely storing passwords. Saving passwords in plain text format is the most common and dangerous error and should be avoided. Only passwords and important data should be stored in the database.

6. Create weak passwords

As a developer, if you are concerned with the security of the app, you need to create clear rules for passwords.

7. Store unencrypted data in the database

The unencrypted storage of all important details is one of the most common mistakes in connection with data storage. As a result, user data is compromised whenever your database is compromised. If your database is under attack, encryption is considered the only way to prevent a large loss of information. All developers should take into account that hackers can attack anything that is stored online.

8. Depend on the client side

Relying heavily on client-side code means that the developer loses control of the critical functions of the app and, with it, a great deal of control over security.

9. Be too optimistic

A good developer should always be aware of the fact that developing web security is a never-ending process due to the constant possibility of vulnerabilities. Therefore, a good developer should always be ready to find and fix the bug.

10. Allow variables using the URL path name

Placing variables in the URL is a very serious mistake that anyone can make, because it can mean that files with important data that your app contains can be downloaded freely.

These common vulnerabilities on the web show that security should come first for all developers, regardless of whether they are working on a startup system or developing a large business project.
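
Mistakes 1 and 5 from the list above, shown side by side with their corrected form as an added example (not code from the original article): user input spliced into SQL text versus a parameterized query with input validation, and salted PBKDF2 password hashes in place of plain-text passwords. The table layout, the user-name rule, the iteration count and all names and passwords are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3

PBKDF2_ITERATIONS = 600_000                       # assumption: work factor for this example
USERNAME_RE = re.compile(r"[a-z0-9_.-]{3,32}")    # assumption: allowed user names


def open_store():
    """In-memory user table that holds a salt and a hash, never the password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def derive(password, salt):
    """Slow, salted hash from a proven library routine (mistakes 3 and 5)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def add_user(db, name, password):
    # Validate before the value gets anywhere near the database (mistake 1).
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("user name rejected by validation")
    salt = os.urandom(16)
    db.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
               (name, salt, derive(password, salt)))


def find_user_unsafe(db, name):
    """The mistake: input becomes part of the SQL statement itself."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(query))


def find_user(db, name):
    """The fix: the driver passes the input as data, never as SQL."""
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def check_password(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the stored and the recomputed hash.
    return hmac.compare_digest(stored, derive(password, salt))


def demo():
    db = open_store()
    add_user(db, "alice", "correct horse battery staple")   # constructed credentials
    add_user(db, "bob", "another constructed passphrase")
    hostile = "x' OR '1'='1"                                 # constructed test input
    return {
        "unsafe": find_user_unsafe(db, hostile),   # condition rewritten: every row matches
        "safe": find_user(db, hostile),            # treated as an odd name: no match
        "login_ok": check_password(db, "alice", "correct horse battery staple"),
        "login_bad": check_password(db, "alice", "wrong"),
    }


if __name__ == "__main__":
    print(demo())
```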


How do I show the customer that my website is secure?

From online shopping to managing our finances to social networking, we are completely dependent on various websites or apps.

We exchanged our “trust” for these amenities rather naively.

Would you buy products from a private person in a dark side street? Or do you trust your shopping center, which, in addition to trained security staff, also follows internal monitoring guidelines?

This is exactly what we do when we don’t check the security of a website. We are misled by fake websites that steal our private information and hard-earned money.

How can my customers determine that my website is secure and that I protect their data?

Let’s start at the top of your browser as it contains some pointers! You can see the web address in the address bar. Secure websites have an address that contains an “S” at the end of HTTP. The “S” stands for “Secure”. You also have a lock symbol in the browser. So if you see HTTPS and a padlock, the connection is encrypted and secure.

But what about the company behind the website? How do you know it’s not a criminal with a secure connection? Well, a new system makes this easy: modern web browsers display a color and the company name in the address bar so you can tell that the site is trustworthy.

This works as follows: Organizations that rely on security can have their websites checked and validated by licensed, impartial companies, the so-called Certificate Authorities. This ensures that the organization and website are trustworthy and use a secure connection. If the site passes the tests, the certification authority issues an EV SSL certificate, and only sites with these certificates are shown in color in the address bar, including the company name and address.

As with traffic signals, colors such as red and green indicate stop and go. If green, the site is safe. If red, you should not be accessing this site. Because of this verification process, criminals cannot get the certificates they need to display the colorful information in the address bar. So if you see a site with green information in the address bar, you can be sure that it is real.

If you’re just reading the news or checking the weather, security doesn’t matter. So don’t worry if there is no HTTPS, padlock or green bar. Security matters most when you send confidential information such as credit card information or passwords.

Website owners can use Code Guard to scan for malware and remove it from their website. With this tool, you can be sure that your website and your customers’ information are safe.


What does website security mean?

Website security is an important component in protecting and securing websites and servers. Websites are checked for possible vulnerabilities and malware using website security software. This software can detect and eliminate hacks, Trojans and many other threats. Website security software notifies the user when problems occur on the website and provides solutions to correct them.

Corporate networks are always at high risk of security vulnerabilities, and ensuring website security is critical. If the network is at risk, the server and website are also at risk. This could allow malware to enter the corporate network and initiate malicious activity.

Features of a good website security plan

  • Malware scan
  • Virus removal
  • Manual removal of malware and hacks
  • File change monitoring
  • Blacklist / spam monitoring
  • Blacklist removal
  • Safeguards
  • Extended DDoS mitigation
  • Web Application Firewall (WAF)
  • Content Delivery Network (CDN)
  • Site Seal

Site security issues

Your website processes customers' personal information, such as bank card and credit card details, social security numbers, and other important data. Website security issues can arise in a variety of ways:

Website source code

If the website code is not well developed, there will be many security issues. If your web servers and web apps are complex to manage, weaknesses, errors and security gaps are a sure thing. The more dynamic the website, the more opportunities there are for errors and security holes.

Site visitors access

Some websites create a space for visitor interaction, such as a chat room or another feature that makes the site more visitor-friendly. However, this increases the likelihood that the website is vulnerable. If there is a way for visitors to access corporate resources, it becomes more difficult to distinguish between legitimate and malicious visitors. Restricting or stopping unauthorized visitors is therefore a challenge.

Website Security Software

Website security software protects the website from cyber attacks. Providers use this software to deliver website security as a service, typically under a managed security model (SaaS).

Malware does not discriminate

Malware is not biased. Security attacks are automated, and all websites are vulnerable to attack. No specific websites are targeted. Website security strengthens the website's reputation and customer trust. It ensures that the website is protected from malware and that customer data is well protected.

Website security attacks are becoming more sophisticated

Hackers find new and innovative ways to attack a website. Malware is developed to identify vulnerable websites. The intensity of such malicious activity is clear: while some malicious attacks are designed to steal data, other malicious activities are meant to expand over the longer term.

Better performance

Website security software improves overall website load time. The Content Delivery Network stores the content of the website on several globally available servers.

Consistent scanning and instant malware removal

Website security ensures regular and thorough scanning of websites at the server level.

Extended security monitoring

It's not just about infection of the website itself. Website security monitors related services (DNS, SSL, WHOIS) to ensure that customers or visitors are not redirected to a malicious website, and protects customers against the disclosure of private information.

Absolute malware prevention

It blocks malware before it can infect the website. The website security system uses a Web Application Firewall (WAF) to check and verify all incoming data and ensures that malicious code is filtered out before it attacks.

Seven steps to issuing EV SSL

SSL certificates create a secure communication tunnel by encrypting data sent between a client and a server, or between two servers, to prevent cybercriminals from changing the data.

There are three standard types of SSL certificates that are issued by certification authorities: DV, OV and EV. Extended Validation (EV) SSL certificates offer the highest assurance that the domain is NOT assigned to a bad actor. When users see a green address bar or a company name next to the URL, they can see that they are in a trusted domain.

The process by which a certification authority (CA) issues an EV SSL certificate is stricter than that for DV or OV certificates. The certification authority verifies that the requesting company is a legal entity, and the validation requires sufficient disclosure of business information to perform this verification. There is an additional manual step in which the entity is contacted by phone to verify its identity. Processing can take several days, depending on the availability of the applicant during the telephone verification phase.

Before issuing an EV SSL certificate, the certification authority contacts the organization by phone to verify its identity.

Authentication process for EV certificates

EV shows users that the website has the best security measures in place to protect transactions and ensure compliance with standards and regulations.

Before issuing an Extended Validation certificate, the certification authority goes through a seven-step process based on the guidelines set by the CA/Browser Forum.

  • EV registration: Checks whether the applicant is actually an employee of the company or organization and is authorized to proceed with this certificate purchase.
  • Organization authentication: Checks government registration information to verify that the applicant organization is a legally registered entity and that it is active at the registered location.
  • Business existence: Checks whether the organization has been in existence for more than three years. Otherwise, additional documents may be required (to complicate the process for cybercriminals trying to set up shell companies to obtain EV certificates).
  • Physical address: Checks whether the organization has a real physical address in its country of registration.
  • Phone verification: Checks that the organization's phone number is a working number.
  • Domain authentication: Checks whether the organization is the legal owner of the domain being registered.
  • Final review call: The CA calls the applicant organization's contact to review the EV application.

Given the scrutiny and disclosure of information this involves, it is statistically far more likely that cybercriminals will apply for DV or OV certificates than undergo the verification process to acquire an EV certificate.

While no Certificate Authority can detect the “intent” of an organization requesting an SSL Certificate, the process described above strives to verify the legitimacy and authenticity of the domain at the time of issuance. EV is one of the best (visible) trust indicators today.

For more information on EV SSL certificates, contact info@secorio.com or your personal account manager at Secorio.