Why GlobalSign Made the Right Move to Suspend New Certificates
By Angela West, PCWorld | Sep 8, 2011 5:00 pm PDT
When you work in computer security, reputation is everything. Certificate authority (CA) GlobalSign on Monday suspended issuance of any new certificates pending the result of an investigation into a claim by a hacker that its security had been compromised. The swift response maintains its reputation as a leading CA and positions it as a strong choice for any business looking for a CA.
What Do Certificate Authorities Do?
A certificate authority issues certificates that certify the identity of the party behind websites, code, documents, objects, email, or any other form of electronic communication or programming. The product most small businesses would be familiar with is an SSL certificate, which GlobalSign defines as “SSL/TLS encryption and identity assurance for websites”.
SSL stands for “Secure Sockets Layer” and TLS stands for “Transport Layer Security.” Both are communications protocols for secure transmission of information over the Internet, and are most commonly used to carry order, payment, and identity information. A compromise of the underlying certificate authority could mean that all of this information is also compromised, because whoever holds a fraudulently issued certificate can pose as the legitimate site. This is why GlobalSign is taking the situation very seriously and not issuing new certificates until the situation is thoroughly investigated.
A seal or sign showing that a website is protected by such a certificate usually goes hand-in-hand with the purchase of a certificate product. In a promotional video, GlobalSign describes its Website Passport and the reasons businesses should have this kind of protection on their websites.
Should I Consider a Certificate for My Website?
If you engage in any form of payment on your website, you should absolutely consider this for your business. Most certificate authorities, including GlobalSign, cite higher conversion rates as a direct result of installing a security certificate and the corresponding trust seal on a website.
According to this independent paper from Milena Head and Khaled Hassanein at the DeGroote School of Business, consumers “have significant experience in the traditional market, but may not be as familiar with or comfortable in the online marketplace. Individual consumers will differ in their ‘trusting’ personality traits and the pace at which they attain the trust required to start transacting with an online vendor.”
What Exactly Happened to Make GlobalSign Suspend New Certificates?
A hacker who goes by the handle “Comodohacker” has claimed that he has access to GlobalSign’s systems as well as those of three similar companies. He broke into another certificate authority, DigiNotar, on Monday. Due to other hacks against DigiNotar in the past, most browsers no longer accept DigiNotar certificates. According to an update given to us by Steve Waite, GlobalSign’s chief marketing officer, GlobalSign has appointed Fox-IT to help with the investigation because of Fox-IT’s previous involvement in investigating the DigiNotar hack.
Should I Be Concerned if GlobalSign Is My CA Provider?
If anything, I would be reassured if GlobalSign were my CA. They have publicly stated that they are taking the situation seriously. The reality is that certificate authorities are in the business of Internet security, and as a result are constantly defending against hackers. In addition, Comodohacker has claimed that they have access to GlobalSign’s systems, and this claim has yet to be properly verified by the company.
What Factors Should Be Considered When Choosing a CA Provider?
There are many certificate authorities out there, and choosing one over another can be difficult. There are several factors to consider when making the choice. The extent of the identity verification when the certificate is initially issued is a very important factor. Certificate authorities should not just trust the information given to them by companies, but consult third-party records such as Dun & Bradstreet for independent verification.
Cost is another factor. A bargain-basement certificate authority simply does not have the funds for the resources needed to guard against security threats. In the case of a cheap Internet security certificate, you really do get what you pay for. Most certificate authorities will offer appropriately priced solutions for smaller businesses. If the price is too low when compared to similar companies, alarm bells should go off and you should investigate further before purchasing the cheap solution.
You should also consider who will perform the installation and what it will cost. If you are not technically inclined, chances are good that the CA offers an installation service. These costs should be factored into any quotes.
Test Before You Buy
Certificate authorities will gladly give you examples of companies and websites that are using their services. Test a few of them using Chrome, Firefox, and Internet Explorer to make sure that each browser accepts the certificate. Go with the company whose certificates cause the fewest issues.
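The browser checks above, and the DigiNotar distrust mentioned earlier, both come down to one question: does the certificate chain to a root the client still trusts? The script below is an added example (not GlobalSign's, Fox-IT's, or the article's own code) that builds two throwaway root CAs and a site certificate with openssl, reads the issuer the way a buyer would when testing a reference site, and then shows the same certificate flip from trusted to untrusted once its root is no longer in the trust store. All names and hostnames are constructed.

```shell
#!/bin/sh
# Added example, not from the article: a throwaway CA and site certificate
# built with openssl, used to show that a certificate is only "trusted" while
# its root sits in the client's trust store. Dropping the root from the store
# is what browsers did to DigiNotar, and it is how a client cuts off a CA
# whose keys are believed to be compromised.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Two constructed root CAs: "Example Test Root CA" issues our site cert,
# "Other Root CA" stands in for a root the client trusts instead.
for name in "Example Test Root CA" "Other Root CA"; do
  file="$(echo "$name" | tr ' ' '_')"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$name" \
    -keyout "$file.key" -out "$file.pem" >/dev/null 2>&1
done

# Site certificate for a constructed hostname, signed by the first root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example.test" \
  -keyout site.key -out site.csr >/dev/null 2>&1
openssl x509 -req -in site.csr -CA Example_Test_Root_CA.pem \
  -CAkey Example_Test_Root_CA.key -CAcreateserial -days 30 \
  -out site.pem >/dev/null 2>&1

# issuer_of <cert.pem>: which CA signed it (the "test before you buy" check).
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# verify_chain <trust-store.pem> <cert.pem>: prints "trusted" only if the
# chain ends at a root in that store; -no-CApath keeps the system store out.
verify_chain() {
  if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

echo "issuer:       $(issuer_of site.pem)"
echo "root kept:    $(verify_chain Example_Test_Root_CA.pem site.pem)"  # trusted
echo "root dropped: $(verify_chain Other_Root_CA.pem site.pem)"         # untrusted
```

Against a live site the same issuer check is `openssl s_client -connect host:443 -showcerts` piped into `openssl x509 -noout -issuer -dates`; the verdict then depends on the trust store of each browser you test with, which is why the article suggests trying more than one.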
GlobalSign made the right choice to suspend new certificates based on Comodohacker’s threat. It put the company in front of the problem and positioned it as one that can be trusted to manage security threats properly. I would be much more concerned if a certificate authority did not show the same level of concern, or any concern at all. Comodohacker and other such threats do not diminish the role of security certificates. If anything, they illustrate the dire need for such a service, especially in today’s hacker-ridden climate.
Angela West dreams of opening a Fallout-themed pub featuring wait staff with Pip-Boys. She’s written for big insurance companies, small wildlife control businesses, gourmet food chains, and more. Follow her on Twitter at @angelawest.