• What are SSL and Digital Certificates?

    Secure Socket Layer (SSL) is a protocol developed by Netscape in 1996 which quickly became the method of choice for securing data transmissions across the Internet. SSL is an integral part of most Web browsers and Web servers and makes use of the public-and-private key encryption system developed by Rivest, Shamir, and Adleman.

    In order to make an SSL connection, the SSL protocol requires that a server should have a digital certificate installed. A digital certificate is an electronic file that uniquely identifies individuals and servers. Digital certificates serve as a kind of digital passport or credential which authenticate the server prior to the SSL session being established.

    Typically, digital certificates are signed by an independent and trusted third party to ensure their validity. The "signer" of a certificate is known as a Certification Authority (CA), such as VeriSign, thawte and GeoTrust.

  • When should SSL be used and what can it secure?

    There are two main online security problems that SSL certificates help solve:

    • Authentication - proving a company's (or server's) identity online and in so doing create a sense of trust and confidence in using a Web site.
    • Encryption - offering protection for the data submitted to a Web site (or between servers) so that in the event of interception, it will be unintelligible without the unique key used for decryption.

    Solving these security problems allows online business to protect against the following scenarios:

    • Spoofing - The low cost of Web site design and ease with which existing pages can be copied makes it all too easy to create illegitimate sites that appear to be published by established organizations. In fact, con artists have illegally obtained credit card numbers by setting up professional-looking storefronts that mimic legitimate businesses.
    • Unauthorized Disclosure - when information is transmitted "in the clear", making it possible for hackers to intercept the transmissions and obtain sensitive information from customers.
    • Data alteration - the content of a transaction can be intercepted and altered en route, either maliciously or accidentally. User names, credit card, and social security numbers as well as currency amounts; indeed any information sent "in the clear" is all vulnerable to alteration.

  • So what are the practical applications of SSL certificates?

    Firstly, looking at categories of data, the most common deployment is for securing transmission of financial information in ecommerce. However, with incidence of identity theft on the rise, protecting the transmission of a broad range of personally-identifiable information is becoming ever more important. This category of data would include identity and social security numbers, e-mail addresses and demographic information as well as account registration and login information.

    In terms of applications and protocols, SSL Certificates can be used to secure the following:

    • Web Servers
    • Mail Servers
    • Databases
    • FTP Sites
    • Internet Chat
    • NNTP

  • What are Code Signing and Digital Certificates?

    Code signing is the process of digitally signing executables and scripts using asymmetric encryption. A digital signature confirms that the software originated from the Publisher who signed it and that the code has not been altered or corrupted since it was signed.

    Asymmetric encryption uses a pair of complementary keys, the public key and the private key.As their names imply, one of the keys is intended to be kept by the Publisher while the other one is shared freely with the world. A Software Publisher uses the private key to encrypt a digital signature and the rest of the world can then use the corresponding public key to decrypt and analyze that signature. This signature includes a hash, which allows users of the software to verify that (a) the software really did come from the publisher as claimed, and (b) the software hasn't been modified since the Publisher released it. If the decryption is successful, they've successfully verified your identity.

    A digital certificate is an electronic trusted ID card which utilizes a digital signature to bind a public key together with respective user identity for the purpose of public trust. A Certificate Authority (CA) such as VeriSign creates, manages, distributes, and revokes digital certificates.

    In the real world, customers trust software they buy in a store because they can tell who published the product and can see whether the package has been opened or not. The Internet cannot offer the same security reassurance provided by shrink-wrapped software. With a Code Signing Certificate, your code will be as safe to install as it would be if you shrink-wrapped it and sold it off a store shelf.

  • When should Code Signing be used and what can it secure?

    A Code Signing Certificate is strongly recommended for any Software Publisher who plans to distribute code or content over the Internet or corporate extranets and wants to assure the integrity and authorship of that code. Code Signing is essential to the publisher's business for several reasons:

    • Builds customer confidence and trust
    • Protects your intellectual property and business reputation
    • Meets the requirements of platforms and network providers as well as business customers
    • Eliminates disruptive security alerts that might turn away customers or increase support inquiries
    • Helps increase market reach and adoption of downloadable software

    Code Signing is advantageous in either external or internal use case as long as the code runs on the client machine.

    Code signing supports your commercial sales and external distribution efforts by reassuring would-be users and buyers with the digital equivalent of shrink-wrap. It also satisfies the requirements of platforms, business customers, and partners.

    Even if you're focused only on internal distribution of code to users within your company, code signing is still important. Potential users will already know who you are but might not be able to run your code if your IT department requires all code to be signed.

  • So what are the practical applications of Code signing certificates?

    Many platforms and applications are supported including:

    • ActiveX controls
    • Kernel-mode code for the 64-bit editions of Windows@reg; Vista
    • Device drivers
    • Macros and VBA
    • Java Applets
    • MIDlet (J2ME™)
    • Plug-ins and other executables
    • Adobe® AIR™ applications