"Business technology news for Europe's senior executives...."
25 May 2011

Checking Backgrounds Online


The authentication processes underpinning the issuance of online credentials are becoming increasingly important for web sites as cyber crime grows in sophistication and the Internet becomes a less trusted place.

In the 21st century, people have grown comfortable with processes designed to validate certain aspects of their backgrounds. No one expects to apply for a job, rent a flat, or procure an identity card without a reasonably thorough, albeit non-intrusive, background check. A parallel development has occurred on the Web, where the analogous processes for online businesses have changed a great deal in recent years. This evolution was required to keep pace with the increasingly sensitive information exchanged over the Web and with the threats that arose to exploit the vulnerabilities, technical and human, inherent in transacting business online. Yet few businesses or users of Web sites understand the nature of these authentication processes, or of the credentials granted to individual Web sites as a result of them: SSL certificates.

An SSL Certificate is an electronic file that binds a public key to the identity of a Web site (or, in some cases, an individual) and, together with the matching private key, enables encrypted communication with it. SSL Certificates serve as a kind of digital passport or credential. Typically the "signer" of an SSL Certificate is a Certification Authority (CA). One of the key purposes of SSL Certificates is to help assure consumers that they are actually doing business with the Web site they believe they are accessing. To validate a Web site's legitimacy, CAs perform different types of investigation (similar to background checks on individuals) before issuing a certificate. There are three commonly recognised categories of SSL authentication: domain authentication, organisation authentication, and Extended Validation (EV), and the differences in the level of security provided and the trust engendered are vitally important. Even within a level, the specific authentication process varies from CA to CA, a key reason for choosing a widely known, respected and trusted CA.

Domain Authentication

Domain authenticated certificates are the lowest form of authentication available. CAs conduct a process to verify only that the entity requesting a domain authenticated certificate either owns the requested domain or has the right to use that domain name; nothing about the organisation behind the domain is checked. They may also verify that the email address of the contact requesting the certificate is either listed in the WHOIS record for the domain or meets the CA's predetermined email alias requirements. Some leading CAs, such as VeriSign, do not offer domain authenticated SSL Certificates.

Organisation Authentication

Organisation authentication is the validation process that CAs employ for ordinary SSL Certificates. CAs begin by verifying the organisation's existence through a government-issued business credential, normally by searching government and private databases. If necessary they may request such items as articles of incorporation, business licences, and fictitious business name statements. Before issuing an SSL Certificate, CAs verify the company's identity and confirm it as a legal entity, confirm that it has the right to use the domain name included in the certificate, and verify that the individual who requested the SSL Certificate on behalf of the company was authorised to do so. It is important to note that certification practices for these certificates differ widely between CAs, so customers should establish exactly which checks are performed during authentication before purchasing a certificate.

Extended Validation (EV) Authentication

EV is the highest level of authentication available with an SSL Certificate. EV authentication adds structure and controls to the organisation authentication process. It begins with an in-depth validation of the entity's authenticity, starting with a signed acknowledgement of agreement from the corporate contact. A company registration document may also be required if the CA is unable to confirm the organisation's details through a government database, and a legal opinion letter may be requested to confirm further details about the organisation and about the corporate contact requesting the certificate. The process represents little burden for a legitimate organisation but a substantial obstacle for a fraudster.
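The three levels above leave different traces in the certificate itself, which is how a browser tells them apart. The following Go program is an added worked example, not code from the article or from any CA: it mints throwaway self-signed certificates shaped like a domain authenticated, an organisation authenticated and an EV certificate (the company name, the host www.example.com and the registration number are invented), then classifies each by reading its subject and its certificatePolicies extension. It relies only on Go's standard crypto/x509 package, on the CA/Browser Forum's EV policy identifier 2.23.140.1.1, and on the two subject attributes that only EV certificates carry, businessCategory (2.5.4.15) and jurisdictionOfIncorporationCountryName (1.3.6.1.4.1.311.60.2.1.3). A fourth sample carries the EV policy identifier without the EV subject fields, and the classifier treats it as organisation authenticated rather than trusting the label.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// The CA/Browser Forum EV policy OID and the two subject attributes only EV certificates carry.
var (
	oidEVPolicy            = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}
)

const DV, OV, EV = "domain-validated", "organisation-validated", "extended-validation"

// hasSubjectAttr reports whether the subject carries an attribute pkix.Name has no named field for.
func hasSubjectAttr(n pkix.Name, oid asn1.ObjectIdentifier) bool {
	for _, atv := range n.Names {
		if atv.Type.Equal(oid) {
			return true
		}
	}
	return false
}

// Classify reads the level off the certificate itself: no organisation means DV; an organisation
// plus the EV policy OID and the EV-only subject fields (registration number in serialNumber,
// businessCategory, jurisdiction) means EV; an EV policy OID without those fields is only OV.
func Classify(c *x509.Certificate) string {
	s := c.Subject
	if len(s.Organization) == 0 {
		return DV
	}
	evFields := s.SerialNumber != "" && hasSubjectAttr(s, oidBusinessCategory) && hasSubjectAttr(s, oidJurisdictionCountry)
	for _, p := range c.PolicyIdentifiers {
		if p.Equal(oidEVPolicy) && evFields {
			return EV
		}
	}
	return OV
}

// Sample mints a throwaway self-signed certificate shaped like a "dv", "ov" or "ev" one, or an
// "ev-claimed" one carrying the EV policy OID without the EV subject fields. All names are
// invented. certificatePolicies (2.5.29.32) is encoded by hand as SEQUENCE OF PolicyInformation.
func Sample(kind string) (*x509.Certificate, error) {
	subject := pkix.Name{CommonName: "www.example.com"}
	if kind != "dv" {
		subject.Organization, subject.Country = []string{"Example Ltd"}, []string{"GB"}
	}
	if kind == "ev" {
		subject.SerialNumber = "01234567" // company registration number
		subject.ExtraNames = []pkix.AttributeTypeAndValue{
			{Type: oidBusinessCategory, Value: "Private Organization"},
			{Type: oidJurisdictionCountry, Value: "GB"},
		}
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject, DNSNames: []string{"www.example.com"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if kind == "ev" || kind == "ev-claimed" {
		val, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{oidEVPolicy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, kind := range []string{"dv", "ov", "ev", "ev-claimed"} {
		c, err := Sample(kind)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s %-22s subject: CN=%s O=%v\n", kind, Classify(c), c.Subject.CommonName, c.Subject.Organization)
	}
}
```

Run with go run; the output lists each sample with its level and subject fields. A browser does the same reading against a certificate signed by a CA it trusts, and for EV additionally requires that the issuing root be on its list of EV-enabled roots. That trust-store step is outside this example, which is why these self-signed samples would never turn a real address bar green.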

In the past, the indicators of an SSL session, "https" in the URL or the padlock icon, were sufficient to quell most consumer fears by providing assurance that sensitive data in transit was protected by adequate encryption. But even the strongest encryption is no longer enough, because of a very different problem. Internet thieves have become adept at posing as genuine e-businesses. They purchase SSL Certificates, which unfortunately are all too readily available from CAs that perform flimsy background checks, and use them to trick customers into sending them sensitive information. That is why encryption alone is no longer enough: it does no good if the recipient of the encrypted transmission is a falsified business that proceeds to use the data for identity theft or some other form of malfeasance. How are people to know whether a Web site with which they are not familiar is legitimate? Even if a site appears to be that of a known and trusted online business, how are they to know that it is not a clone set up by a clever impostor with malicious intent? In surveys, 90% of users are unable to distinguish phishing sites from legitimate ones.

To earn trust on the Internet, a business needs a reliable way to show customers not only that their transactions are secure, but that it is a legitimate business and is who it says it is. To meet this need, CAs and browser vendors combined forces to establish the EV standard, the first fundamental change to the world's secure e-commerce backbone in more than ten years. When customers visit a Web page secured with EV, provided they are using a high-security browser, the address bar turns green and displays the verified name of the organisation. High-security browsers now make up a majority of the browsers in use today.

Fraudsters are becoming adept at mimicking almost everything about a Web site, but without the legitimate company's EV SSL Certificate there is no way for them to display its name in the address bar; the information shown there is outside their control. And they cannot obtain a legitimate company's EV SSL Certificate, because of the stringent authentication process.

Even CAs themselves must satisfy more rigorous criteria to be eligible to issue EV SSL Certificates. They must pass regular third-party WebTrust audits confirming that they meet the requirements set out in the standards of the CA/Browser Forum, a consortium of CAs and browser suppliers. This greatly reduces the chance of a feeble background check setting an impostor loose with EV.

Conclusion

One wouldn't dream of hiring an employee without a basic check of his or her background, and the authentication processes behind the issuance of SSL certificates are becoming similarly ingrained on the Web. Online consumers and other Web site users have become savvier, more sceptical and, frankly, more scared. They expect businesses to protect them, and currently 84% of them believe that businesses are not doing it well enough. The new breed of more rigorous authentication processes can go a long way towards allaying their concerns while protecting your online brand and reputation.