SSL (Secure Sockets Layer) - это основанный на открытых ключах протокол безопасности, реализующий безопасный канал между веб-сервером и браузером пользователя. Протокол безопасности SSL широко используется в обозревателях Интернета и серверах для проверки подлинности, целостности сообщения и обеспечения конфиденциальности.

Цифровой сертификат иногда называют цифровым паспортом либо цифровым идентификатором "digital ID". Формат, набор атрибутов, определяется стандартом "Х.509". Сертификат - цифровой эквивалент пропуска служащего, паспорта или водительских прав. Сертификат и соответствующий ему секретный ключ позволяют идентифицировать их владельца всем, кому это необходимо. В Интернет сертификат служит так же, как водительские права на дороге. Серверы Интернет могут быть настроены на разрешение работы с отдельными пользователями, обладающими сертификатами. Так же и клиентские приложения могут работать только с теми серверами, сертификатам которых клиент доверяет.

Сертификаты представляют собой цифровые документы, которые позволяют и серверам, и клиентам проверить подлинность друг друга. Они необходимы для установления между сервером и браузером на компьютере клиента соединения по протоколу SSL, при котором информация передается в зашифрованном виде. Для работы протокола SSL необходимы серверный и клиентский сертификаты. Эти сертификаты могут быть получены от доверенной для обеих сторон независимой организации, называемой службой сертификации.

Сертификаты сервера позволяют пользователю подтвердить подлинность веб-узла. Сертификат сервера содержит подробные сведения для идентификации: название организации, связанной с содержимым сервера, название организации-поставщика сертификата, а также открытый ключ, используемый для установления зашифрованного соединения. Эти сведения служат для пользователей гарантией подлинности содержимого веб-сервера и целостности системы безопасности подключения HTTP.

Стандартный сертификат, обеспечивающий SSL-защиту Вашего сервера и безопасные коммуникации с клиентами домена, делает практически невозможным перехват и просмотр Вашего трафика благодаря 128 битному, 56 битному либо 40 битному шифрованию в зависимости от возможностей браузера клиента. С другой стороны 128-битный Суперсертификат, всегда обеспечивает качественную 128 битную криптозащиту для всех версий браузеров, что гарантирует максимально-доступную на сегодняшний день степень электронной защиты Ваших данных и данных Ваших клиентов.

Можно разрешить пользователям обмениваться с сервером частными сведениями, например номерами кредитных карт или телефонами, безопасным путем с помощью шифрования. Шифрование "перемешивает" информацию перед ее пересылкой, дешифрование - расшифровывает ее после получения. Основанием для этого шифрования является протокол SSL, который обеспечивает безопасный способ установления зашифрованного соединения с пользователями. SSL подтверждает подлинность содержимого веб-сервера и пользователей, пытающихся получить доступ к веб-сервера.

Сертификаты включают ключи, используемые при установке безопасного соединения по протоколу SSL. Ключ представляет собой уникальное значение, используемое для проверки подлинности сервера и клиента при установлении соединения SSL. Открытый ключ и закрытый ключ образуют пару ключей SSL. Веб-сервер использует пару ключей для установления безопасного соединения с браузером клиента для определения уровня шифрования, необходимого для безопасной связи.

Для такого типа соединения необходимо, чтобы веб-сервер и браузер пользователя были оснащены совместимыми системами шифрования и дешифрования. В процессе обмена создается ключ шифрования (или ключ сеанса). Ключ сеанса используется как сервером, так и браузер для шифрования и дешифрования передаваемых данных.

Возможности цифровых сертификатов обуславливаются их криптозащитой: специальная математическая технология обеспечивает не только шифрование, но и аутентификацию данных (так называемый механизм «цифровой подписи»). При этом используется так называемый «механизм двойного ключа». В процессе сертификации на вашем сервере генерируются и размещаются два многоразрядных числа, связанных между собой специальной математической закономерностью. Одно из этих чисел -- секретный ключ -- недоступен ни для кого. Второе -- открытый ключ -- напротив, свободно раздается всем желающим установить безопасное соединение с вашим сайтом. Математическая связь между ключами такова, что информация, зашифрованная открытым ключом, может быть расшифрована только с помощью закрытого ключа, и наоборот. Поэтому клиент отправляя вам свои данные, может быть уверенным, что никто (включая его самого) не сможет прочитать пакет на пути к получателю. При отправке информации (например, веб-страницы) от сервера клиенту та шифруется уже секретным ключом. Если открытым ключом удалось расшифровать полученный пакет, то это означает, что отправителем является держатель соответствующего секретного ключа. Такой режим работы называют еще цифровой подписью данных.

Разумеется, как было уже отмечено выше, весь процесс использования ключей и шифрования происходит без участия пользователя, в автоматическом режиме. Технология «двойного ключа» обладает рядом преимуществ по сравнению с традиционными криптосистемами. На основе технологии двойного ключа основаны не только серверные SSL, но и другие сертификаты Thawte, как корпоративного, так и персонального пользования, например, сертификаты для электронной почты.

Важнейшей характеристикой любой криптосистемы является ее стойкость -- способность противостоять взлому в течение определенного времени. Исследуя шифровальный алгоритм, используемый в сертификатах Thawte, математическими методами можно определить приблизительное количество операций, которые необходимо проделать для «вскрытия» кода без знания ключа. Зная быстродействие современных компьютеров, легко вычислить и время, которое понадобится злоумышленнику на преодоление защиты. С ростом длины используемого ключа, измеряемой обычно в битах, сложность взлома резко возрастает. Достаточно сказать, что в проекте distributed.net для исследования одного из подобных алгоритмов с открытым ключом мобилизовано несколько десятков тысяч персональных компьютеров по всему миру, однако на раскрытие единственного ключа длиной 56 бит ушло 250 суток, а ключ длиной 64 бита остается не раскрытым с 1997 года.

В системах, использующих сертификаты Thawte, сегодня применяются ключи длиной 128 бит, причем Суперсертификаты делают шифрование с такой длинной ключа доступным даже для старых международных версий браузеров, криптовозможности которых были снижены из-за экспортных ограничений.

В протоколе SSL для шифрования информации, отправляемой клиенту, при каждом сеансе связи генерируется еще один -- сеансовый -- ключ. Это дополнительно повышает безопасность соединения: даже если бы постороннему и удалось раскрыть ключ текущего сеанса, то, во-первых, после этого ему пришлось бы преодолеть еще и криптозащиту основного сертификата, а, во-вторых, в следующем сеансе ключ будет уже другой.

Следует различать понятия «электронная подпись» и «цифровая подпись». Под электронной подписью обычно понимают любую информацию, пригодную для идентификации ее создателя -- например, файл с отсканированным факсимиле, звукозапись голоса, HTTP-запрос и т.п. Таким образом, электронная подпись не обязана содержать каких-либо средств ее защиты от подделки, являясь понятием скорее юридическим, нежели техническим. В частности, принятый в США в 2000 году закон регулирует применение именно электронных подписей.

Цифровая подпись, напротив, подразумевает применение криптотехнологий для ее защиты от подделки и от искажения данных, к которым она относится. Сертификаты Thawte могут применяться в системах цифровой подписи, обеспечивая именно такую защиту информации.

If you are interested in gaining a practical understanding of how to secure your site with a SSL certificate, downloading our Trial Certificate is a great way to get started. This certificate will give you an opportunity to experience the certificate installation process as well as determine your required server configuration. test a SSL certificate on Your site today 21day free trial

The Starter PKI program from thawte has been developed for companies with a need to secure multiple domains or host names. This guide will introduce you to the Program by explaining how it works and its benefits. We will also point you to a dummy company on our web site where you can ?test drive? the Program. Finally, you'll find out how to enroll and the costs involved.

If you are currently using a non-Thawte or non-VeriSign SSL certificate, make sure you check out the special discounts which are available to you. (Please note that this offer excludes VeriSign customers.)

The thawte SGC SuperCert in action

thawte has been issued a license by the US Bureau of Export Administration (BXA), allowing the issue of certificates that enable 128-bit SSL sessions in older browsers* that are usually restricted to 40/56-bit encryption. The difference between SGC SuperCerts and normal SSL Web Server certificates is that whenever one of these older browsers connects to a site that has a SGC SuperCert installed, the SSL session will be automatically 'stepped-up' to 128-bits, instead of being negotiated at an encryption level that the browser has been defaulted to (40/56 bits).

* (IE 4.X or Netscape 4.06 and later)

Certificate Signing Request (CSR) File

The process of applying for a thawte signed digital certificate begins with the generation and submission of a Certificate Signing Request (CSR) file. thawte then verifies your identity, and when satisfied, signs that request file, using the trusted thawte CA root key, and issues it to you as your certificate.

Valid certificate

When we issue your certificate it will contain two critical pieces of information. The first is the "Distinguished Name", which is a set of values that describes your country, state or province, city or town, organization, division within that organization and your web server domain name. The second is your public key.

Keys

Session keys are made up of a public key (issued to you with your SGC SuperCert) and randomly selected private keys created by each browser when it connects to your server. Session keys are used to encrypt and decrypt data (transmitted to and from the server) after the initial browser/server 'handshake'. (A session key is not your Server Certificate key, which is either 1024-bit, or 512-bit).

Compatible web servers

All browsers from IE 4.x or Netscape 4.06 and later should work well with the SGC SuperCert. Please note that the SGC SuperCert is chained therefore please check that your web server supports Certificate chaining.

Upgrading Browsers

Those running 3.x generation browsers can upgrade their security to the same level as that supported by 4.0 generation browsers. The process takes about 2 minutes and ensures that your browser works with the tens of thousands of thawte certified secure servers out there. You only need to do this once for your browser to be updated permanently!

There are many Certification Authorities (CAs) currently offering digital certificates, each with various certificate products. For the first time user of digital certificates it is often difficult to make an informed purchase decision. Equally, experienced users may not have a full understanding of certain finer points relating to the products that are available on the market.

We aim to provide impartial advice on how to approach the purchase of SSL certificates while at the same time clarifying certain issues relating to the product and industry which are often misunderstood. Our hope is that you find the information provided of assistance in making the right purchase for your business and security needs.

1. When do you need to use a digital certificate?

Securing transmission of financial information in ecommerce is currently the major application of SSL certificates. However, with incidence of identity theft on the rise, protection of personally identifiable information is becoming ever more important. This category of data would include identity and social security numbers, as well as e-mail addresses.

So, if you are handling financial transactions on your web site, there is no question that SSL certificates are required. If you are managing sensitive customer data, the use of SSL certificates is worth serious consideration – especially if customer/member security and privacy is high on your list of priorities.

2. Why use a digital certificate? p>There are two main reasons why you should make use of a digital certificate:

1. To prove your company's (or your server's) identity online and in so doing create a sense of trust and confidence in using your web site.
2. To offer protection of the data submitted to your web site (or between servers) through the use of encryption. Should any information be intercepted, it will be unintelligible without the unique key used for decryption.

When evaluating a certificate product, make sure it delivers on each of these requirements.

3. What level of authentication does the certificate offer?

In securing your web site with a digital certificate, your main aim is to provide proof of your online identity and in so doing establish a relationship of trust with those with whom you wish to interact online. This is where authentication comes into play as the most important element of a digital certificate.

Authentication provides users with proof that:

1. your company is a bona fide real world company.
2. they are connecting to the correct server

A certificate's level of authentication may be seen as an indication of its quality – the higher the level of authentication provided, the greater the quality of the certificate. It is therefore important to understand that the various digital certificates available each differ in level of authentication depending on the issuing CA or even the specific product.

Some CAs perform only very basic authentication prior to issuing a certificate while others conduct extensive checks to ensure the identity of the applying organization. The following are the various authentication checks that are performed by CAs:

• Domain lookup to confirm that applying company owns domain.
• Check existence of company to confirm that it is a legally registered organization.
• Verification of identity of individual requesting certificate to confirm that they are an authorized representative.

All CAs performs one or more of these authentication checks. The result is a range of products of greatly differing levels of quality. It is important to note that the more authentication checks performed the better the quality of the certificate. So make sure you determine exactly what authentication checks are performed before purchasing.

4. What does it mean to be WebTrust compliant?

A number of CAs have achieved WebTrust compliance mainly as it is now a Microsoft requirement that a CA complete a WebTrust for Certification Authorities audit, in order to have their root certificates included in Windows XP / Internet Explorer. But it is important to understand exactly what this certification implies. WebTrust does not set standards for CAs, nor does it monitor or regulate any existing standards.

WebTrust compliance tells you nothing about the quality of the authentication on offer – it merely confirms that the CA in question adheres to their own stated policies and procedures for authentication. What this means is that WebTrust compliance unfortunately does not provide a useful basis for comparison between CAs.

5. What is the strength of a certificate? (what is SGC technology)

The encryption strength of a digital certificate is determined by the level of encryption supported by the browser used to connect to a web site and the server where the web site resides. This means that users may connect at 40-bit, 56-bit or 128-bit depending on the browser version they are using.

Most digital certificates function in this way – providing encryption at a strength supported by the browser and server. It is important to understand this distinction as many CAs promote their certificates as 128-bit when in fact they will support sessions of varying encryption strength (128-bit being the strongest possible level of encryption).

In the past, legislation of the United States government prevented the export of 128-bit encryption technology. The result of this was the creation of the so called “export” browser versions which were restricted to 40-bit and 56-bit encryption capabilities. These browsers were distributed outside of the United States for many years and were even downloaded by US based users. In 1997, the US government repealed its ban on 128-bit encryption. Today however, there are still significant numbers of export version browsers in use, mainly internationally but also in the United States.

Digital certificates have been developed that provide 128-bit encryption for browsers which are defaulted to 40-bit or 56-bit encryption – the so called “export” browser versions which include IE 5.01 and Netscape 4.7x and later . These certificates include technology known as Server Gated Cryptography (SGC) which automatically steps-up these browsers to the 128-bit encryption level. Only a handful of CAs supply these certificates, so if you require the 128-bit encryption step-up capability, make sure you ask for SGC technology.

6. What is the product for you?

There are various factors which will influence your choice of digital certificate.

Firstly, you need to consider the sensitivity of data that is to be secured. It makes sense that highly confidential personal and financial as well as critical business information demand the highest levels of authentication and encryption. Alternatively, some may argue that there are other applications that do not require these stringent security measures. The bottom line is that you need to categorize the various types of data you manage according to their importance to your business and select a digital certificate for the task at hand.

In certain countries there is now legislation which governs the level of encryption required for data protection. This type of legislation is normally developed for data intensive industries where security and privacy is a major concern such as financial services or health care. Typically, companies are required to guarantee that they protect data with 128-bit encryption – a requirement which determines the use of a specific type of digital certificate. In this case digital certificates which are able to step-up to 128-bit encryption are the product of choice.

Geographic location of your customer/user base is also an important consideration. The reason for this is that certain older browser versions which still exist in significant numbers internationally do not automatically support 128-bit encryption, only 40-bit and 56-bit. Typically, these are the so-called “export” browsers which where made available outside of the United States for many years. It is also worth noting that users in the United States have also downloaded these export browsers from non-US websites. So, if you are conducting business online outside of the US and 128-bit encryption is important to you, step-up SGC technology is essential.

Lastly, it is worthwhile considering the duration of the project in question. Most certificates are available in one or two-year versions (or longer). If your project is planned for a longer duration, it makes sense to consider the two-year certificate option as this not only allows you to benefit from the cost savings frequently offered on these products, but also provides the added benefit of increasing convenience by reducing the frequency of engineering and admin work associated with installation during certificate renewal.

7. Can you get the after sales technical support you need?

Depending on your level of experience in working with digital certificates, you may require assistance at various stages throughout the life cycle of the product, from the initial request for a certificate to installation, renewal and possible re-issuance of a certificate if required.

Be sure to assess the support capabilities of the CAs you consider. Try to look beyond the initial sales process as it is the more unforeseen circumstances such as server migration where competent support is always the most valuable.

8. What is the track-record of the CA?

In business it is always sensible to purchase from proven, established vendors – even more so in today's high tech industry. This is especially important when purchasing security products such as digital certificates where using a trusted CA is essential for doing effective business online.

The CAs track record may provide you with some answers to other questions discussed here. For instance, the longer a CA has been in business, the more experienced and better developed their support infrastructure is likely to be.

9. Are you dealing with a root CA?

There are two types of CAs – Root CAs and Chained CAs. Root CAs have the roots for their certificates installed in the major browsers, while Chained CAs issue their certificates off a Root CAs root.

The reason for the existence of Chained CAs relates to the issue of certificate compatibility with the various browser types and versions currently used. CAs which have been in existence for longer period of time have been able to include their roots in each browser type and version that has been released over the years. Subsequently, their certificate-browser compatibility is extremely high. Newer CAs are not able to achieve this level of compatibility as they are only able to include their roots in recent browser releases and the only way for them to obtain the desired level of compatibility is to issue certificates signed with the root of a CA which already has the desired level of compatibility (this is known as “Chaining”).

The main drawback of using a Chained CAs is that they do not own, and therefore, do not control the root used to issue their certificates. From a certificate customers' perspective this may lead to potential problems as their certificates are vulnerable and may be rendered invalid should the terms of the chaining agreement break down or be affected by a change in ownership of the root.

Some Scenarios

You have a global export business that sells high value items via the Web Appropriate digital certificate: thawte's SGC SuperCert

You have a global communications business that transmits a lot of sensitive information via the Web Appropriate digital certificate: thawte's SGC SuperCert

You have a US focused business that sells low to medium value items via the Web Appropriate digital certificate: thawte's SSL Web Server certificate

You have a US focused business that sells high value items via the Web Appropriate digital certificate: thawte's SGC SuperCert*

You have a US-based company servicing the healthcare industry via the Web Appropriate digital certificate: thawte's SGC SuperCert*

*As there are still a small number of 'export' browsers active within the US itself, it would be advised to be secure with a SGC SuperCert if high value items are being sold via a web site.

thawte is now able to provide SSL certificates* to customers using Internationalized domain names.

The Internet is a tool used by more than 500 million people around the world. As the Internet grows, more and more users will prefer languages other than English. International Domain Names (IDNs) provide a convenient mechanism for users to access Websites in their preferred language. This need is reflected by the growing number of customers purchasing Internationalized Domain Names (IDNs).

thawte has always been focused on serving the International community by offering multilingual customer support in over 30 languages. thawte has now invested in aligning it’s systems to support this International strategy by enhancing these systems to be able to recognize and issue certificates that contain local language characters in all certificate fields.

With these enhancements, thawte will now also be able to issue certificates to Internationalized Domain Names.

What this means is that you can now buy an SSL123, SSL Web Server or SGC SuperCert certificate* to secure the website you have hosted on an Internationalized Domain Name. An example of the certificate content for a certificate for an IDN is shown below.

Not only will your secured Internationalized Domain content be reflected in the certificate details, but your thawte Trusted Site Seal will also reflect your local language content.