Ask The Experts: SSL Certificate Management

Often considered solely at the final stages of a website launch, SSL certificates play a crucial role in protecting businesses and their customers from third-party attacks. Consolidating and centralising security protocols alongside domain name portfolios can help businesses to better protect themselves and their customers online, but there is no ‘one-size-fits-all’ approach, as Graeme McGregor, Senior Product Strategist at Com Laude explains.

What are the biggest trends and challenges at present?

When it comes to an organisation’s web presence, one size does not fit all. Every client has different needs, so it’s about tailoring rather than being transactional in the services that we provide. This applies to everything from domain name portfolio management to online brand protection, and security services such as DNS security and SSL certification.

That may come as a surprise to many businesses, as SSL certificates – more accurately transport layer security (TLS) certificates – are generally one of the last things to be considered when launching a new website. However, SSL/TLS certificates are not as simple or standardised as many people may expect, with multiple different versions available (see box).

Their role is to ensure a secure connection between the end-user and the originating server by blocking ‘man-in-the-middle’ attacks. Essentially, the protocol creates a tunnel to protect the traffic and to ensure that no one else can access the data being shared.

Such security services are critical at this time of increased phishing, traffic theft and typosquatting, and not only for websites. We’re also seeing an uptick in organisations needing certificates to protect access to virtual private networks (VPNs), as they have had to move quickly to enable remote working during the COVID-19 pandemic. SSL certification for VPNs works in the same way as for websites in that it functions by creating a tunnel to block eavesdropping by unauthorised third parties.

How do you know which level of certification to choose?

The choice of SSL certificate can depend on the website’s function or the business’s policies or industry. For ‘basic’ websites or microsites, a DV is generally sufficient; however, for anything that is transactional (whether sharing payment or personal data) an OV or EV is advisable (see box).

The biggest risk with a basic SSL certificate is that it makes a connection seem secure to the end-user (through the lock sign), but it doesn’t necessarily tell you who you are connecting to; for example, you could still be connecting to a third-party or phishing site. As the highest level of security, EV certification was generally advisable for transactional websites, as it bridged the security gap by showing not only that the connection is secure, but also that it is linking to the correct company.

Recent changes to the EV certificate have depreciated its value, however, so for many businesses and industries an OV is now sufficient.

What are the biggest challenges with implementing SSL certificates?

A business’s online presence, and thus its domain names, don’t typically sit in one place in a company. As a result, it can often be the case that the person responsible for launching a new website may not be aware that there is more than one type of SSL certificate, or hold knowledge of whether the company already has a multi-domain certificate in place. In some instances, the need for independent validation can also come as a surprise.

Before OV and EV certificates are awarded, the registry will contact the business via a publicly-listed phone number to verify that it indeed requested the approval. This isn’t something that can be managed on the day of a website launch, therefore. It has also become more challenging during COVID-19 and the rise of remote working.

We’ve been through this process with clients so many times now that we’ve designed our services to take the administrative headache out of this process. It’s important to be hands-on. So much of website work is technical and digital, but validation relies on more ‘old-fashioned’ processes, i.e. calling up a company’s reception and asking to speak to IT (OV) or HR (EV) as a means to independently verify the request.

You’d be surprised how often the certificate validation gets stuck at this point; for example, no front desk receptionist (during COVID-19), a company-wide policy never to forward calls or natural reluctance to share any corporate information over the phone. Often, we will undertake a dry run to identify such barriers and make a plan to work around them. We’ve even set up public records for organisations so that there is a publicly listed phone number for validation authorities to call.

Although it is possible to expedite the process for tight deadlines, it’s advisable to allocate enough time to manage the process comfortably. Ideally 5-10 days for OV applications and twice that for EV applications. Pre-validation reduces the time right down to typically within an hour and DVs provide a good backup in the sense that they can be obtained almost instantly.

What would be your advice to companies in this area?

Typically, businesses will use a combination of these different layers of protection to support their digital presence. However, this isn’t always by design. As a result, a company may find that it has hundreds of domains on individual certificates, which could be consolidated into one multi-domain certificate, for example. Undertaking an audit of your current web presence and the certification that is in place can provide opportunities to consolidate and centralise security protocols. Ideally, this can be scheduled to coincide with upcoming renewal deadlines.

In this day and age, it’s as important to manage your SSL portfolio as it is to manage your domain names. Taking the time to identify which certificates are in place, how they are being used and when they are due up for renewal is a critical first step. In most cases, it’s not about identifying ‘holes’ in protection as such, but rather smarter ways of managing certificates.

This includes avoiding basic errors, such as missed renewal deadlines or incomplete coverage. Online security is headline news, so if a consumer sees a security warning on a transactional site, then obviously they are going to think twice about completing a transaction. It’s easy to overlook such tasks in your day-to-day operations, so it’s important to work with a provider that will keep on top of your SSL certificates for you.

To find out more about Com Laude’s SSL Certificate Management services, please contact us.