As I wrote in my last blog post, I was recently in an emerging market in South East Asia to meet with local and global banks. Not only did I uncover some interesting challenges with self-signed certificates for internal encryption, I also discovered some surprising thinking about external certificates. Even though the value of their business is based on the trust they can offer their customers, many of the banks in South East Asia do not extend that trust to their HTTPS environments.
While discussing the relative merits of machine identity management in securing keys and certificates, I learned that these banks just don't understand the concept of value in external certificates. This point was driven home to me when I learned that a major regional economic development bank was using consumer-grade DV certificates for their external web pages. That is a great example of the sort of knowledge gap that some of these banks have.
Granted, the enterprise and commercial banks are a bit better. They are using extended validation (EV) certificates from powerhouse certificate authorities. But some of the government-linked banks are just using whatever the cheapest certificates they can find are. As long as their sites show the lock icon, they're happy. They don't yet realize that there is a difference in value between the certificates they would pay for from the big players and, for example, domain-validated certificates.
First, I try to explain the value of a certificate in real terms. With a domain-validated certificate, you only need to pass a minimal level of verification: as long as the domain is owned by you and you have an email address at it, you can request one. What that really means is that anyone within your organization can request a certificate. Okay. So what if it's a rogue admin who requests the certificate? Big problem, right? What if the requestor isn't even an admin, just an employee with an email account? Or an employee whose email credentials have been hacked?
On the other hand, with an extended validation certificate, you gain the assurance that the certificate request has been run through a battery of additional checks. This process is like multi-factor authentication in that it is designed to gather in-depth information about the identity of the requester before the CA will grant them an EV certificate.
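One way a defender can tell which kind of validation a certificate actually carries, rather than trusting the lock icon, is to read its certificatePolicies extension: the CA/Browser Forum reserves the policy identifiers 2.23.140.1.1 (EV), 2.23.140.1.2.1 (DV), 2.23.140.1.2.2 (OV) and 2.23.140.1.2.3 (IV), and publicly trusted CAs put the matching one into every certificate they issue. The script below is an added example written for this post, not code from the original article or from Venafi. It assumes OpenSSL 1.1.1 or later is on the PATH, and the two certificates it inspects are self-signed test certificates it constructs itself for a fictitious bank (constructed demo data, not real bank certificates).

```shell
#!/bin/sh
# Added example: classify a certificate's validation level from the
# CA/Browser Forum policy identifiers in its certificatePolicies extension.
# Assumes OpenSSL 1.1.1+ (needed for `openssl req -addext`) is on the PATH.

# CA/Browser Forum reserved policy OIDs (Baseline Requirements / EV Guidelines).
EV_OID="2.23.140.1.1"
DV_OID="2.23.140.1.2.1"
OV_OID="2.23.140.1.2.2"
IV_OID="2.23.140.1.2.3"

# Print every policy OID in a PEM certificate, one per line.
# `openssl x509 -text` renders each entry as "Policy: <oid>" under
# "X509v3 Certificate Policies".
cert_policy_oids() {
    openssl x509 -in "$1" -noout -text | awk '/^ *Policy: /{print $2}'
}

# Map the policy OIDs to DV / OV / IV / EV. EV is checked first because a
# certificate may carry both the EV OID and a CA-specific OID; "UNKNOWN" means
# the certificate asserts none of the CA/B Forum identifiers.
classify_cert() {
    oids=$(cert_policy_oids "$1")
    if   printf '%s\n' "$oids" | grep -qx "$EV_OID"; then echo EV
    elif printf '%s\n' "$oids" | grep -qx "$OV_OID"; then echo OV
    elif printf '%s\n' "$oids" | grep -qx "$IV_OID"; then echo IV
    elif printf '%s\n' "$oids" | grep -qx "$DV_OID"; then echo DV
    else echo UNKNOWN
    fi
}

# Return 0 if the subject names an organization (O=). An EV or OV certificate
# must identify the legal entity; a DV certificate identifies only the domain.
subject_has_org() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | grep -q '^ *O='
}

# Build a self-signed test certificate (constructed demo data, not a real
# CA-issued certificate) that asserts the given policy OID.
make_demo_cert() {  # $1 output .pem, $2 subject, $3 policy OID
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -days 1 -subj "$2" -addext "certificatePolicies=$3" \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
}

# Demo: one DV-style and one EV-style certificate for a fictitious bank
# (example-bank.test is a made-up name under the reserved .test TLD).
demo() {
    dir=$(mktemp -d)
    make_demo_cert "$dir/dv.pem" "/CN=www.example-bank.test" "$DV_OID"
    make_demo_cert "$dir/ev.pem" \
        "/C=SG/O=Example Bank Ltd/CN=www.example-bank.test" "$EV_OID"
    for f in "$dir/dv.pem" "$dir/ev.pem"; do
        level=$(classify_cert "$f")
        if subject_has_org "$f"; then org=yes; else org=no; fi
        echo "$(basename "$f"): validation=$level organization_in_subject=$org"
    done
    rm -rf "$dir"
}

demo
```

Run it against your own public-facing certificates with `classify_cert www.pem` after fetching them with `openssl s_client`. Note what the demo itself shows: a self-signed certificate can assert the EV OID, so the policy identifier is only the issuer's claim. It means something only once the chain validates to a root that the browser recognises as EV-enabled for that OID, which is why an inventory check should pair the OID lookup with chain validation and with the organization fields in the subject.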
If that doesn't hit home, here's an example I use to illustrate the value of highly trusted certificates. I compare the process to going through immigration at the airport. To pass through immigration, you need a passport. To get a passport, you have to prove your identity to the passport authority: you get your picture taken, you give your thumbprints, and you submit a copy of your birth certificate to prove your citizenship. Only after a period of validation do you get your passport. International authorities will then trust your identity across borders. Even then, you may still have to validate yourself again, using facial recognition and the like.
Now, let's compare that to a form of identification that is not so widely trusted, one that is not so hard to obtain: a library card. When you go to get a library card, all you have to do is provide your name, a photo, and proof of address, and you get your card. Great. The library says it's you. So if you pass through immigration and present your library card, that should prove your identity, right? No. Immigration can't trust you on the basis of a lesser form of identification that hasn't undergone in-depth validation.
Now, let's look at this scenario in terms of certificates. A domain-validated certificate is like a library card. You did actually prove that you are you, but only in a very basic way. An EV certificate, on the other hand, is like a passport. It has gone through a much more rigorous validation, so you can trust it with a higher level of confidence. This is when eyes at the bank really start to open. Now we're talking about certificates in terms of a difference in value and quality.
Which is the type of confidence that you’d like to instill in your customers? Are you going to show them a library card or a passport?