FAQ: SSL Basics

Questions:

What is Secure Sockets Layer (SSL)?
What encryption strength do I need for my Web site?
What is Server-Gated Cryptography (SGC)?
Is 128-bit SSL encryption really stronger than 40-bit SSL encryption?
Do VeriSign SSL Certificates work with all browsers?
Why is it important for VeriSign to verify my business identity during enrolment?
What will I need to provide in order for VeriSign to verify my business identity?
What type of documentation does VeriSign require for Extended Validation SSL Certificates?
How long does verification take?
What is Extended Validation (EV) SSL?
What is a High-Security Browser?
What is a Certification Authority (CA)?
What is a Certificate Signing Request (CSR)?
Can I secure multiple servers with a single certificate?
Can I try an SSL Certificate before purchasing?
How do I obtain a VeriSign Certificate Center Sign-In?
What is a VeriSign Certificate Center Enterprise Account?
What is a unit?
What is the VeriSign Secured Partner Programme?

Answers:

What is Secure Sockets Layer (SSL)?
The Secure Sockets Layer protects data transferred over http using encryption enabled by a server's SSL Certificate. An SSL Certificate contains a public key and a private key. A public key is used to encrypt information and a private key is used to decipher it. When a browser points to a secured domain, an SSL handshake authenticates the server and the client and establishes an encryption method and a unique session key. They can begin a secure session that protects message privacy and message integrity.

Back to Top

What encryption strength do I need for my Web site?
Best security practices are to install a unique certificate on each server and choose a True 128-bit Certificate by purchasing a Server Gated Cryptography (SGC)-enabled SSL Certificate. A unique certificate keeps your private keys protected, and an SGC-enabled certificate ensures that every site visitor, no matter what browser or operating system they use, connects at the highest level of encryption their system is capable of. You need 128-bit or better encryption if you process payments, share confidential data, or collect personally identifiable information such as National Insurance, postal address or date of birth. You need 128-bit or better encryption if your customers are concerned about the privacy of the data they send to you.

Back to Top

What is Server Gated Cryptography (SGC)?
Prior to January 2000, US government restrictions on US vendors prevented the export of "strong" cryptography. As a result, many people purchased computers with operating systems and/or used export version browsers that supported only 40- or 56-bit SSL encryption. "Server Gated Cryptography" ("SGC") was developed to enable those restricted computers and export version browsers to "step up" to 128-bit SSL encryption. Without an SGC certificate on the Web server, Web browsers and operating systems that do not support 128-bit strong encryption will receive only 40- or 56-bit encryption. Users with the following browser versions and operating systems will temporarily step up to 128-bit SSL encryption if they visit a Web site with an SGC-enabled SSL Certificate

  • Internet Explorer export browser versions from 3.02 but before version 5.5
  • Netscape export browser versions after 4.02 and up through 4.72
  • Windows 2000 systems shipped prior to March 2001 that have not downloaded Microsoft's High Encryption Pack or Service Pack 2 and that use Internet Explorer.
    (Internet Explorer browser versions prior to 3.02 and Netscape browser versions prior to 4.02 are not capable of 128-bit encryption with any SSL Certificate.)

Back to Top

Is 128-bit SSL encryption really stronger than 40-bit SSL encryption?
Absolutely. When an SSL handshake occurs between a client and server, a level of encryption is determined by the browser, the client computer operating system and in certain situations the SSL Certificate. Low-level encryption, 40- or 56-bits, is acceptable for sites with low-value information. However, a hacker with the time, tools and motivation can crack the code in a matter of minutes. High-level encryption, at 128-bits, can calculate 2 88 times as many combinations as 40-bit encryption. That’s over a trillion times a trillion times stronger. That same hacker with the same tools would require a trillion years to break into a session protected by an SGC-enabled certificate.

Back to Top

Do VeriSign SSL Certificates work with all browsers?
VeriSign® SSL Certificates work with virtually every Web browser that ever shipped and all popular Web browsers used since 1996. VeriSign SSL Certificates offer the highest browser compatibility achieved by any SSL Certificate.

Back to Top

Why is it important for VeriSign to verify my business identity during enrolment?
To protect against fraud and phishing sites, Web visitors look for evidence of encryption and third-party authentication of the Web site’s business identity. When you request an SSL Certificate or a Managed PKI for SSL account or pre-approve your organisation from within your VeriSign Certificate Center Enterprise Account, VeriSign verifies the existence of your business, the ownership of your domain name and your employment status. We may require official documentation proving your right to do business. We use the verified information to display in the address bar of high security browsers protected by Extended Validation SSL and in our VeriSign Secured Seal pop-up window.

Our authentication and verification procedures are based on years of practice authenticating commercial businesses. These procedures are audited annually by KPMG using Statement of Auditing Standard 70 Type II, established by the American Institute of Certified Public Accountants. VeriSign is a leading Certificate Authority, securing more than one million Web servers.

Back to Top

What will I need to provide in order for VeriSign to verify my business identity?
VeriSign must verify the existence of your business, the ownership of your domain name and your employment status or authority to request the SSL Certificate. We may require official documentation proving your right to do business. These may include:

  • Articles of Incorporation
  • Certificate of Formation
  • Charter Documents
  • Business Licence
  • Doing Business As
  • Registration of Trade Name
  • Partnership Papers
  • Fictitious Name Statement
  • Vendor/Reseller/Merchant Licence
  • Merchant certificate

If we cannot automatically authenticate your company's management responsibility for the domain name that the SSL certificate will be used for, we will require an authorisation letter from that domain's owner. This step prevents applicants from fraudulently or accidentally obtaining SSL Certificates for inappropriate domains.

Back to Top

What type of documentation does VeriSign require for Extended Validation SSL Certificates?
In order to issue an Extended Validation SSL Certificate, VeriSign needs to verify the legal existence of the business, right of the business to use the domain name and that the business has authorized the purchase of the certificate. VeriSign also verifies that the organizational contact identified in the certificate request is employed by the requesting business and has the appropriate authority to obtain and delegate Extended Validation SSL Certificate responsibilities before directly contacting the person to verify the order. For more information on the types of documents VeriSign can accept to validate this information, please see our Authentication Guide (PDF).

Back to Top

How long does verification take?
Processing of EV certificates generally takes 2-5 business days. Depending on the quality of information you provide and whether or not your certificates are pre-approved, it may take a bit shorter or longer to process your order. VeriSign can authenticate your organizational and contact information and store the information’s pre-approved status for future certificate requests when you purchase units using a VeriSign Certificate Center Enterprise Account. When you submit a certificate request that contains the authenticated information, VeriSign needs only to verify the domain name submitted with the certificate request. If your organization is the legal holder of the domain, the amount of time required to process your application can be significantly reduced. Processing times for Extended Validation SSL Certificates may take longer due to additional verification requirements mandated by the Extended Validation (EV) SSL Guidelines.

Back to Top

What is Extended Validation (EV) SSL?
In 2006, the CA Browser Forum, a group of leading SSL Certificate Authorities (CAs) and browser vendors, approved standard practices for certificate validation and visibility called the Extended Validation (EV) SSL Guidelines. To issue an SSL Certificate that complies with the standard, a CA must adopt the extended certificate validation practices and pass an audit. When shoppers visit a Web site secured with an EV SSL Certificate, high-security browsers will trigger the address bar to turn green and display the name of the organisation listed in the certificate as well as the Certificate Authority. The browser and the Certificate Authority control the display, making it difficult for phishers and counterfeiters to hijack your brand and your customers.

Back to Top

What is a high-security browser?
Web browsers that emerged after the development of the Extended Validation (EV) standard established by the CA/Browser forum and that were developed to recognise EV SSL Certificates are considered high-security browsers. They are designed to trigger unique visual cues to indicate the presence of an EV SSL Certificate. For instance, Internet Explorer 7 shows a green address bar and displays the name of the organisation listed in the certificate as well as the certificate’s security vendor. These displays make it easier for Web site visitors to quickly establish trust with the Web sites they visit. Microsoft® Internet Explorer 7 and Firefox 3 are examples of high-security browsers.

Back to Top

What is a Certification Authority (CA)?
When VeriSign issues an SSL Certificate, we act as a Certificate Authority (CA). VeriSign digitally signs each certificate we issue. Each browser contains a list of CAs to be trusted. When the SSL handshake occurs, the browser verifies that the server certificate was issued by a trusted CA. If the CA is not trusted, a warning will appear. When high-security browsers recognise an Extended Validation SSL Certificate, they sometimes display the name of the CA as well as the name of the Certificate owner. Because VeriSign is the most trusted and recognised CA on the Internet (see VeriSign Secured Seal Research Review (PDF)), the presence of the VeriSign name can lend an additional level of trust for site visitors. The VeriSign Trial Root CA is for testing purposes only and is not registered in any browser’s trust list.

Back to Top

What is a Certificate Signing Request (CSR)?
The CSR is a string of text generated by your server software. You provide this string of text to VeriSign during the enrolment process. To generate a CSR, you will need to know what kind of server software is running on your Web server.

Back to Top

Can I secure multiple servers with a single certificate?
The VeriSign certificate subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. When private keys are moved among servers - by disk or by network - accountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise. VeriSign’s licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing and SSL accelerators. See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations (PDF) for more information.

Back to Top

Can I try an SSL Certificate before purchasing?
You can test SSL in a pre-production test server environment with a trial SSL Certificate free for 14 days. SGC-enabled and Extended Validation SSL Certificates are not available in a trial version. Learn more about our Free SSL Trial.

Back to Top

How do I obtain a VeriSign Certificate Center Sign-In?
When you buy or renew an SSL Certificate, an account is automatically created for you. VeriSign® Certificate Center is a personalised, self-service console with complete and secure access to all certificate management functions for single or multiple certificates from a centralised location, including order status, certificate details, renewal and revocation, backups, and stored contact and payment information.

Back to Top

What is a VeriSign Certificate Center Enterprise Account?
The Enterprise Account has the same functionality as the regular VeriSign Certificate Center with added benefits for customers who purchase four or more certificates per year. With an Enterprise Account, you can purchase four or more units at a volume discount to be applied to certificates for issuance when you need them. Once you have enrolled, you can pre-approve organisational and contact information for streamlined processing of certificate requests. VeriSign® Certificate Centee Enterprise Account also provides robust reporting and audit capabilities for managing your full portfolio of certificates. Replacement certificates are free within Enterprise Accounts. Learn more about VeriSign Certificate Center Enterprise Account.

Back to Top

What is a unit?
A unit equals one certificate licence per year for any given product. The price of the unit depends on the type of SSL Certificate selected. You can combine units for multi-year validity periods and for multiple server licences. The SSL Certificate validity period begins on the day of certificate issuance, not the day of unit purchase. Units are valid for and must be redeemed within 12 months of purchase.

Back to Top

What is the VeriSign Secured Partner Programme?
Leading Web sites and software vendors are partnering with VeriSign to display a VeriSign trust mark next to sites secured by VeriSign SSL Certificates. The VeriSign Secured Partner Programme will lead to increased confidence and can be expected to enhance your site's appeal to its visitors. Any VeriSign SSL customer can elect not to participate in this programme. By default your seal preferences are set to give your site the best exposure to the online shoppers who seek out your products and services. If you would like to edit your preferences, follow these steps:

  1. Log in to manage your SSL Certificates.
  2. Search for your SSL Certificate.
  3. Choose "Set Display Preferences". Here you can untick "Include my domain in the VeriSign Secured Partner Programme".

Back to Top

Need More Info?
Call 0800 032 2101 Request information online.
Certificate Center
Sign in to VeriSign Certificate Center
Quote

We posted the VeriSign Secured Seal on the payment pages and found that completed sales rose by approximately 10 per cent in comparison to the previous week's results. Case study.


Warren Jonas,
Head of Service Management,
Opodo