How and when to use self-signed SSL Certificates
SSL – Secure Sockets Layer – is a vital weapon in the armoury of any organisation intent on keeping its systems safe. It is the standard for securing communication on the Internet, building cryptography into the protocol that carries the data.
On your travels through the security world, you may also have come across the best-known open library for secure communication: OpenSSL (Open Secure Sockets Layer). You may even use it within your business – but that’s probably the extent of your knowledge of its inner workings. As Steve Marquess of the OpenSSL Software Foundation himself told me recently: “It is very difficult to describe [such] cryptography succinctly for laymen”, and anyone delving into OpenSSL would no doubt swiftly agree! After all, you don’t have to understand a tool fully to use it properly. Still, more information about when to use this tool can be very helpful.
So what exactly is OpenSSL? In essence, it is an open source implementation of the SSL and TLS (Transport Layer Security) protocols – a free toolkit that ships with most installations of Mac OS X, Linux, BSD, and Unix operating systems. You can also download a binary build to run on Windows.
When do you use it? OpenSSL is all you need to create your own private certificate authority. The core library, written in C, implements the basic cryptographic functions and a range of utility functions: OpenSSL can produce message digests, encrypt and decrypt files, create digital certificates and digital signatures, and generate random numbers. It is also a command-line tool, which exposes the same capabilities as the API (application programming interface) and adds the ability to test SSL servers and clients.
Where open source falls short is in full-on market credibility and the end user’s perception of trust. Does an OpenSSL self-signed certificate carry the same weight as one issued by a trusted CA (certificate authority)? Not in commercial or financial applications. It is true that you can create and run your own self-signed certificates on a network, and for internal applications this can make good financial sense. However, if you want to create instant external customer confidence and assure your clients or end users of security, you need a certificate whose chain of trust is anchored at a publicly trusted authority.
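The private certificate authority described above, as an added example that is not from the article or from Symantec: the openssl command line creates a self-signed root, issues a server certificate under it, and then shows that only a client holding that root accepts the chain, while a client trusting some other root rejects it. The CA name, host name and directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the article: a private CA built with the openssl CLI.
# "Example Internal CA" and "intranet.example.internal" are constructed placeholders.
set -e

# make_private_ca DIR: self-signed root, then a server certificate issued by it.
make_private_ca() {
  dir="$1"
  mkdir -p "$dir"
  # 1. The root certificate signs itself; keep ca.key off every other machine.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  # 2. Server key plus a certificate signing request for the internal host.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=intranet.example.internal" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  # 3. The root signs the request; -CAcreateserial records issued serial numbers.
  openssl x509 -req -days 90 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" >/dev/null 2>&1
}

# verify_with_ca DIR: what an internal client that installed ca.crt sees.
verify_with_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# verify_as_outsider DIR: what a public browser sees. Its trust store holds
# only roots from other authorities, so the chain ends in an unknown issuer.
verify_as_outsider() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Unrelated Public Root" \
    -keyout "$1/other.key" -out "$1/other.crt" >/dev/null 2>&1
  openssl verify -CAfile "$1/other.crt" "$1/server.crt" >/dev/null 2>&1
}
```

Run `make_private_ca ./pki && verify_with_ca ./pki` to see the internal case succeed; `verify_as_outsider ./pki` returns non-zero, which is exactly the failure an external customer would hit.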
Providing such levels of assurance is Symantec’s stock in trade, with solutions that are used and embraced globally. Its Website Security Solutions deliver the assurance of industry-leading SSL certificates (including Extended Validation SSL), certificate management, vulnerability assessment, and malware scanning. What’s more, not only do these solutions help secure your site, the Norton Secured Seal and Symantec Seal-in-Search make your customers feel safe, too – all the way from search to browse to buy.
It has long been a tenet of best business practice that you only work with people you know you can trust absolutely. In the universe of online security, where so much is at stake, this holds equally true.