I EV SSL Certs l
Messaging Ecosystem Security |
Always On SSL
(Secure Sockets Layer) - Resources
Always On SSL & Perfect Forward Secrecy (March 5, 2014, Symantec
webinar with OTA & Alkmai)
Got SSL? - Chrome Dev Summit (Dec 4, 2013)
Update Facebook Implements Always On SSL (August 29,
2013 - Symantec Blog)
Trust and consumer
confidence is the foundation upon which the Internet has been built. A core
element of that confidence rests on the protection provided by SSL
certificates from trusted Certificate Authorities.
SSL/TLS (also referred to as HTTPS) delivers website
and server identity authentication as well as encryption of data in transit.
Today, it is estimated that more than 4.5 million sites are using SSL
certificates issued by Certificate Authorities to help protect web sites
sensitive information such as logins and credit card numbers.
Many organizations use the SSL/TLS protocol to encrypt
the authentication process when users log in to a website, but do not
encrypt subsequent pages during the userís session. Unfortunately this
intermittent use of SSL protection is not adequate security considering
todayís emerging online threats.
With the rise of Web 2.0 and social networking, people
are spending more time online and logged in, and they are communicating much
more than just their credit card numbers. Cybercriminals today are targeting
consumers using an attack method called sidejacking that takes advantage of
consumers visiting unencrypted HTTP web pages after they have logged into a
site. Sidejacking allows hackers to intercept cookies (typically used to
retain user specific information such as username, password, and session
data) when they are transmitted without the protection of SSL encryption.
There are several software tools written to support
sidejacking activities, but none are more infamous than Firesheep. An
extension for the Firefox Web browser developed by Eric Butler and released
in October 2010, Firesheep allow hackers with no programming skills to
easily capture usernames, passwords, browsing history, and other private
information from unsuspecting users.
Online Trust Alliance (OTA) is calling on the security,
business and interactive advertising communities to adopt Always On SSL
(AOSSL), the approach of using SSL/TLS across your entire website to protect
users with persistent security, from arrival to login to logout. Always On
SSL is a proven, practical security measure that should be implemented on
all websites where users share or view sensitive information.
Always On SSL is supported as a best practice by leading
industry players including Google, Microsoft, PayPal, Symantec, Facebook and
Twitter. Learn their stories in the OTA white paper Protecting Your Website
With Always On SSL and resources below.
OTA encourages all websites to consider implementing
Always On SSL. It is incumbent on all of us to work together to implement
web security best practices to protect consumers from harm.
RSA 2012 Presentation
SSL White Paper - Presented at RSA 2012, this
paper includes case studies
and reference implementations from Facebook, Google, PayPal and Twitter.
RSA AOSSL Session
Extended Validation SSL
News - Mozilla Supports HTTPS with Google Search
Revised August 27, 2013