To gain the general trust of online consumers, many online merchants display trust-promoting seals provided by a trusted third party, or TTP. These TTPs provide the online vendors with Digital Security Certificates which ensure that the vendors comply with the strict standards set by the TTPs. This paper will give a background on how Security Certificates work, briefly discuss the features of two of the leading TTPs, and evaluate whether or not Digital Security Certificates issued by TTPs are credible sources of E-Commerce Security.
Introduction

A certificate authority (CA) is a trusted third party (TTP) that issues digital security certificates. The certificate authority issues a digital security certificate containing a public key and information about the author. The certificate authority then confirms that the digital security certificate belongs to the actual entity noted in the certificate. However, if the certificate authority is threatened, the system's entire security can be put at risk.

Digital Security Certificate Threats
To demonstrate how this might happen, this paper will make use of conventional names to represent the different parties involved. Bill, in this case the attacker, somehow manages to get a certificate authority to issue a false certificate binding Jane to the incorrect public key. Bill knows the matching private key. Once John obtains and makes use of the public key that this phony certificate attributes to Jane, the security of transactions between John and Jane can be compromised by Bill. Bill can simply decrypt John's messages, or he can trick John into accepting forged signatures from Jane.
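The scenario above, modelled as an added example that is not part of the original paper: John's signature check passes for the mis-issued certificate because the CA really did sign it. The toy unpadded RSA, the key values, the helper names and the out-of-band fingerprint comparison are all assumptions made for illustration.

```python
import hashlib

# Toy textbook RSA (no padding, Mersenne-prime moduli) used only to model
# "a CA signs a name-to-key binding". Names and keys are constructed.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def public(key):
    return {"n": key["n"], "e": key["e"]}

def fingerprint(pub):
    return hashlib.sha256(f"{pub['n']}:{pub['e']}".encode()).hexdigest()

def binding_digest(name, pub, modulus):
    data = f"{name}|{fingerprint(pub)}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def ca_issue(ca_key, name, subject_pub):
    # The CA signs whatever binding its identity check let through.
    sig = pow(binding_digest(name, subject_pub, ca_key["n"]), ca_key["d"], ca_key["n"])
    return {"name": name, "pub": subject_pub, "sig": sig}

def signature_valid(cert, ca_pub):
    # John's default check: did the trusted CA sign this exact binding?
    expected = binding_digest(cert["name"], cert["pub"], ca_pub["n"])
    return pow(cert["sig"], ca_pub["e"], ca_pub["n"]) == expected

def john_accepts(cert, ca_pub, known_fingerprint=None):
    # Optional second check (an assumption, not from the paper): compare the key
    # with a fingerprint Jane gave John through a separate channel.
    if not signature_valid(cert, ca_pub):
        return False
    return known_fingerprint is None or fingerprint(cert["pub"]) == known_fingerprint

CA = make_key(2**89 - 1, 2**107 - 1)
JANE = make_key(2**61 - 1, 2**31 - 1)
BILL = make_key(2**19 - 1, 2**17 - 1)

genuine = ca_issue(CA, "Jane", public(JANE))
misissued = ca_issue(CA, "Jane", public(BILL))   # the false binding from the text
swapped = dict(genuine, pub=public(BILL))        # key replaced without the CA

if __name__ == "__main__":
    for label, cert in [("genuine", genuine), ("misissued", misissued), ("swapped", swapped)]:
        print(label, john_accepts(cert, public(CA)),
              john_accepts(cert, public(CA), fingerprint(public(JANE))))
```

A key swapped in without the CA's involvement fails the signature check; only the certificate the CA itself mis-issued gets through, which is why the CA's issuance standards carry the whole system's security.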
To counteract this, the certificate authorities make use of accreditation schemes to ensure that their standards are kept up to par. With regard to legally binding digital security certificates, local laws and regulations are put in place to make sure that even if the security is compromised, whoever is at fault will be prosecuted. Perhaps the best way for an online consumer to determine if a digital security certificate is indeed trustworthy is to check whether that security certificate is issued by a reputable certificate authority.
Reputable certificate authorities uphold certain standards to ensure that the threat of hackers and fraudulent signatures is kept to a minimum. VeriSign and TRUSTe are two examples of reputable certificate authorities.

VeriSign

An American-based company, VeriSign operates a diverse array of network infrastructures and provides security and telecom services. Probably one of VeriSign's more popular services is their digital security certificates, which the company refers to as the 'VeriSign Secured Seal'.
According to their website, “VeriSign is the leading secure sockets layer (SSL) Certificate Authority enabling secure e-commerce and communications for Web sites, intranets, and extranets.” Whenever you sign up for an SSL certificate, VeriSign issues you a ‘VeriSign Secure Seal’ as part of their VeriSign SSL Certificate service. According to their website, “displaying the seal on your Web site can increase visitor-to-sales conversions, lower shopping cart abandonment, and result in larger average purchases.” A 2007 market share report by SecuritySpace.com determined that VeriSign and its acquisitions have a mammoth 57.6% share of the entire certificate authority market. This is proof enough that more companies trust VeriSign over other certificate authorities. VeriSign’s Web site has more of a corporate feel to it. On its Web site, VeriSign prominently displays their vast array of services. These include very detailed product descriptions, particularly to entice would-be clients into availing of their services. They also prominently display logos of various major companies that have availed of their services.
TRUSTe is an independent non-profit organization best known for its Web Privacy Seal. It runs the world’s largest privacy seal program, with more than 2,000 Web sites certified. These Web sites include the major internet portals and leading brands such as IBM, Oracle Corporation, Intuit and eBay, among others. The company states that its main objective is to establish trusting relationships between individuals and online organizations based on respect for personal identity and information in the evolving networked world.
According to their website, TRUSTe aims to “build trust and drive revenue with the TRUSTe Privacy Seals.” TRUSTe also states on their Web site that “displaying the TRUSTe seal demonstrates that your site complies with our best practices.” Some of TRUSTe’s programs include its ‘Trusted Download Program’, ‘Web Privacy Seal’, and its ‘Email Privacy Seal’. TRUSTe’s Web site takes more of a personal approach when enticing potential clients to sign up for their service. Although they also offer detailed descriptions regarding their services, the overall tone that they set is one of establishing trust between individuals and online organizations.