Ecommerce Implementation  «Prev  Next»
Lesson 9 Certificate issues
ObjectiveDescribe the issues associated with using digital certificates.

Issues Associated with Digital Certificates

A trusted third party, known as a certificate authority (CA), issues SSL certificates for domains and organizations. Before they can do so, though, they need to perform some type of verification of the site and/or organization requesting the certificate.

Modern Ecommerce Platforms and Certificate Characteristics

The characteristics for certificates have changed in various ways on modern ecommerce platforms:
  1. Absolute Proof of Identity:
    • Partially True: Certificates in the context of ecommerce usually refer to SSL/TLS certificates for secure connections. These do not directly prove the identity of the website owner. However, certificate authorities perform vetting checks, making fraudulent certificates challenging and unlikely.
    • Additional Methods: Platforms often combine certificates with other identity verification methods like domain ownership checks and government-issued ID verification for sellers.
  2. Selective Disclosure:
    • False: Modern certificates support extensions like OCSP stapling which enable the browser to verify the certificate validity without contacting the issuing authority. This improves privacy by reducing information disclosure.
    • Data Minimization: Platforms can leverage technologies like tokenization to limit the data shared between customers and merchants, improving selective disclosure.
  3. Cost:
    • Basic SSL/TLS certificates are relatively inexpensive, and many platforms offer them for free with their plans. Enterprise-grade certificates with advanced features might be more costly.
    • Alternatives: Let's Encrypt provides free, valid SSL/TLS certificates, making them widely accessible.

Overall: While certificates in ecommerce don't offer absolute guarantees, they remain crucial for building trust and securing online transactions. The caveats you mentioned are evolving with technology, and platforms implement additional measures to address them. Additionally, the specific certificates issued for ecommerce often contain embedded information like domain validation, business validation, or extended validation, providing varying levels of identity assurance.

Certificate Password Security

During the digital certificate creation, you created a pass phrase. This pass phrase is never used again unless you need to revoke the certificate. Your clients will never use it. If someone gains access to your certificate on the server, this pass phrase is only a symmetric key for encrypting the private key on the physical hard drive. It is much easier to break symmetric keys. Therefore, make sure you physically secure your server. Also, proper choice of a good password significantly raises the private key's protection level. If the key is physically copied, it is still useless without the key to decrypt and use it. It cannot be used or installed without this key. On the other hand, loss of this key compromises your own ability to use the certificate, so this information should be well protected.

Authentication, Users and Group Membership

The possibility always exists that a hacker stole files from a user's hard drive and cracked the password. This would completely invalidate a certificate. Also, average users tend to assume that a certificate is foolproof and that anyone presenting a certificate is legitimate. This is not the case.
Many e-commerce sites create specialized user groups, as well as accounts that involve user names and passwords. If you wish to authenticate users for each of these groups, certificates are not the answer. Although you can use a certificate for basic authentication and creating an SSL session, today's certificates do not contain enough information about the user to facilitate automatic group placement or user account creation. You can require that all users first establish an SSL session, then enter information. You will then have to create a separate authentication session for users to enter the group.

Selective Disclosure

Certificates do not allow selective disclosure[1] of information. In other words, there is no way to reveal only certain fields of the certificate to certain users. Currently, if you need to have a coworker retrieve your email for you, you need supply only your password. However, if you are using certificates, this legitimate activity is not feasible. Digital certificates are currently an "all or nothing" proposition. One way to get around this is the use of portable technologies, such as smart cards and similar physical storage methods. These issues with digital certificates are being addressed, but you need to be aware of the current barriers to implementation.
In the next lesson, we will discuss SSL transactions.

Digital Certificates - Quiz

Click the Quiz link below to take a multiple-choice quiz on digital certificates and CAs.
Digital Certificates - Quiz

[1]Selective disclosure: The ability to reveal only portions of a digital certificate. As yet, this is not possible in an e-commerce setting.