
How Safe is your SSL Certificate?

When protecting your web application or website, particularly if you have ecommerce functionality built into your website, serious decisions need to be made with regard to Secure Sockets Layer (SSL) certificates. There are many companies that offer this service; however, would it be safer to create your own self-signed SSL certificate rather than going with a third-party provider?

First of all, let’s examine why SSL certificates are needed in the first place. SSL certificates allow secure connections between a web browser and a web server. They are commonly installed on a web server to protect the transmission of sensitive information such as credit card transactions, logins and other instances of internet usage where private data may be used. A web browser can detect if an SSL certificate has been installed and check its authenticity. When an SSL certificate has been installed, the website address bar will display ‘https’ as opposed to the usual ‘http’ as well as a padlock in the right-hand corner. These certificates give users peace of mind that their personal information is safe.

“Self-signed SSL certificates may be a more secure option than third-party provided certificates if you can offer a physically safe environment for your own certificate and you know what you are doing. If implemented properly, self-signed SSL certificates can offer the same, if not more security. However, if not implemented properly, these certificates can pose a higher risk than a third-party provided SSL certificate,” suggested Kareem Tawansi, CEO of software development provider, Solentive Software.

If taking the path of a self-signed SSL certificate, you should first document what your organisation expects from implementing the SSL certificate and conduct a formal risk assessment.

The environment of your certificate server must also be physically secure. This means keeping the server in a secure location, in a secure room, in a secure cabinet with round-the-clock video surveillance.

“Large corporations sometimes have difficulties in maintaining security, largely due to their notoriety and as such, are more likely to be targeted by criminals. So unless your organisation or your web assets are relatively well-known, you are unlikely to be a target of someone looking to do something that they shouldn’t be,” continued Kareem.

Although there are increased administrative costs in implementing and then updating the certificate every three to five years, having your own self-signed SSL certificate allows you to have complete control over your environment, such as revoking compromised SSL certificates. A third party may not be as proactive as your own organisation in protecting your company’s sensitive information and your customers’ private information.

“If your organisation is knowledgeable on how to correctly set up a self-signed SSL certificate, I would advocate this option over one provided by a third-party,” advised Kareem.
