As I wrote in my last blog I was recently in an emerging market in South East Asia to meet with local and global banks. Not only did I uncover some interesting challenges with self-signed certificate for internal encryption, I discovered some surprising thinking about external certificates. Even though the value of their business is based on the trust they can offer their customers, many of the banks in South East Asia do not extend that trust to their HTTPS environments.
While discussing the relative merits of machine identity management in securing keys and certificates, I learned that these banks just don't understand the concept of value in external certificates. This point was driven home to me when I learned that a major regional economic development bank was using consumer-grade DV certificates for their external web pages. That is a great example of the sort of knowledge gap that some of these banks have.
Granted, the enterprise banks, the commercial banks, they are a bit better. They are using extended validation (EV) certificates from powerhouse certificate authorities. But, some of the government-linked banks are just using whatever's the cheapest certificates they can find. As long as their sites have that new lock, they're happy. So, they don’t yet realize that there's a difference between the value that you pay for those certificates from the big players, versus domain-validation certificates, for example.
First, I try to explain the value of a certificate in real terms. With a domain-validated certificate, you need to go through certain levels of verification. So, as long as domain is owned by you, you have an email address, then you can request for it. What that really means is that anyone within your organization can request a certificate. Okay. So, if it’s a rogue admin that requests the certificate? Big problem, right? What if the requestor isn’t even an admin, just an employee with an email account? Or employees with an email account that where their credentials were hacked?
On the other hand, with extended validation certificate, you gain the assurance that the certificate request has been run through a battery of additional checks. This process is like a multi-factor authentication in that it is designed to gain a depth of information about the identity of the requester before the CA will grant them an EV certificate.
If that doesn’t hit home, here’s an example I use to illustrate the value of using highly-trusted certificates. I compare the process to going through immigration at the airport. To pass through immigration you have a passport. For you to get a passport, you have to prove your identity to the passport registration authority. You get your picture taken, you imprint your thumb prints, you submit a copy of your birth certificate to prove your citizenship. Then, only after a period of validation, you get your passport. International authorities will now trust your identity across borders. Even then, you may still have to validate yourself again, using facial recognition and whatnot.
Now, let’s compare that to a form of identification that is not so widely trusted. Let’s look at a type of ID that’s not so hard to obtain. Let’s look at library cards. When you go and get a library card, all you have to do is provide your name, prior photo, and then proof of address. And then you get a library card. Great. The library says it’s you. So, now, if you pass through immigration, and you bring your library card along, that should prove your identity, right? No. The passport agency can’t trust you based on a lesser form of identification that hasn’t undergone in-depth validation.
Now, let’s look at this scenario in terms of certificates. A domain-validated certificate is like a library card. You did actually prove that you are you. But only in a very basic way. An EV certificate, on the other hand, is like a passport. It has gone through a much more rigorous validation. So, you can trust it with a higher level of confidence. This is when eyes at the bank really start to open. Now we’re talking about certificates in terms of a difference in value and quality.
Which is the type of confidence that you’d like to instill in your customers? Are you going to show them a library card or a passport?