VeriSign - White Paper - Securing Your Web Site For Business

Secure your Web site
with a VeriSign Server ID

A proven, low-cost solution to secure online transactions is available today. VeriSign Server IDs have earned the trust of businesses world-wide, including virtually all of the Fortune 500 companies on the Web and all of the top 40 e-commerce sites. To date, VeriSign has issued over 410,000 Server IDs. This section describes how VeriSign Server IDs work to make online transactions secure.

"VeriSign Server IDs have earned the trust of businesses worldwide, including virtually all of the Fortune 500 companies on the Web and all of the top 40 e-commerce sites."

"By checking your VeriSign Server ID, your customers can verify that the Web site belongs to you, and not an impostor. This bolsters their confidence in submitting confidential information."

With a VeriSign Server ID, you become part of the VeriSign Trust Network^SM, tapping into millions of browsers already enabled with VeriSign’s digital certificate technology. As your credibility grows, so does your potential market share.

When you secure your Web site with a Server ID, your customers are assured that your site is legitimate. Information sent either way remains private, even if intercepted. And both parties know that messages are received exactly as sent.

Present your credentials via a
VeriSign Server ID

A Server ID, also known as a digital certificate, is the electronic equivalent of a business license. Server IDs are issued by a trusted third party, called a Certification Authority (CA). VeriSign is the world's leading CA, having issued more than 410,000 Server IDs. The CA that issues a Server ID is vouching for your right to use your company name and Web address, just as the office of the Secretary of State does when it issues Articles of Incorporation. CAs can also issue digital certificates to individuals.

Before issuing a Server ID, VeriSign reviews your credentials - such as your organization's Dun & Bradstreet number or Articles of Incorporation - and completes a thorough background checking process to ensure that your organization is what it claims to be, and is not claiming a false identity. Then VeriSign issues your organization a Server ID, which is an electronic credential that your business can present to prove its identity or right to access information (see "How Digital Certificates Work" below).

A Server ID from VeriSign provides the ultimate in credibility for your online business. VeriSign's rigorous authentication practices set the industry standard. VeriSign documents its carefully crafted and time-proven practices and procedures in a Certificate Practices Statement. And VeriSign annually undergoes an extensive SAS 70 Type II audit by KPMG. (The Statement of Auditing Standard 70, SAS 70, was established by the American Institute of Certified Public Accountants to certify trusted practices.) Employees responsible for dealing with certificates undergo complete background checks and thorough training. VeriSign has achieved its unsurpassed reputation as a trusted third party by paying as careful attention to physical security as electronic security. For example, the company's 22,000-square-foot plant where keys are issued has five tiers of security, the last three requiring fingerprint identification.

VeriSign's rigorous authentication practices, leading-edge cryptographic techniques, and ultra-secure facilities are designed to maximize your confidence in our services. These practices, technology, and infrastructure are the foundation for Server IDs to secure transactions working in conjunction with your Web server.

Secure your online transactions without hardware investment

VeriSign Server IDs work in conjunction with Secure Sockets Layer (SSL) technology, which is the industry-standard protocol for secure, Web-based communications. Your Web server is ready now to work with VeriSign Secure Server IDs if it's from Apache Freeware, C2Net, IBM, Lotus, Netscape, Microsoft, OpenMarket, or dozens of other vendors.

After you install your VeriSign Server ID and you manually activate SSL, a secure communications channel is created between your server and your customer's browser. Your site can communicate securely with any customer who uses Netscape Navigator, Microsoft Internet Explorer, or most popular e-mail programs. Once activated by your Server ID, SSL immediately begins providing you with the following components of secure online transactions:

Authentication- By checking your VeriSign Server ID, your customers can verify that the Web site belongs to you, and not an impostor. This bolsters their confidence in submitting confidential information.
Message privacy- SSL encrypts all information exchanged between your Web server and customers, such as credit card numbers and other personal data, using a unique session key. To securely transmit the session key to the consumer, your server encrypts it with your public key. Each session key is used only once, during a single session (which may include one or more transactions) with a single customer. These layers of privacy protection ensure that information cannot be viewed if it is intercepted by unauthorized parties.
Message integrity– When a message is sent, the sending and receiving computers each generate a code based on the message content. If even a single character in the message content is altered en route, the receiving computer will generate a different code, and then alert the recipient that the message is not legitimate. With message integrity, both parties involved in the transaction know that what they’re seeing is exactly what the other party sent.

The diagram below illustrates the process that guarantees protected communications between a Web server and a client. All exchanges of Server IDs occur within seconds, and require no action by the consumer.

VeriSign offers you two varieties of SSL Server IDs as part of its Secure Site services. Each variety enables different levels of SSL encryption power that vary

according to the browser version used by visitors to sites secured by the Server ID.

40-bit SSL Secure Server IDs (included with VeriSign’s Secure Site and Commerce Site Services) enable 40-bit SSL sessions when communicating with export-version Netscape and Microsoft Internet Explorer Web browsers. Export-version browsers are used by over 50 percent of Internet users. 40-bit SSL is strong enough for most intranets and lower-volume Web sites. But when communicating with domestic-version Web browsers, Secure Server IDs enable super-strong 128-bit SSL encryption, the world’s most powerful. 128-bit SSL encryption has never been broken: according to RSA Labs, it would take a trillion-trillion years to crack using today’s technology.

128-bit Global Server IDs (included with VeriSign’s Secure Site Pro and Commerce Site Pro Services) automatically ensure a minimum level of 128-bit SSL encryption when communicating with both domestic and export versions of Netscape Communicator and Internet Explorer. The encryption power of 128-bit SSL Global Server IDs make them ideal for sites that exchange sensitive, personal information, such as credit card numbers, with customers. VeriSign is one of the only providers authorized by the U.S. Department of Commerce to sell 128-bit SSL IDs in the U.S.

The ultimate result of a VeriSign Server ID on your site: safe online transactions that protect customers and your business. Customers gain confidence that they are sending their personal information to a legitimate business and not an impostor. In turn, you know that your company is receiving accurate information that the customer cannot later refute.

Make online commerce easy for your customers

Installing VeriSign Server IDs not only makes e-commerce safer for your customers; it actually makes it easier to submit information, such as a credit card number, over the Internet. The Netscape Navigator and the Microsoft Internet Explorer browsers have built-in security mechanisms to prevent users from unwittingly submitting their personal information over insecure channels. If a user tries to submit information to an unsecured site (a site without a Server ID), the browsers will, by default, show a warning, which can make the purchase process seem threatening.

In contrast, if a user submits credit card or other information to a site with a valid Server ID and an SSL connection, the warning does not appear. The secure connection is seamless, making the online shopping experience more pleasant. In addition, when you install a VeriSign Server ID, the 100 million prospective customers with Microsoft and Netscape browsers are reassured that they are shopping on a secure site. Visitors can be sure that transactions with your site are secured by looking for the following cues:

The URL in the browser window displays “https” at the beginning, instead of http.
In Netscape Communicator, the padlock in the lower left corner of the Navigator window will be closed instead of open. Netscape users can also follow these steps to see what level of encryption is protecting their transactions with your site:
- Go to the Web site you want to check.
- Click the Security button in the Navigator’s toolbar. The Security Info dialog box indicates whether the Web site uses encryption.
- If it does, click the Open Page Info button to display more information about the site’s security features, including the type of encryption used.
In Internet Explorer, a padlock icon appears in the bar at the bottom of the IE window. IE users can find out a Web site’s encryption level by following these steps:
- Go to the Web site you want to check.
- Right-click on the Web site’s page and select Properties.
- Click the Certificates button.
- In the Fields box, select “Encryption type.” The Details box shows you the level of encryption (40-bit or 128-bit).