SSL Product and Features FAQ
Here are some answers to commonly asked questions. This document focuses mainly on VeriSign (Symantec) SSL. Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.[1] TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality, and message authentication codes for message integrity.

The Secure Sockets Layer (SSL) is a security protocol used by Web browsers and Web servers to help users protect their data during transfer. An SSL Certificate contains a public and private key pair as well as verified identification information. SSL Certificates are created for a particular server and domain, and are issued by a trusted, third-party Certificate Authority (CA), comparable to your passport. As the Certification Authority, the SSL Certificate vendor authenticates the identity of the purchaser and verifies the business that owns the domain. When a browser (or client) points to a secured domain, the server shares the public key with the client to establish an encryption method and a unique session key. The client confirms that it recognizes and trusts the issuer of the SSL Certificate. This process is known as the "SSL handshake" and it can begin a secure session that protects message privacy and message integrity. Read our Beginner's Guide to SSL Certificates to learn more.

Encryption is a mathematical process of coding and decoding information. Encryption ensures that information is scrambled in transit so that only the intended recipient can decode it. The number of bits (40-bit, 56-bit, 128-bit, 256-bit) tells you the size of the key. Like a longer password, a larger key has more possible combinations. In fact, 128-bit encryption is one trillion times one trillion times stronger than 40-bit encryption. At current computing speeds, a hacker with the time, tools, and motivation to attack would require a trillion years to break into a session with 128-bit encryption. SSL Certificates with server-gated cryptography (SGC) enable 128- or 256-bit encryption for over 99.9% of Internet users.

Authentication is third-party verification of a Web site's identity to establish trust. Before Web visitors share a username and password, payment information or other personal data, they need to know that they can trust the Web site requesting it. A company logo or brand name is not enough. These can be faked. To protect against fraud and phishing sites, Web visitors look for proof that your business entity and Web site are legitimate. This can be provided by a VeriSign (Symantec)® SSL Certificate. Similar to the way a government agency verifies a birth date before issuing an identification card, an SSL provider (Certificate Authority) verifies an organization's right to use a domain name and other required identification information. SSL Certificates are uniquely issued to a specific domain and Web server.

VeriSign (Symantec) SSL Certificates with additional trust features offer more than encryption and authentication for your online business. Our SSL Certificate, daily Web site malware scanning and vulnerability assessment (available with Extended Validation and Pro SSL Certificates) work together to secure your site and help defend against attacks. EV SSL Certificates provide all the benefits of the Advantage SSL Certificates while also including prominent new trust indicators like a green address bar. The VeriSign (Symantec) Trust™ Seal and Seal-in-Search™ technology help drive traffic to your site and reduce abandoned transactions by assuring your customers that your site is safe from search to browse to buy.

The VeriSign (Symantec) Trust Seal is a dynamic, animated graphic that displays on Web pages secured by VeriSign (Symantec) SSL Certificates and Web sites authenticated by VeriSign (Symantec). When users click the VeriSign (Symantec) seal, it opens a VeriSign (Symantec)-generated verification page containing information about your VeriSign (Symantec) SSL Certificate, your organization, and the status of your malware scan. The VeriSign (Symantec) seal, the most recognized trust mark on the Internet, is viewed up to 650 million times per day on over 100,000 Web sites in 165 countries and in search results on enabled browsers as well as partner shopping sites and product review pages.

VeriSign (Symantec) SSL Certificates provide more security and trust at no additional cost. An automatic vulnerability assessment (included with Extended Validation and Pro SSL Certificates) identifies the most exploitable weaknesses on your Web site. Daily Web site malware scanning (included with all VeriSign (Symantec) SSL Certificates) alerts you if your Web site is infected with malicious software. The combination helps extend security beyond https to your public-facing Web pages and reduce the risk of being blacklisted by Google or other search engines. Seal-in-Search displays the VeriSign (Symantec) Trust Seal next to your link on browsers enabled with a free plug-in as well as on partner shopping sites and product review pages. The seal differentiates your link in search and shows that malicious code has not been detected in a daily malware scan.

When a browser connects to a server, the server sends the identification information to the browser. To view a Web site's credentials, do one of the following:
- Click the closed padlock in a browser window
- Click the trust mark (such as the VeriSign (Symantec) Trust™ Seal)
- Look in the green address bar*
*Only SSL Certificates with EV trigger high-security Web browsers to display your organization's name in a green address bar and show the name of the Certificate Authority that issued it.

Most Web site users do not know which Certificate Authorities to trust so they rely on their Web browsers to help them. An SSL Certificate issued by a Certificate Authority that a Web browser does not recognize or trust will generate a security alert. As the leading Certificate Authority, VeriSign (Symantec)® SSL Certificates work with virtually all popular Web browsers used since 1996.

When you request an SSL Certificate, VeriSign (Symantec) verifies the existence of your business, the ownership of your domain name, and your employment status or authority to request the SSL Certificate. We may require official government documentation proving your right to do business. These may include:
- Articles of Incorporation
- Certificate of Formation
- Charter Documents
- Business License
- Doing Business As
- Registration of Trade Name
- Partnership Papers
- Fictitious Name Statement
- Vendor/Reseller/Merchant License
- Merchant certificate
Our authentication and verification procedures are based on more than 15 years of practice authenticating commercial businesses. These procedures are audited annually by KPMG using Statement of Auditing Standard 70 Type II, established by the American Institute of Certified Public Accountants.

VeriSign (Symantec) first tries to authenticate your company's management responsibility through publicly available domain name registration information. If we cannot automatically authenticate your domain name control, we require an authorization letter from that domain's owner. This step prevents applicants from fraudulently or accidentally obtaining SSL Certificates for domains that do not belong to them.

Authentication for new certificates could take as little as 1 hour or up to several days, depending on the verification information you provide and whether or not your certificates are pre-approved.
- If your organization is the legal holder of the domain, you can expect to receive your certificate within 1 hour of your request.
- VeriSign (Symantec)® Trust Center Enterprise Account stores pre-approved domain, organizational and contact information. When you submit a certificate request that contains the authenticated information, VeriSign (Symantec) instantly issues your certificate.
- Processing times for EV SSL Certificates may take longer due to additional verification requirements mandated by the Extended Validation (EV) SSL Guidelines.

In 2006, the CA/Browser Forum, a group of leading SSL Certificate Authorities (CAs) and browser vendors, approved Extended Validation (EV) SSL Guidelines, standard practices for certificate validation. To issue an EV SSL Certificate, a CA must adopt the EV practices and pass an audit. Browsers were enhanced to make it easy for Web site visitors to recognize the higher standard of EV SSL. A site secured by an SSL Certificate with EV triggers high-security Web browsers to display the organization’s name in a green address bar and show the name of the Certificate Authority that issued it. The browser and the Certificate Authority control the display, making it difficult for phishers and counterfeiters to hijack your brand and your customers.

In addition to our standard verification requirements, a legal opinion letter may be required to confirm that the requestor has the authority to obtain SSL Certificates on behalf of the company. The legal opinion letter also may be used to confirm the organization registration, organization address, telephone number, domain ownership, and the organization’s business status. The physical address may be confirmed by a physical site visit if necessary. Once confirmed, the requestor may purchase additional SSL Certificates based on the original letter. If a legal opinion letter cannot be obtained, our Certification Practice Statement outlines alternate authentication and verification processes.

The CSR is a string of text generated by your server software. You provide this string of text to VeriSign (Symantec) during the enrollment process to enable VeriSign (Symantec) to issue an SSL Certificate unique to your Web server. You will need to know what kind of server software is running on your Web server to generate a CSR.

Sharing certificates on multiple servers increases risk of exposure. Auditing becomes more complex, reducing accountability and control. If a private key becomes compromised, it can be difficult to trace and all servers sharing that certificate are at risk. Because sharing certificates degrades security, the VeriSign (Symantec) certificate subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased additional server licenses. VeriSign (Symantec)’s licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators.

Multi-Domain SSL certificates allow for multiple host names (i.e. domain names, or common names) to be secured via that single certificate. Each additional host name is referred to as a Subject Alternative Name (SAN). The Subject Alternative Names (SAN) extension allows one SSL certificate to be used to secure one Web server with multiple names (such as a different DNS name, IP address or URI). Securing multiple host names with one certificate is a very cost-effective way of providing SSL encryption to a number of sites, although note that all sites (or SANs) must be hosted on the same web server.
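
The CSR and Subject Alternative Name answers above can be tried from a shell. This is an added example, not part of the original FAQ or of VeriSign (Symantec)'s tooling: it generates a private key and CSR on the server itself, requests SANs in the CSR, and reads the CSR back before it is submitted. It assumes OpenSSL 1.1.1 or later (for `-addext`); the host names, organization and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: per-server key + CSR with SANs, checked before submission.
# All names below are constructed placeholders (example.com is reserved).

make_csr() {
    # $1 = output directory, $2 = common name, remaining args = extra DNS names
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done
    (
        umask 077   # the private key must be readable by its owner only
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.csr" \
            -subj "/C=US/O=Example Org/CN=$cn" \
            -addext "subjectAltName=$san" 2>/dev/null
    )
}

csr_sans() {
    # Print the DNS names requested in the CSR's SAN extension, one per line.
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -e 's/^ *//' -e 's/^DNS://'
}

csr_signature_ok() {
    # The CSR is signed with the private key; a valid signature shows the
    # requester holds the key matching the public key in the request.
    # The exit code of -verify differs between OpenSSL versions, so match text.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Demo with constructed host names: only server.csr is sent to the CA,
# server.key never leaves the machine that generated it.
tmp=$(mktemp -d)
make_csr "$tmp" www.example.com shop.example.com &&
    csr_signature_ok "$tmp/server.csr" &&
    csr_sans "$tmp/server.csr"
```

Generating the key pair separately on each server, rather than copying one key around, keeps a single compromised key from exposing every host that shares the certificate.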