Trust is difficult to quantify. While it is a word we are all familiar with and use practically every day, the internet provides many challenges for those of us looking to trust where we can disclose our personal information and fully understand with whom we are communicating to give that trust. Welcome to the world of certificate authorities (CAs) and internet browsers.
Google Chrome, Mozilla Firefox, Apple Safari and Microsoft Edge are the most well-known browsers we use to make purchases, view health records, pay taxes and so much more. What many users do not know is there is a system in place in which browsers trust CAs and include them in their products. This enables encrypted web connections.
Perhaps you have noticed the green lock icon in the address bar while surfing the internet. This is possible because a CA has issued a certificate to the entity controlling the website and that CA is trusted by the browser. Some degree of technical magic takes place behind the scenes where this trust is confirmed, and the lock is displayed.
Merchants need to secure their domain or site in order to collect sensitive data (payment card information or personally identifiable information) - and this is also required for compliance with key compliance mandates, such as the Payment Card Industry Data Security Standard or the General Data Protection Regulation.
How does a CA become trusted by a browser? Each browser maintains a root store policy that is publicly available on its respective company web pages. These policies outline the requirements a CA must complete to gain and maintain trust. Generally, an independent, third-party audit must be completed to confirm all the requirements have been met. Once the audit is complete without issues, the CA must apply to each browser's root store, per the inclusion requirements. Yearly audits continue to maintain trust. From the start of the process as a new CA until ultimately being added to the browser root store can take years. Trust is not easily attained. It is, however, quickly lost without diligence.
The importance of digital certificates continues to grow, as Google helps lead the push for a fully encrypted internet. Beginning this summer, the Google Chrome browser will show websites without certificates to be "Not Secure" in the address bar. If you have a website, be sure to get a digital certificate to avoid it displaying this message and likely losing trust from your users.
CAs must maintain trust with other parties as well. A community of security researchers and interested parties regularly discuss CA activities. And there are public discussion groups which address topics such as mis-issued certs, policy updates and best practices. The Mozilla Dev Security Policy group is a notable example. Through policies, browser manufacturers require that CAs follow these discussions to maintain trust. They are also required to report issues and confer about remediation steps/schedules for issues that have been identified.
The Trustwave CA story is one with a long history. It has been a trusted CA for more than 10 years. Trustwave is Webtrust audited every year. It is a founding member of the Certificate Authority/Browser (CA/B) Forum and is an active participant in industry best practice discussions.
Learn more about Trustwave digital certificates.
Frank Corday is associate product manager for SSL at Trustwave.