The man behind the curtain of internet security

Making a good first impression goes a long way in the world of business and for many consumers, a company’s website is the first thing they see. However, with the recent move from HTTP to HTTPS, Google has begun to label websites without an SSL certificate as “not secure” in its Chrome browser.

Ultimately this can hurt the impression a website leaves on potential customers and could even encourage them to choose a different product or service instead of yours.

To better understand the ins and outs of the current state of the certificate industry, TechRadar Pro spoke to Sectigo’s CEO Bill Holtz.

Can you speak about your business’s sales and channel growth in the past year?

This year, we brought on a veteran enterprise sales head, whose team has made a huge impact on the business in a short amount of time. Beyond our SSL certificates, we have seen adoption across all sectors, from banking to retail, for our IoT Manager and Certificate Manager platforms. Both of these solutions automate the discovery of all certificates — private CA and public (not just Sectigo-issued) — and enable companies to manage and renew ALL of their certificates from a single dashboard, helping to ensure no disruptions. Our enterprise team is also offering best-practice insight about private CA policies, adding value along the way.

Our reseller channel, which remains the company’s largest revenue stream, has been growing worldwide. We are up to 20,000 strategic partners spanning every continent. Some of our partners include BlueHost, Gandi, InternetX, NameCheap, OVH, and SSL247. We announced many new partners in March as well.

Google and other tech firms have been pushing HTTPS quite a lot in recent months. Why is this not enough for business websites and how are your EV certificates different?

Google has decided to require SSL on all pages of all websites, regardless of whether or not they take transactions or share sensitive information. Any page accessed in Chrome that does not have an SSL certificate will receive a “Not secure” warning in Chrome. It is widely believed that this warning will stifle transactions and other web site usage and will create a negative user experience. Businesses have been scrambling to implement SSL certificates to remove this message.

Sites have the opportunity to further improve the impression they make online by adopting Extended Validation (EV) SSL certificates. These certificates cause the company name to display in the address bar of desktop browsers, often in green. Research shows that site visitors viewing these “green address bars” are more inclined to believe that an online business is secure, stable, and trustworthy, with high-quality customer service. Businesses seeking to offer the best online impression can use EV certificates to help do exactly that.

How are your company's EV certificates being used to fight phishing?

EV SSL is an important component in any online business’ fight against phishing. With free Domain Validation (DV) SSL certificates now available, phishing attacks using certificates have risen exponentially as they can now display their phishing site as “Secure” in hopes that victims will think the web site is safe.

A browser’s definition of secure (which really means encrypted) is not the same as the common definition of safe. That’s why more businesses are relying on EV certificates to up their levels of both consumer protection and confidence online. To be effective, a counterfeit website needs to be as similar to the real thing as it can be - and counterfeiting websites is extremely easy. The full HTML of the site is there for the scraping, making it a very small trick to present a site that, inside the HTML display window, looks exactly like the real site in question.

By placing an identifier of the site operator’s genuine identity in the interface of the browser, EV SSL complicates the phisher’s task considerably. Only the true content of a CA’s trusted EV certificate displays adjacent to the address bar. Therefore, a phisher is forced to present a site with a clearly visible difference from the real thing. That gives the user a chance to spot the difference and know the real from the fake.
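A defender-side check that mirrors the DV/OV/EV distinction discussed above, as an added example that is not from the article or from Sectigo: it classifies a leaf certificate by the identity attributes its Subject carries, using the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. Attribute names are assumed to be OpenSSL long names, the EV attribute set follows the CA/Browser Forum EV Guidelines (which the article does not cite), and the sample certificates are constructed, not real issued certificates.

```python
"""Classify a TLS certificate as DV, OV or EV from its Subject attributes.

Added example, not Sectigo's code. 'subject' is a tuple of RDNs, each RDN a
tuple of (attribute, value) pairs, as returned by ssl.getpeercert().
"""
import socket
import ssl

# Subject attributes an EV certificate must carry (CA/Browser Forum EV Guidelines).
# Attribute names are assumed to match OpenSSL's long names as exposed by getpeercert().
EV_REQUIRED = {"organizationName", "businessCategory", "serialNumber",
               "jurisdictionCountryName", "countryName"}


def subject_attrs(cert):
    """Flatten getpeercert()-style Subject RDNs into an {attribute: value} dict."""
    attrs = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            attrs[name] = value
    return attrs


def validation_level(cert):
    """Return 'EV', 'OV' or 'DV'.

    DV: only the domain name is asserted (commonName / SAN); the CA verified
        control of the name, not who operates the site. This is the case the
        interview describes for free DV certificates on phishing sites.
    OV: organizationName present, but not the full EV attribute set.
    EV: full EV Subject attribute set present.
    """
    attrs = subject_attrs(cert)
    if EV_REQUIRED.issubset(attrs):
        return "EV"
    if "organizationName" in attrs:
        return "OV"
    return "DV"


def peer_validation_level(host, port=443):
    """Classify the leaf certificate of a live host (requires network access)."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port))
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return validation_level(tls.getpeercert())


# Constructed sample certificates in getpeercert() format (not real certificates).
DV_CERT = {"subject": ((("commonName", "login-example.test"),),),
           "subjectAltName": (("DNS", "login-example.test"),)}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "0000000"),),
                       (("countryName", "US"),),
                       (("organizationName", "Example Corp"),),
                       (("commonName", "www.example.test"),))}
```

`validation_level` only reads the Subject; it does not replace chain validation, which `create_default_context()` still performs in `peer_validation_level`.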

How are certificates being used to help secure IoT networks?

To the end customer, certificates provide the basis for strong authentication of devices on IoT networks. The Mirai botnet is an example of the problem of weak authentication provided by static credentials such as username/password authentication as well as static shared secrets burned-in at the point of manufacture. We understand that manufacturers are under pressure to get their IoT products to market quickly and for that reason we have a cloud-based issuance platform that is built with IoT in mind. There is no longer a commercial reason to forgo strong security in IoT devices.

From a supply chain perspective, it is vital to ensure that parts from source vendors are genuine. Third-party-issued certificates can replace manufacturer certificates for devices coming from untrusted manufacturing plants, or enable trust between third parties that are part of a supply chain.

How do you see the certificate industry evolving in the future?

Certificates are going everywhere. They are safe and reliable, compared to shared secrets, user IDs and passwords, and tokens. Even biometrics use certificates as the underlying technology. Certificates on the web will evolve, driven by automation and innovation that redefine prices and presumed norms. Customers will look for certificate lifecycle management from one pane of glass for all their certificates and devices. Certificates, coupled with their reputation, will become the norm — which also means that certificates used for nefarious purposes must be quickly identified and removed from service.

It’s also important to consider the role of certificates in a world of connected devices. From an end user perspective, the slow uptake of security in IoT devices has prompted governments to regulate. Nations (and more U.S. states) will follow California’s lead and enact legislation requiring security for IoT networks. This is particularly important for healthcare, transportation, energy, and manufacturing sectors, which face the highest risk. The legislation stops short of prescribing strong forms of authentication — but thankfully, consortium groups such as the Open Connectivity Foundation and AeroMACS have championed the use of strong certificate-based authentication in their best practice standards for IoT.

The bad guys are constantly evolving, warranting best-practice device provisioning and agility to swap current cryptographic algorithms with those that will supersede them in the future. This will be vital within the lifespan of the devices being deployed to customers.

At the end of the day, security will remain a layered solution, and certificates are one layer. There is no silver bullet.

Can you tell us anything about Comodo's upcoming rebranding and the future of its business?

On November 1st, 2018, Comodo CA becomes Sectigo. Our rebrand limits confusion between Comodo CA and our former parent organisation, Comodo Group, but it also signifies a new era for our company. During the past year, we have expanded beyond our digital certificate business, releasing IoT Manager, and acquiring CodeGuard, a leader in website backup and recovery. We are already building on our SSL legacy as the world’s largest commercial certificate authority, to become the world’s most trusted, innovative, customer-centric partner for protecting organizations’ identities and connected devices. We will rethink and push industry norms, delivering innovations and greater automation that help everyone — from the biggest brands to the smallest websites — secure their operations today, so that they can confidently seize the opportunities of tomorrow.

What technology has had the biggest impact on the IT industry during your 20-year career?

The web, coupled with mobile computing, has transformed IT. The access to information anytime and anywhere has changed how people think, work, play, invent, socialize, and monetize. These enablers have in turn given rise to Big Data, one-to-one marketing, cloud computing, social media, and more. These advancements have changed society, the business world, family interactions, removed barriers in commerce, and given rise to mammoth non brick-and-mortar-based enterprises. It is hard to imagine the world that was before these things.

Bill Holtz, CEO of Sectigo

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.