As more and more businesses move their transactions and interactions online, many companies chase higher profits at the expense of web security. SSL security is often the first area to get the axe. This gap is usually filled with a self-signed certificate, but here is a short guide to the risks you take on if you use one.
Many companies follow a homegrown SSL policy: they generate self-signed certificates and deploy them on both their intranet and their internet-facing sites. Worse, they train employees and clients to ignore the insecure icon in the browser's address bar. This is a very dangerous practice for a company that promises security to customers who interact or transact with it online.
Doing so puts the organization in a very vulnerable position, both with respect to security breaches and with respect to customers shying away. It also encourages dangerous browsing habits among employees and clients. IT personnel in many companies believe that a website accessed internally can never be compromised because threats always come from outside. Employees who are accustomed to ignoring insecure signs or icons in the browser do the same on public websites too. This affects the company's security at large and leaves it exposed to malware and other brand-tarnishing threats.
A compromised private key poses a big threat to the organization. A CA can revoke the certificates it has issued, but an organization cannot revoke a self-signed certificate; it can only replace it with another self-signed certificate. This inability to rapidly revoke a compromised key can open the door to major threats.
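As an added illustration (not part of the original article), here is a small Python audit over certificate data in the dict format that the standard library's ssl.SSLSocket.getpeercert() returns; it flags exactly the two problems above, a self-signed issuer and the absence of any revocation endpoint. The two sample certificates are constructed, and the host and URL names in them are placeholders.

```python
import ssl
import time


def rdn_to_dict(name):
    """Flatten the nested subject/issuer tuples of getpeercert() into a dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def audit_cert(cert, now=None):
    """Return a list of findings for one certificate; an empty list is clean."""
    now = time.time() if now is None else now
    findings = []
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    # Self-signed: the certificate vouches for itself, no CA is in the chain.
    if subject == issuer:
        findings.append("self-signed: issuer equals subject, no CA vouches for it")
    # Without OCSP or a CRL distribution point a leaked key cannot be revoked;
    # the only option left is to replace the certificate on every client.
    if not cert.get("OCSP") and not cert.get("crlDistributionPoints"):
        findings.append("no revocation endpoint (OCSP/CRL): a compromised key cannot be revoked")
    # Expired certificates are another warning users get trained to click through.
    not_after = cert.get("notAfter")
    if not_after and ssl.cert_time_to_seconds(not_after) < now:
        findings.append("expired on " + not_after)
    return findings


# Constructed sample: a homegrown self-signed intranet certificate.
SELF_SIGNED = {
    "subject": ((("commonName", "intranet.example.internal"),),),
    "issuer": ((("commonName", "intranet.example.internal"),),),
    "notAfter": "Jan  1 00:00:00 2034 GMT",
}

# Constructed sample: a CA-issued certificate that carries revocation endpoints.
CA_ISSUED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA Inc"),), (("commonName", "Example Issuing CA"),)),
    "notAfter": "Jan  1 00:00:00 2034 GMT",
    "OCSP": ("http://ocsp.example-ca.test/",),
    "crlDistributionPoints": ("http://crl.example-ca.test/issuing.crl",),
}

if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED), ("CA-issued", CA_ISSUED)):
        print(label, audit_cert(cert) or ["no findings"])
```

On a live connection made with ssl.create_default_context(), the dict from getpeercert() can be passed straight to audit_cert.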
To avoid the risks mentioned above, use SSL certificates issued by trusted brands such as DigiCert, Comodo, Entrust, etc. Certificates issued by these brands are trusted globally by all the major browsers and remove the scare from customers' minds, giving the people who access the website a sense of security. With this plan in place, the website owner at least will not be left crying foul when the website is attacked and customer credentials are compromised because of a self-signed certificate.