What's Behind the Padlock?

What's behind the A https://www PADLOCK? GRANTING A CERTIFICATE TO A COMPANY BEFORE THE SECURE SESSION REQUEST. CA CA MERCHANT The merchant creates a public and private key and sends the public key to the CA. The CA reviews the merchant's legal documents. CA CA MERCHANT The CA reviews the merchant's The CA verifies that the merchant status through online resources has the private key CA CA CERTIFICATE MERCHANT If approved and payment is received, the CA "signs" the merchant's info and public key. The CA checks the merchant's public key. ONE When visiting a website, the BROWSER browser receives the merchant's certificate and uses it to verify that the mer- chant has the key that the CA signed. TWO BROWSER The browser validates that the certificate is for the merchant and was signed by a CA on an approved list BROWSER THREE CA The browser ensures that the certificate has not ex- pired or been revoked. FOUR BROWSER The browser or application responds accordingly: For certificates that fail the above checks, it warns the end user, who can decide if they want to continue with the transaction. If the certificate passes all checks, the browser sets up a secure session, encrypt- ing all traffic between it and the merchant. It adds a padlock symbol and "https" to the URL address bar, and proceeds with the transaction. https OTHER PROCESSES 1. Before this, the merchant has to install the certificate on their servers 2. The CAs employ strict physical and cyber security measures within their operations: Restricted access Strict cyber controls ( firewalls, intrusion detection, to the physical data center etc.) to protect their signing keys https://ww If a merchant's site doesn't have a certificate, you can't be sure that you're really visiting that merchant's site. And any info you send to the site like passwords and credit card numbers will not be private, like mail- ing a postcard. If the merchant's site has a certificate but the browser validation checks fail, you should think twice about continuing with the transaction. There might be a security problem with the merchant's site, you may not be visiting the real merchant's site, or an attacker might be interfering be- tween you and the merchant. For more information go to https://casecurity.org A. CA Security COUNCIL STATUS LEGAL