Should I Be Concerned if GlobalSign Is My CA Provider?
If anything, I would be reassured if GlobalSign were my CA. They have publicly stated that they are taking the situation seriously. The reality is that certificate authorities are in the business of Internet security, and as a result are constantly defending against hackers. In addition, Comodohacker has claimed that they have access to GlobalSign's systems, and this claim has yet to be properly verified by the company.
What Factors Should Be Considered When Choosing a CA Provider?
There are many certificate authorities out there, and choosing one over another can be difficult. There are several factors to consider when making the choice. The extent of the identity verification when the certificate is initially issued is a very important factor. Certificate authorities should not just trust the information given to them by companies, but consult third-party records such as Dun & Bradstreet for independent verification.
Cost is another factor. A bargain-basement certificate authority simply does not have the funds for the resources needed to guard against security threats. In the case of a cheap Internet security certificate, you really do get what you pay for. Most certificate authorities will offer appropriately priced solutions for smaller businesses. If the price is too low when compared to similar companies, alarm bells should go off and you should investigate further before purchasing the cheap solution.
You should also consider who will be performing installation and installation costs. If you are not technically inclined, chances are good that the CA will offer an installation service. These should be factored into any quotes.
Test Before You Buy
Certificate authorities will gladly give you examples of companies and websites that are using their services. Test a few of them using Chrome, Firefox, and Internet Explorer to make sure that each browser accepts their certificate. Go with the company with the least amount of issues with their certificates.
GlobalSign made the right choice to suspend new certificates based on Comodohacker's threat. It put their company in front of the problem and positioned them as a company that could be trusted to manage security threats properly. I would be much more concerned if a certificate authority did not show the same level of concern or any concern at all. The Comodohacker and other such threats do not diminish the role of security certificates. If anything, they illustrate the dire need for such a service, especially in today's hacker-ridden climate.
Sign up for Computerworld eNewsletters.