Regulated personal data is at greater risk of being compromised
when applications aren't properly secured. Take proper measures
using these tools to protect sensitive data.
The Transport Layer Security (TLS) protocol allows applications to
communicate across a network in a way designed to prevent
eavesdropping, tampering and message forgery. It is the successor to
the Secure Sockets Layer (SSL) protocol that many of us are
TLS provides endpoint authentication and communications privacy
over the Internet using cryptography. Typically, only the server is
authenticated (i.e. its identity is ensured) while the client
remains unauthenticated; this means that the end user (whether an
individual or application, such as a Web browser) can be sure with
whom it is communicating. The next level of security—in which
both ends of the "conversation" are sure with whom they are
communicating—is known as mutual authentication. Mutual
authentication requires public key infrastructure (PKI) deployment
to clients, unless TLS-PSK or the Secure Remote Password (SRP)
protocol is used; both provide strong mutual authentication
without needing to deploy a PKI.
If you think about it, a general SSL certificate should
"prove" that you’re seeing an authentic website. The reality
is that pretty much anyone can get an SSL certificate at no cost,
without proving anything. The only validation is that the
"hostname," also known as the Fully Qualified Domain Name (FQDN),
in the certificate matches what the browser says. Spammers buy
domains and then get certificates for them, as no real validation occurs.
For example, www-paypal.com (note the dash after www) can
get an SSL certificate that will show up as valid to a user. All an
SSL certificate proves is that the URL matches the certificate.
Many people fail to carefully check that the URL is sending them
where they expect to be going, which leads to successful phishing
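The two points above, as an added example that is not part of the original article: a server-authentication check that confirms only that the FQDN in the URL appears in the certificate (so a look-alike domain validates cleanly for itself and for nothing else), and a server-side context that switches from server-only to mutual authentication. The certificate dictionary is constructed in the shape Python's ssl module returns from getpeercert(); the function names are my own.

```python
"""Hostname matching and mutual-TLS context (added example)."""
import ssl

# Constructed peer certificate in the dict shape ssl.SSLSocket.getpeercert()
# returns. The CA only checked that the requester controls www-paypal.com.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "www-paypal.com"),),),
    "subjectAltName": (("DNS", "www-paypal.com"), ("DNS", "*.www-paypal.com")),
}


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only as the whole leftmost label, never in the public suffix,
    # and it covers exactly one label (no a.b.example.com for *.example.com).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """What server authentication actually proves: the FQDN in the URL
    appears in the certificate. It says nothing about who runs the site."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback: commonName only when no SAN is present
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_matches(n, hostname) for n in names)


def server_context(mutual: bool) -> ssl.SSLContext:
    """Server-side context. mutual=False authenticates only the server;
    mutual=True also demands a client certificate chained to a CA the server
    trusts (hypothetical CA file loaded via ctx.load_verify_locations)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED if mutual else ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print(cert_matches_hostname(LOOKALIKE_CERT, "www-paypal.com"))  # True
    print(cert_matches_hostname(LOOKALIKE_CERT, "www.paypal.com"))  # False
    print(server_context(True).verify_mode == ssl.CERT_REQUIRED)    # True
```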
Extended Validation (EV) Certificates are basically SSL
certificates that require a more detailed background examination of
the requesting entity. They require establishing a legal
identity, so the applicant needs to own the domain, with all
required documents signed by an authorized official. In short, they
require the sort of procedure that an SSL certificate should
require in the first place.
OpenID is an open, decentralized, free framework for managing
your digital identity. OpenID takes advantage of already existing
internet technology (URI, HTTP, SSL, Diffie-Hellman) and builds on
the fact that people are already creating identities for themselves,
whether at their blog, photostream, profile page, etc. With OpenID
you can easily transform one of these existing uniform resource
identifiers (URIs) into an account, which can be used at sites that
support OpenID logins.