- Website Security
State of the Art Security
jbbowlingsupply.com uses the latest in security certificates. We use Extended Validation SSL Certificates issued by Network Solutions, one of the leading Certificate Authorities around today.
You can be sure that when you buy from us that your transaction will be safe and secure.
Frequently Asked Questions (FAQ) about our security certificates:
What is SSL?
SSL stands for Secure Sockets Layer. Like TLS (which stands for Transport Layer Security), SSL is a security protocol that operates between a browser and a website. It provides confidentiality and data integrity by means of cryptographic techniques and, when used with a certificate issued by a third party, it can report trustworthy information to one party about the other party. Typically, SSL is used to provide the browser and its user with trustworthy information about the website.
Cryptographic techniques provide confidentiality and data integrity protection for messages passing in either direction between the browser and the website. This prevents Internet Service Providers that handle the messages in transit from viewing or modifying the contents of the messages. It also mitigates attacks on the DNS, such as DNS cache poisoning, and on the HTTP caching system, such as HTTP response splitting.
What is a Certificate?
A certificate (more properly called a public-key certificate in this context) is an electronic document that is signed by a certification authority (CA) asserting the binding between identifying information and a public key that can be used to authenticate the entity to which the identifying information applies. As a minimum, the identifying information includes a domain name, and the browser verifies that the URL displayed in its address bar is in the domain identified by the certificate.
The CA's public key can be used to verify its signature on a certificate. If the certificate is valid and the domain it contains includes the URL displayed in the browser's address bar, then the browser will display a padlock icon, indicating that a secure connection has been established between browser and website.
What is a Certification Authority?
A certification authority (sometimes referred to as a certificate authority) is a trusted third party that issues digital certificates. On the web, certification authorities (CAs) are typically separate business entities whose public keys are provisioned to the browser by the browser supplier. The CA accepts requests for certificates from website operators who provide the identifying information that they wish to have included in the certificate. The CA verifies the accuracy and applicability of the identifying information before including it in the certificate and returning it to the website operator. The website provisions the certificate to the browser within the SSL protocol.
What Standards Do Certification Authorities Have to Comply With?
Generally, in order to be accepted by a browser supplier, a certification authority (CA) must meet standards set by either the American Institute of Certified Public Accountants/Canadian Institute of Chartered Accountants (AICPA/CICA) or the European Telecommunications Standards Institute (ETSI). The AICPA/CICA standard is called "WebTrust for CAs" and the ETSI standard is called "ETSI TS 101456 Policy requirements for certification authorities issuing qualified certificates."
These audit schemes impose requirements on the CA's systems, personnel and procedures. However, they do not currently prescribe the specific methods used by the CA to validate the identifying information that is to be included in the certificate.
With the introduction of extended validation certificates (EV SSL Certificates), WebTrust will be augmented to audit the CA's conformance with the extended validation guidelines.
What is a Domain-Validated Certificate?
A domain-validated certificate is an SSL certificate in which the validated identifying information contained in the certificate is limited to the domain on which the website is located. If a secure connection is established between a browser and a website secured with a domain-validated certificate, the browser displays the padlock icon.
What is an extended validation certificate?
An extended validation certificate (EV SSL Certificate) is a certificate issued in conformance with the extended validation guidelines defined by the CA/Browser Forum. The organizational identifying information and the name of the issuing CA receive prominent display in some browsers.
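The domain check described under "What is a Certificate?" and the difference in identifying information between a domain-validated certificate and one that names an organization, as an added Python example (not code from this site or from any CA). The sample certificates are constructed, in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the function names are this example's own.

```python
# Constructed sample certificates, in the dict shape returned by
# ssl.SSLSocket.getpeercert(); every name and value here is made up.
DV_CERT = {
    "subject": ((("commonName", "shop.example"),),),
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
EV_CERT = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("serialNumber", "0000000"),),
        (("countryName", "US"),),
        (("organizationName", "Example Retail Inc."),),
        (("commonName", "www.example.test"),),
    ),
    "subjectAltName": (("DNS", "www.example.test"),),
}


def name_matches(pattern, host):
    """Match one certificate DNS name against a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Require two fixed labels after the wildcard, so "*.com" is refused.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers_host(cert, host):
    """True if any DNS subjectAltName entry in the certificate covers host."""
    return any(kind == "DNS" and name_matches(value, host)
               for kind, value in cert.get("subjectAltName", ()))


def subject_fields(cert):
    """Flatten the nested subject RDN tuples into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def identity_scope(cert):
    """'domain-only' when the subject names no organization, else 'organization'."""
    fields = subject_fields(cert)
    return "organization" if "organizationName" in fields else "domain-only"
```

identity_scope only reports whether organizational information is present in the subject; it does not establish that the certificate was issued under the extended validation guidelines.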
What are the extended validation guidelines?
The extended validation guidelines contain a set of requirements for the operations of certification authorities (CAs) that issue extended validation certificates (EV SSL Certificates). These requirements mostly govern the process of validating the identifying information that is to appear in an EV SSL Certificate. However, the guidelines also establish requirements for several other aspects of a CA's operations, including: insurance coverage, revocation services, cryptographic key parameters, personnel qualification, etc.
Why is there a need for extended validation certificates?
Because there are no generally accepted standards for verifying the organizational information that is contained in some certificates, uncertainty has arisen in users' minds over the significance of the padlock icon. This confusion has been compounded by the growing practice among website operators of displaying padlock icons within the site contents. Furthermore, the URLs that commonly appear in browser address bars have become obscure and users can no longer use these to assure themselves that they are transacting with the website operator that they expect. Therefore, there arose a need to display trusted identifying information about the operator of the website, and to do it in a way that clearly indicated to users the identity of the business entity with whom they were doing business. This had to be done in a way that established minimum standards for the trustworthiness of that identifying information. Hence, the major browser suppliers and a group of certification authorities (CAs) came together to develop these minimum standards. At the same time, some browser suppliers developed user interface standards for displaying that information to emphasize its trustworthiness.
With these combined developments, it is expected that the web users who engage in sensitive transactions with their governments, financial service providers, health care providers, etc. will look for these new cues as part of their personal web use routine.
Extended Validation Certificates (EV SSL Certificate)
About EV SSL Certificates
The Extended Validation (EV) SSL Certificate standard is intended to provide an improved level of authentication of entities that request digital certificates for securing transactions on their websites. The next generation of Internet browsers will display EV SSL-secured websites in a way that allows visitors to instantly ascertain that a given site is indeed secure and can be trusted. A new vetting format, which all issuing Certification Authorities (CAs) must comply with, ensures a uniform standard for certificate issuance. This means that all CAs must adhere to the same high security standards when processing certificate requests. Consequently, visitors to EV SSL-secured websites can trust that the organization that operates the site has undergone and passed the rigorous EV SSL authentication process as defined by the CA/Browser Forum. Internet users thus will be able to trust that particular websites are what they claim to be, rather than fraudulent mirror sites operated by perpetrators of phishing schemes.
To allow Internet users to instantly distinguish EV SSL-secured websites, new versions of the Internet's leading browsers will display EV SSL certificates differently from the standard "padlock" method used for existing types of SSL certificates. See below for examples of how the Internet Explorer 7 and Opera 8 browsers will be displaying EV SSL Certificates.
EV SSL certificates will prove particularly useful for companies whose Internet domains are considered at a high risk of being targeted by phishing schemes and other types of Internet fraud. High-risk domains include domains owned by high-profile online financial services, banking sites, auction sites, popular retailers and other sites that conduct Internet transactions likely to be targeted by Internet fraud.