Missed our .ORG Webinar? We’ve got you covered. Below you’ll find a recording of the live presentation as well as links to the downloadable .ORG Toolkit and Webinar PDF.
Watch the .ORG Webinar
Update: Our latest Digicert Webinar covers the importance of authentication in SSL, and how it’s a key factor in properly marketing and selling certificates:
Browsers have evolved to offer a better user experience and greater attention to security. Perhaps most importantly, they now display a security warning to users when they land on a website that lacks encryption:
This is a step forward to a safer Internet, but encryption is only part of the security equation.
Without a means to verify the owner of that website, the user can’t be sure who they are sending their information to.
When SSL certificates were first introduced, they served both these critical purposes:
1. Encrypting the data in transit
2. Authenticating the website to which the data is being sent
They were issued by a small handful of Certificate Authorities (CAs), accredited and compliant third parties able to provide both encryption and authentication of your website.
But as the Internet grew, so did the number of CAs in the market, and the variety of SSL options. And what was the main differentiating factor among these certificates? The level of authentication they provided.
Today, SSL products range from free “encryption-only” certificates, which can be registered in a matter of minutes, to Extended Validation (EV) SSL certificates, which, as their name suggests, involve a thorough validation (authentication) process as part of their registration.
When choosing an SSL certificate for your site, or helping a customer select one for theirs, your main question should be: what level of authentication do I need? After reading this blog, the answer will be clear.
DV certificates are often described as “encryption-only” because they don’t provide confirmation of who the website owner really is. To register a DV certificate, the website owner simply needs to prove ownership of the domain name(s) they are trying to secure.
Think of a DV certificate like a library card: they are easy to obtain and aren’t considered a credible form of identification.
These certificates are sufficient if you’re securing a page just to maintain browser compliance (and avoid those warnings), or if you’re hosting a site that purely provides information and you want it done securely.
Before issuing an Organization-validated certificate, the Certificate Authority vets the organization and individual applying for the certificate. If a website visitor chooses to view the OV certificate, they’ll find this verified company information included in the details.
You can think of an OV certificate like a driver’s license: obtaining one involves a bit more hoop-jumping, but they are better trusted as a form of identification.
If you collect any basic personal information from your users, for example, login credentials, they’ll likely want to know who they are sending this information to. An OV certificate from a reputable CA may provide sufficient authentication and assurance in these cases.
However, Extended Validation certificates (see below) are often a better fit for e-commerce pages or business-critical sites where consumer trust is particularly important.
Extended-validation (EV) certificates involve the most rigorous authentication process and, consequently, provide the highest level of assurance to website visitors.
What’s more, as mentioned above, they do this in a very obvious way: a green address bar that includes the name of the company. Finally, the CA Browser Forum, the SSL industry’s governing body, sets specific guidelines to govern the registration and authentication process for EV certificates.
These factors combine to make EV certificates the gold standard, and the assurance they provide becomes ever more essential as the average Internet user becomes savvier and security standards rise.
Continuing with our analogy, EV certificates can be thought of as passports: they are internationally recognized as the most trusted way to verify a website owner’s identity.
We recommend using an EV if you’re looking to establish a high level of consumer trust or collecting sensitive information, which could range from login credentials to national identifiers, to credit card information. While not all browsers treat EV certificates the same way, for users, the additional visual cues can inspire trust and confidence to proceed with the transaction or activity.
Our partners at DigiCert have some great resources to help you educate your customers and help them find the right fit. Through your partnership with us, you have access to an array of brands and certificate types to help make sure you properly meet the needs of your specific customer for their specific project. You can view our SSL offering here.
This post was sponsored by DigiCert, an Enom partner, and leading Certificate Authority.
Guest Author: Alisha Shibli.
Alisha is a Content Marketing Specialist at Radix, the registry behind some of the most successful new domain extensions, including .STORE and .TECH.
Please note: The views expressed in this piece are the author’s own and do not necessarily represent those of Enom.
When it comes to registering a domain name, it’s easy to get overwhelmed. After all, when you’re building a business or starting an online venture, you want to ensure that all factors are working to your advantage. The process of choosing the right domain name is a lot less daunting when you know the basics. So today, we’re tackling some of the most common questions asked by domain name buyers. The information here will also be handy for resellers looking to educate their customers.
Websites and domain names are closely related, but they’re two different things. You can think of your website as your house and your domain name as its address. In order for someone to access your website, they need to know its domain name.
Every domain name has two basic parts: the “top-level domain” (TLD) and the “second-level domain.” For example, in the domain name [yourbrandname].tech, “.TECH” is the TLD and “yourbrandname” is your second-level domain. Together, these form a complete domain name.
Your domain name will usually include your brand name or the name of a particular sector or product that you’re promoting. When choosing a domain name, you’ll realize there are now numerous TLDs available such as .STORE, .PRESS, .SPACE, .ONLINE, .WEBSITE, .SITE, etc. So, make sure you choose whichever brands your business best.
What some businesses don’t realize is that choosing a domain name is one of the most important decisions they make when establishing their online presence. The domain name is more than just a glorified IP address. It is important for search engines and for customers. Moreover, it is an incredible branding tool, which is why it is crucial to choose a name that adds value to your business and will help you stay relevant even a decade later.
Here are a few factors to keep in mind when choosing a domain name for your business:
You don’t just have to stick to one domain name! Using multiple TLDs in interesting ways can create memorable customer interactions with your brand, or, perhaps, promote your personal side-project alongside your primary business. Here are some of the many ways one can make use of new domain names:
Let’s first clarify the difference between these terms.
Generic top-level domains (gTLD) are, as their name suggests, generic. They have a broad application based on the purpose of the website. For example, .COM (commercial), .ORG (organization), .NET (networks), .EDU (education), etc.
Country code top-level domains (ccTLD) are regulated by a specific country and are best used to target customers within that country. Some examples include. US, .CA (Canada).TR (Turkey) .IN (India), .CO.UK, .AE (UAE), .DE (Germany), .FR (France), etc.
GeoTLDs are similar, but they are tied to a specific region, rather than a country. City extension like .NYC or .LONDON as well as options like .AFRICA and .ASIA exist.
New generic top-level domains (nTLD), which are sometimes just referred to as “new TLDs” are recently launched generic domain extensions.
They tend to be more industry- or product-specific, so their adoption has the potential to make the Internet more organized and business-friendly. Some other examples of nTLDs include .STORE for eCommerce and retail, .TECH for technology, .FUN for leisure, .PRESS for media and news.
Plus, there are many with universal appeal, like .ONLINE, .SITE, etc. In fact, .ONLINE and .SITE have become so popular that over 1 million domain names have been registered on each of these extensions so far. And these nTLDs are still relatively new, you are likely to find that your perfect domain name is available on one of them!
When it comes to choosing the right domain extension for your domain name, you need to look at the nature and purpose of your business. For example, if you have a tech business, then a .TECH domain would be an ideal choice.
With the information above, you are well-equipped to make an informed choice. Get started with a search for your perfect domain name.
On May 17, 2018, ICANN issued a “Temporary Specification for gTLD Registration Data,” the purpose of which is to provide ICANN’s contracted parties (registrars and registries) a path towards compliance with both ICANN contractual requirements and the GDPR. This involved the introduction of numerous registrar requirements, aimed at resolving points of conflict between ICANN’s Registrar Accreditation Agreement (RAA) and the GDPR. Here, we’ll highlight those requirements that are most relevant to our resellers, provide our stance on the Temporary Specification, and discuss some related upcoming features being added to the Enom platform.
To understand what makes the Temporary Specification unique, it’s important to understand how ICANN policy is typically developed. Normally, any policy that is binding on contracted parties (registrars and registries) is developed by a bottom-up, participatory process, taking input from all stakeholders and interested contributors, along a defined path called a “policy development process” (or “PDP”).
The output of a PDP is presented for public comment, refined, and then presented to ICANN’s Generic Names Supporting Organization (GNSO) Council for a vote. After a policy is approved by the GNSO Council, it is presented to the ICANN Board for final review and approval. Only after the ICANN Board approves the policy does it become binding on registrars and registries through a contractual provision in the above RAA.
The Temporary Specification was issued as an “emergency policy,” meaning it was adopted by a super-majority of the ICANN Board and bypassed the normal policy development process. Emergency policies must be re-approved by the ICANN Board every ninety (90) days and can exist for no more than one year. The idea is that one year provides sufficient time for the ICANN community to develop a permanent policy along the normal, bottom-up development path. The Temporary Specification was adopted on May 17, 2018 and will expire on May 16, 2019.
The Temporary Specification includes a long list of items that registrars “must” or “shall” implement in order to be in compliance with their Registrar Accreditation Agreement, many of which are pulled directly from, or are heavily based on, the GDPR itself.
Here are some of the highlights, specifically those most relevant to resellers and registrants, with a note about any related changes we’re making within the Enom platform.
1. Redact personally identifying information from the public Whois output when (a) the registry or registrar is located in the EU; or (b) the registrant is located in the EU; or (c) the registry or registrar uses a data processor located in the EU for the registrant’s personal data. The redacted fields must say something like “REDACTED FOR PRIVACY.” (Temp. Spec. Appendix A Section 2)
Enom’s approach: As of May 25, 2018, Whois lookups results for all domains on our platform have returned “Data Protected” in place of any personally identifying information. However, we haven’t just limited this practice to the specific cases listed above; the redaction of personal data in the public Whois is our default for all domains on our platform.
2. Provide a method for third parties to contact the registrant through an anonymized email or web form. (Temp. Spec. Appendix A Section 2.5)
Enom’s approach: We plan to launch a Whois Contactability service that will allow the registrant to be contacted through a hosted web form. We’ll provide more details in the next few weeks.
3. Provide a means for the registrant to consent to have their contact details displayed in the public Whois, instead of the “Data Protected” notice mentioned above. (Temp. Spec. Section 7.2.1)
Enom’s approach: We’ll soon be launching a Whois Publicity service that allows registrants to opt into the display of their personal data in the public Whois, details of which will be released in the coming next weeks.
4. Implement Tiered Access to full Whois data, so that third-parties with a legitimate interest in access to a registrant’s personal data (such as law enforcement agencies) can review that data when necessary and appropriate. (Temp. Spec. Appendix A Section 4)
Enom’s approach: We’ve built a Tiered Access Directory — or “gated Whois” — that accomplishes this.
5. Provide mandatory disclosures to registrants detailing who has the registrant’s personal data, how it is processed, when and why a data transfer crosses international boundaries (if applicable), and the specific reasons that data is collected and transferred, among other subjects. (Temp. Spec. Section 7.1.)
Enom’s approach: This information is easily located on our Data Use Information Page
6. Comply with a new transfer policy, described in Appendix G to the Temporary Specification.
Enom’s approach: The domain transfer process changes we announced on April 30, 2018, anticipated the new transfer policy outlined in ICANN’s Temporary Specification. No further changes are needed.
7. Implement and observe Service Level Agreement (SLA) standards for Registration Data Access Protocol (RDAP), otherwise known as the successor to the WHOIS protocol. (Temp. Spec. Section 5.2)
Enom’s approach: These Service Level Agreement standards are not yet finalized, but Enom has played an active role in the RDAP pilot project. We’re in a position to easily implement any minor changes to our current system that the final agreement may call for, and to help shape the SLA to ensure it’s something that all registrars can meet in order to provide a reliable and fast RDAP service to users.
ICANN has stated that it is “enforcing the requirements of the Temporary Specification as of 25 May 2018, as it does any other ICANN agreement or policy requirement.” However, aware that the requirements of the Temporary Specification came late, ICANN has provided registrars some leeway. While ICANN has already sent notices of non-compliance to many registrars, they appear to be withholding further action so long as the registrar demonstrates that they are working toward compliance. So we can expect that the various GDPR compliance processes in place now — which vary from registrar to registrar — may look quite different down the road. Virtually every registrar, including Tucows, is changing its implementation in important ways to comply with the Temporary Specification.
We have already implemented the majority of the mandatory requirements. As mentioned above, you can expect two new features in the coming months: Whois Contactability, which provides a means to contact the registrant through public Whois lookup results, and Whois Publicity, which allows registrants to opt into the public display of their contact data.
We believe industry-standard processes are important — they provide a level of consistency very much needed in this highly-connected registrant/registrar/registry network. Many of the Temporary Specification requirements will help move the industry forward towards a unified approach.
However, we view other aspects of the Temp. Spec. as problematic. The Temporary Specification aims to provide registries and registrars with a path to comply with both ICANN contractual requirements and the GDPR, but in a way that maintains “the existing Whois system to the greatest extent possible” and requires “robust collection of Registration Data.”
At Tucows, we believe that “maintaining the existing Whois system” and requiring “robust collection” of data violates the basic principles of GDPR. Put another way, we do not believe that the Temporary Specification is fully compliant with the GDPR. We have an ongoing disagreement with ICANN as to what the GDPR requires in three discrete areas, which is the subject of the ongoing ICANN v. EPAG litigation in Bonn, Germany.
Right now, we’re focused on implementing those Temporary Specification requirements that do not conflict with the GDPR (which is, of course, the vast majority). The GNSO has initiated an Expedited Policy Development Process (“EPDP”), which we are watching with great interest, as we work within the registrar community to advocate for the best outcome for registrars, resellers, and registrants. We’re advocating for policy which fully complies with the GDPR, keeps domain registration and management simple, and protects the interests of our resellers. As we’ve said before, in any instance where ICANN policy conflicts with the law, our priority is compliance with the latter.
Identity theft and browser warnings are growing concerns among consumers. And while you may think enabling SSL on your website will allay these fears, failure to select the right TLS/SSL certificate can erode customer trust. To regain trust, site owners need an easy, reliable way to show customers that transactions are secure and that the site operator is who it says it is. But with the variety of TLS/SSL certs available – DV, OV, or EV – figuring out the best certificate for your business can be confusing. There are major differences in how domains are validated, and the following outline provides some key insights as to which certificate to select for your specific needs.
DV certificates prove ownership of the actual domain through a simple email validation process. DV certificates can be issued in minutes, show trust indicators in browsers (like the padlock icon), and enable HTTPS.
However, DV certificates do not vet the legitimacy of an organization and should not be used for e-commerce sites. Accordingly, DV certificates are best for internal sites, test servers, test domains, and for small to medium-sized businesses seeking cost-effective security.
OV certificates provide the same level of protection as DV certificates but go one step further. With an OV certificate, the Certificate Authority (CA) confirms the business is registered and legitimate, checking details such as business name, location, address, and incorporation or registration information, making these certificates more suitable for public-facing websites.
An OV certificate will also enhance a website’s reputation, providing customers greater assurance in conducting e-commerce transactions.
EV SSL certificates provide the highest level of trust, giving customers greater confidence that they are conducting business through trusted websites. EV SSL certificates are the industry standard for e-commerce websites. An EV SSL certificate triggers high-security web browsers to display an organization’s name in a green address bar and show the name of the Certificate Authority that issued it:
EV SSL certificates confirm site identity and validate the organization according to rigorous industry guidelines established by the CA/Browser Forum, including a strict vetting process using techniques that have been proven reliable in protecting the internet’s most valuable online businesses for more than ten years.
EV SSL certificates are a good choice for businesses, as these certificates can enhance credibility by showing suspecting consumers that sites are legitimately what they purport to be and that a business is serious about protecting the data of its customers.
Summed up, for the greatest level of website security, EV SSL certificates are the best choice.