PKI (public key infrastructure) technology is used worldwide to enable the secure authentication and exchange of digital information. As a legal professional, earning and keeping your clients’ trust is paramount, and using PKI-related products such as SSL/TLS and document signing certificates is a great way to do just that.
Obtaining an SSL/TLS certificate for your website is key to retain the trust of your clients. Document signing and S/MIME certificates can help guarantee the integrity and authenticity of your email and signed documents.
How Can SSL/TLS Help Lawyers?
SSL (Secure Sockets Layer) and its successor, TLS (Transport Layer Security), are protocols for establishing authenticated and encrypted links between networked computers. The most current version is TLS 1.3, but it is still common to refer to these related technologies as “SSL” or “SSL/TLS.”
SSL/TLS works by binding the identities of entities such as websites and companies to cryptographic key pairs via digital documents known as X.509 certificates. Each key pair consists of a private key and a public key. The private key is kept secure, and the public key can be widely distributed via a certificate. Because of the special mathematical relationship between the public and private key, messages encrypted using the private key can be decrypted by the public key, and vice versa.
SSL/TLS certificates can be used to secure web domains and enable the HTTPS protocol, which is vital for those looking to build a secure, SEO-optimized web presence. An HTTPS web server can sign data like web pages, images, and javascript with its private key, allowing web browsers to verify the data’s integrity with the public key in the site’s certificate. In turn, a web browser can use the website’s public key to send messages that only the server can read. Via the SSL/TLS handshake, a web server and a user’s browser can negotiate an encrypted browsing session to protect information from potential eavesdroppers and attackers.
In an interview with data loss prevention software company Digital Guardian, Attorney Jared Staver, managing partner at the accident injury law firm Staver Law Group concurs with the practicality and security that PKI-based solutions offer:
“I am not a data expert. I am not a tech expert. I am not a security expert. Given this information, I refuse to keep client data on premises, in our systems, etc.. I practice law. But that in no way makes me suitable to make decisions about my clients’ data. Perhaps the easiest thing law firms can do is to put data in the hands of experts (and understanding that those experts are not attorneys). Offsite servers that are encrypted, protected and have teams of people ensuring their security are any law firm’s best friend. In my opinion, they are underutilized in the industry.”
Why is HTTPS Important to Lawyers?
The HTTPS protocol makes it possible for website users to transmit sensitive data such as credit card numbers, banking information, and login credentials securely over the internet. For this reason, HTTPS is especially important for securing online activities such as shopping, banking, and remote work. However, HTTPS is quickly becoming the standard protocol for all websites, whether or not they exchange sensitive data with users.
As a legal professional, having a secure, HTTPS-enabled domain is just one more way to earn the trust of site visitors and clients. It will give them the confidence to know that sharing or submitting sensitive information using your online services. If your certificate is Organization Validated (OV) or Extended Validated (EV), your clients can check for information about the business that runs the website from the certificate, an added layer of assurance and another way to earn their trust.
Using an SSL/TLS certificate to enable the HTTPS protocol on your domain is also important for SEO (search engine optimization), the practice of optimizing a website to perform well in search engine rankings. This means that an SSL/TLS certificate can potentially help you obtain more clients for your practice.
Furthermore, any website without an SSL/TLS certificate in 2021 will be visibly flagged as “insecure” by modern browsers.
What is a Document Signing Certificate?
A document signing certificate is another type of X.509 certificate. A publicly trusted certificate authority (CA),such as SSL.com, checks information submitted about an applicant and, if valid, issues a signed certificate. The certificate can then be used to create digital signatures.
Document signing certificates from SSL.com may delivered on FIPS 140.2 YubiKey USB tokens and/or enrolled in our eSigner cloud signing service. In either case, your private signing key is stored on the device or service, is not exportable, and can only be accessed by a PIN or OTP code.
SSL.com’s document signing certificates are trusted by major software publishers including Microsoft and Adobe, so you can be confident that your signed PDFs and Word documents will be trusted by your recipients’ software
S/MIME Email
SSL.com’s document signing certificates also include S/MIME capabilities. S/MIME (Secure/Multipurpose Internet Mail Extensions) uses PKI and asymmetric encryption to provide authentication and encryption of email messages. By signing your email with an S/MIME certificate from SSL.com, you can assure receivers that the messages you send are really from you, and they can prove that you really sent them.
Furthermore, you can use S/MIME to encrypt your email communications securely, shielding them from prying eyes while in transit. When S/MIME email is deployed throughout a business or other organization, employees can be certain that messages from their colleagues are genuine, and clients and customers can trust email sent from within the organization. For a law firm, this can be vital technology to enable safe transit of sensitive documents.
eSigner
SSL.com’s eSigner cloud signing system enables lawyers to place internationally trusted digital signatures and timestamps to sensitive legal documents that they communicate online to their colleagues, counterparts, and clients.
eSigner makes use of the digital signature technology to bind an identity (such as a person or company) to a specific document. Like fingerprints or thumb marks, digital signatures can be uniquely attributed to each signer through the use of lengthy numbers (keys) that are generated by a mathematical algorithm. The keys are then stored safely in eSigner’s cloud storage system.
In essence, eSigner’s use of digital signatures is considered as a more modern and secure way to sign confidential documents compared to the pen and paper method. Handwritten signatures can be copied by impersonators but encrypted digital signatures are very, very difficult to hack.
eSigner’s implementation of digital signatures achieve the 3 criteria that the government wants to be featured in electronic communication:
Authentication: Achieving authenticity serves a practical purpose when a law firm’s offices are communicating with one another. For instance, a branch office might receive a legal memo from the main office directing it to send soft copies of highly-confidential documents. If the supposed main office sent the message with a valid digital signature, staff at the receiving branch office can be confident that they are not being duped by a cybercriminal.
Integrity: This means that the content of the document has not been changed since it was sent and while in transit. Achieving integrity allows a multi-state or a multinational law firm to act efficiently despite its various offices located far from each other. Because there is no need to conduct further verification like organizing calls or personally going to a specific office, business implementations can be done by the beat.
Non-repudiation: This criterion refers to the instance in which a person or organization that has digitally signed a document cannot, in the future, deny that they have done so. This feature that digital signatures provide is very useful when lawyers are interacting with their clients or other law firms (either allies or opponents in a case). In any client-service provider relationship or B2B transaction, things can become sour and fall out of hand. Using digital signatures when communicating avoids “he said, she said” situations in the future and actually helps resolve conflicts faster because digitally signed documents are considered as evidence.
Last Word
PKI technology, document signing certificates, S/MIME, and SSL/TLS certificates are a great choice to offer more trust for your clients. Making the extra investment can help safeguard information, provide authenticity, and promote trust between you and your clients.