Certificate authorities band together to boost security
Education on the proper use of certificates is needed in the industry, analyst says
By Antone Gonsalves
February 15, 2013 — CSO — At a time when certificate authorities are under attack by cybercriminals, a group of companies has formed an alliance to try to improve the security of the CA infrastructure.
Members of the Certificate Authority Security Council, announced Thursday, include Comodo, Trend Micro, Symantec, GMO GlobalSign, Entrust, DigiCert and Go Daddy. Some of the companies have recently suffered compromises of their CA systems.
Until now, the CAs have participated in other industry groups, such as the Certification Authority/Browser Forum. The council will be the first group in which the companies can speak with a "unified CA voice," councilmember Robin Alden, chief technology officer of Comodo, said in a blog post.
The group is not a standards-setting organization. Instead, it plans to supplement such groups by providing education, research and advocacy on best practices and the use of Secure Sockets Layer (SSL), a protocol for encrypting information over the Internet. The certificate authority infrastructure supports SSL.
While working together on the CA/Browser Forum for the last eight years, the councilmembers decided that more was needed than just setting standards, said Jeremy Rowley, associate general counsel for DigiCert. Many companies do not use best practices in the use of CAs, so an education/advocacy group is needed to help prevent risky behavior.
Rowley said high-profile hacks of certificate authorities over the last few years were not the driving force behind the council.
"There was this big need in the industry for a unified voice on good SSL practices," Rowley said. "That need is more of what prompted us to form it (the council) than any certain event."
Examples Rowley gave of insecure practices still used by developers implementing SSL include use of the 1999 version of the protocol, even though two updates have been released since. In addition, developers have been slow to use Online Certificate Status Protocol stapling, which the council plans to promote as its first task as a group.
OCSP is a 6-year-old protocol used to obtain the validity of a digital certificate. OCSP stapling is an alternative approach that uses less bandwidth in checking the revocation status of a certificate.
The council is pushing the use of OCSP stapling because it eliminates communication between the Web browser and the certificate authority when establishing the SSL connection. As a result, it boosts browser performance and prevents an attacker from blocking the CA's ability to provide revocation information, Alden said.
Gartner analyst Lawrence Pingree said education on the proper use of certificates is needed in the industry.
"The lack of education on how to properly issue and manage certificates can be a significant reason certificates can be compromised," Pingree said in an email. "If the organization is successful in promoting that education, it's a good thing for security."
Nevertheless, Pingree said he remained skeptical of the group's motives. "Is this just a marketing response to the recent certificate breaches, or will this lead to more meaningful security between the CAs?"
Answers to those questions would become clearer over time.
One of the high-profile CA hacks over the last couple of years involved Comodo. In 2011, a hacker who called himself "Ich Sun" broke into Comodo's Italian registration authority and used the company's systems to fraudulently issue nine digital certificates.
CAs like Comodo issue trusted certificates used by SSL encryption. Browsers use the certificates when connecting to secure Web pages. They are also used to secure Internet mail and virtual private networks.
Another high-profile hack involved Dutch certificate provider DigiNotar. The 2011 break-in led the Dutch government to ban all DigiNotar certificates from its systems. The company eventually went out of business.