Certificate authorities band together to boost security

At a time when certificate authorities are under attack by cybercriminals, a group of companies has formed an alliance to try to improve the security of the CA infrastructure.

Members of the Certificate Authority Security Council, announced Thursday, include Comodo, Trend Micro, Symantec, GMO GlobalSign, Entrust, DigiCert and Go Daddy. Some of the companies have recently suffered compromises of their CA systems.

Until now, the CAs have participated in other industry groups, such as the Certification Authority/Browser Forum. The council will be the first group in which the companies can speak with a "unified CA voice," councilmember Robin Alden, chief technology officer of Comodo, said in a blog post.

The group is not a standards-setting organization. Instead, it plans to supplement such groups by providing education, research and advocacy on best practices and the use of Secure Sockets Layer (SSL), a protocol for encrypting information over the Internet. The certificate authority infrastructure supports SSL.

While working together on the CA/Browser Forum for the last eight years, the councilmembers decided that more was needed than just setting standards, said Jeremy Rowley, associate general counsel for DigiCert. Many companies do not follow best practices in their use of CAs, so an education/advocacy group is needed to help prevent risky behavior.

Rowley said high-profile hacks of certificate authorities over the last few years were not the driving force behind the council.

"There was this big need in the industry for a unified voice on good SSL practices," Rowley said. "That need is more of what prompted us to form it (the council) than any certain event."

Examples Rowley gave of insecure practices still used by developers implementing SSL include use of the 1999 version of the protocol, even though two updates have been released since. In addition, developers have been slow to adopt Online Certificate Status Protocol (OCSP) stapling, which the council plans to promote as its first task as a group.


OCSP is a 6-year-old protocol used to check the validity of a digital certificate. OCSP stapling is an alternative approach that uses less bandwidth to check the revocation status of a certificate.

The council is pushing the use of OCSP stapling because it eliminates communication between the Web browser and the certificate authority when the SSL connection is established. As a result, it boosts browser performance and prevents an attacker from blocking a CA's ability to provide revocation information, Alden said.
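As an added example that is not part of the article, the following shell script shows how a site operator can verify that a server actually staples an OCSP response, using the `-status` flag of `openssl s_client`, which prints any stapled response ahead of the certificate chain. The transcripts it classifies are constructed samples in the format OpenSSL prints.

```shell
#!/bin/sh
# Added example (not from the article): report what, if anything, a TLS server
# staples, based on the text printed by `openssl s_client -status`.

# Read s_client output on stdin and print one of:
#   stapled-good, stapled-revoked, stapled-unknown, none
classify_staple() {
  out=$(cat)
  case "$out" in
    *"OCSP response: no response sent"*) echo none ;;
    *"Cert Status: good"*)               echo stapled-good ;;
    *"Cert Status: revoked"*)            echo stapled-revoked ;;
    *"OCSP Response Status: successful"*) echo stapled-unknown ;;
    *)                                   echo none ;;
  esac
}

# Live check of a host on port 443 (needs network access; not run below).
# Usage: check_host example.com
check_host() {
  printf 'Q\n' | openssl s_client -connect "$1:443" -servername "$1" -status 2>/dev/null \
    | classify_staple
}

# Constructed, abridged transcripts of what s_client prints in each case.
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2013 GMT
======================================
---
Certificate chain'

SAMPLE_NONE='OCSP response: no response sent
---
Certificate chain'

printf '%s\n' "$SAMPLE_STAPLED" | classify_staple   # stapled-good
printf '%s\n' "$SAMPLE_NONE" | classify_staple      # none
```

A server reporting `none` still has a valid certificate; it simply forces each browser to contact the CA's OCSP responder itself, which is the round trip and the blocking risk the council wants to remove.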

Gartner analyst Lawrence Pingree said education on the proper use of certificates is needed in the industry.

"The lack of education on how to properly issue and manage certificates can be a significant reason certificates can be compromised," Pingree said in an email. "If the organization is successful in promoting that education, it's a good thing for security."

Nevertheless, Pingree said he remained skeptical of the group's motives. "Is this just a marketing response to the recent certificate breaches, or will this lead to more meaningful security between the CAs?"

Answers to those questions would become clearer over time.

Among the high-profile CA hacks over the last couple of years was one involving Comodo. In 2011, a hacker who called himself "Ich Sun" broke into Comodo's Italian registration authority and used the company's systems to fraudulently issue nine digital certificates.

CAs like Comodo issue the trusted certificates used for SSL encryption. Browsers use the certificates when connecting to secure Web pages. They are also used to secure Internet mail and virtual private networks.

Another high-profile hack involved Dutch certificate provider DigiNotar. The 2011 break-in led the Dutch government to ban all DigiNotar certificates from its systems. The company eventually went out of business.
