Certificate Authorities Band Together to Improve SSL Security

Some of the biggest names in the certificate authority world have banded together and launched a new organization dedicated to strengthening the CA infrastructure.

The new alliance, the Certificate Authority Security Council, will focus on a series of education and industry initiatives to increase security and trust in CAs. Member organizations include Comodo, DigiCert, Entrust, Symantec, Trend Micro, and GoDaddy, among others. CASC's first initiative will focus on pushing adoption of Online Certificate Status Protocol (OCSP) stapling among Web server administrators, software vendors, browser makers and end users, Jeremy Rowley, associate general counsel for DigiCert, told SecurityWeek.

OCSP stapling improves the process by which CAs revoke certificates and communicate that information to other systems. OCSP is used to communicate information about an SSL certificate's validity. Another common system is the certificate revocation list (CRL), in which the client checks a list of revoked certificates to find out whether a particular one is listed. CRLs can get large and rather unwieldy, which is why OCSP was designed as an alternative.

OCSP stapling reduces bandwidth burden while boosting performance, Bruce Morton, director of certificate services for Entrust, told SecurityWeek.

OCSP stapling is a method of revoking invalid or expired certificates, and of improving the process for servers to check a certificate's validity, Rowley said. With stapling, Web administrators cache the OCSP responses so the Web browser doesn't need to go back to the CA each time it wants to check a certificate, which reduces the bandwidth load and boosts performance.
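The behaviour described above (the server hands the client a cached OCSP response, or the client must fetch one from the CA itself) is visible from the client side. The following shell script is an added example, not code from the SecurityWeek article or from CASC: it classifies the output of `openssl s_client -status` to report whether a server staples, and can be pointed at a live host. It assumes the `openssl` binary is installed; the nginx and Apache directives quoted in the comments are the real ones that switch stapling on, shown for reference only. The sample responder outputs are constructed (abridged from the shape openssl prints) so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article or CASC): does a TLS server staple an
# OCSP response? If not, each browser has to contact the CA's OCSP responder
# itself, which is the bandwidth and latency cost the article describes.
#
# Assumptions: OpenSSL's s_client is installed. For reference, stapling is
# enabled server-side with (real directives, not part of the article):
#   nginx:  ssl_stapling on;  ssl_stapling_verify on;
#   Apache: SSLUseStapling on;  SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

# Classify `openssl s_client -status` output read from stdin.
# Prints one of: stapled, not-stapled, unknown. Always exits 0 so it is safe
# at the end of a pipeline under `set -e`.
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo not-stapled ;;
        *)                                     echo unknown ;;
    esac
}

# Query a live host (needs network). Usage: check_host example.org [443]
# -servername matters: stapling is configured per virtual host, and the
# server can only staple for the certificate it actually selects via SNI.
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null | classify_stapling
}

# Constructed sample outputs in the shape s_client prints them.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
---
Certificate chain'

SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_STAPLED"     | classify_stapling   # stapled
printf '%s\n' "$SAMPLE_NOT_STAPLED" | classify_stapling   # not-stapled

# Optional live check: ./check_stapling.sh example.org
if [ -n "${1:-}" ]; then
    check_host "$1"
fi
```

A result of `not-stapled` does not mean the certificate is bad; it means the client must reach the CA's responder on its own, and the page's point is that this extra round trip (and the chance that it is blocked) is what stapling removes. Note that a stapled response has a validity window and must be refreshed by the server; a stale staple is rejected by clients that verify it.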

Attackers are also no longer able to successfully block the CA's ability to revoke a certificate, Rowley said.

The group plans to reach out to Web server administrators in a series of talks and appearances at industry events to educate them about OCSP stapling and promote best practices, Rowley said.

CASC will also work on various research, security advocacy, and education initiatives for SSL-related topics. The alliance is not going to be defining standards, but plans to support existing standards bodies such as the CA/Browser Forum and help develop enhancements to SSL. The goal is to educate stakeholders, including Web browser makers, Web administrators, software vendors, and end users, about SSL.

While CAs can do a lot to improve SSL security, the stakeholders all have to contribute by getting educated, the founders said.

While the first initiative is focused on OCSP stapling, the group has plans to address other projects, such as driving adoption of the DNSSEC standard and properly configuring SSL certificates on Web servers, Rowley said.

The list of member organizations may not inspire trust for many, considering that several of them have been hit by CA-related breaches and compromises over the past year or so. The infrastructure supports SSL for encrypting communications online, and the recent incidents have caused many to question the integrity of the system as a whole. The CASC is meant to give the CAs a unified voice and to work together on common campaigns.

A group of CAs was better than a single CA when it came to discussing security initiatives, Rowley said.

"As a unified group of the world’s leading SSL providers, we’re collaborating on matters of highest priority, while also recognizing the value of previous and recent work to continually evolve the standards, and create an industry that understands the issues involved and is committed to making the necessary enhancements," Dean Coclin, a member of the CASC Steering Committee, Certificate Authority Security Council, said in a statement.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.