Certificate Authorities Band Together to Improve SSL Security

Some of the biggest names in the certificate authority world have banded together and launched a new organization dedicated to strengthening the CA infrastructure.

The new alliance, the Certificate Authority Security Council (CASC), will focus on a series of education and industry initiatives to increase security and trust in CAs. Member organizations include Comodo, DigiCert, Entrust, Symantec, Trend Micro and GoDaddy. CASC's first initiative will focus on pushing adoption of Online Certificate Status Protocol (OCSP) stapling among Web server administrators, software vendors, browser makers and end users, Jeremy Rowley, associate general counsel for DigiCert, told SecurityWeek.

OCSP stapling improves how the revocation status of a certificate reaches the systems that need it. OCSP is the protocol a client uses to ask a CA's responder whether a particular certificate is still valid. The other common mechanism is the certificate revocation list (CRL): the CA publishes a signed list of revoked certificate serial numbers, and the client downloads it and checks whether the certificate it has been presented appears on it. CRLs can grow large and unwieldy, which is why OCSP was designed as an alternative.

OCSP stapling reduces bandwidth burden while boosting performance, Bruce Morton, director of certificate services for Entrust, told SecurityWeek.

OCSP stapling improves the process by which a server demonstrates its certificate's validity, Rowley said. With stapling, the Web server periodically fetches the CA's signed OCSP response for its own certificate, caches it, and sends ("staples") it to the client during the TLS handshake, so the browser does not need to go back to the CA each time it wants to check the certificate. Removing that client-side lookup reduces the load on the CA's responders and speeds up connection setup.

Attackers are also no longer able to block the CA from revoking a certificate, Rowley said. Without stapling, most browsers treat a failed OCSP lookup as a non-fatal error, so an attacker who can cut the client off from the CA's responder can hide a revocation; with the signed response delivered by the server itself, that lookup no longer exists to be blocked. The protection is only as strong as the client's policy, though: a client that still accepts a handshake with no staple attached can have the staple stripped by the same attacker, which is why the later "must-staple" certificate extension was introduced to tie the requirement to the certificate itself.
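The checks behind the last three paragraphs, as an added example that is not part of the original article and is not code from CASC or any of its members: it generates a throwaway CA and leaf certificate in memory with the third-party `cryptography` package, has that CA sign OCSP responses the way a responder would, and then runs the validation a browser must perform on a stapled response: that the response is bound to this certificate and this issuer, that the issuer signed it, that the current time falls inside its thisUpdate/nextUpdate window, and that the status is good. The certificate names, the seven-day response lifetime and the `demo()` harness are assumptions made for the example.

```python
"""Added example: build and validate a stapled OCSP response entirely offline.

Not CASC or CA member code. Requires the third-party `cryptography` package
(pip install cryptography). The CA, leaf certificate and OCSP responses are
constructed fixtures generated in memory; the names are invented.
"""
import hashlib
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

STAPLE_LIFETIME = timedelta(days=7)  # assumed nextUpdate - thisUpdate for the responder


def now_utc():
    # Naive UTC throughout, so the comparisons below never mix aware and naive values.
    return datetime.now(timezone.utc).replace(tzinfo=None)


def _ts(resp, name):
    # cryptography >= 43 adds aware *_utc properties and deprecates the naive ones;
    # accept either so the check runs on older and newer releases.
    aware = getattr(resp, name + "_utc", None)
    return aware.replace(tzinfo=None) if aware is not None else getattr(resp, name)


def _cert(subject_cn, issuer_name, pub, signer_key, days, is_ca):
    now = now_utc()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(issuer_name or name)
         .public_key(pub).serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=days)))
    if is_ca:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return b.sign(signer_key, hashes.SHA256())


def make_fixtures():
    """Constructed test CA and leaf certificate (hypothetical names)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _cert("Example Test CA", None, ca_key.public_key(), ca_key, 365, True)
    leaf_cert = _cert("www.example.test", ca_cert.subject, leaf_key.public_key(), ca_key, 90, False)
    return ca_key, ca_cert, leaf_cert


def build_ocsp_response(ca_key, ca_cert, leaf_cert, status, this_update):
    """What the CA's responder returns; the Web server caches this and staples it."""
    revoked = status == ocsp.OCSPCertStatus.REVOKED
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA256(), cert_status=status,
        this_update=this_update, next_update=this_update + STAPLE_LIFETIME,
        revocation_time=this_update if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def validate_staple(der, leaf_cert, issuer_cert, now):
    """The checks a TLS client must make on a stapled response. Returns (ok, reason)."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, "responder returned an error status"
    # 1. Binding: the CertID must name this serial under this issuer (name hash and key hash).
    name_hash = hashlib.sha256(issuer_cert.subject.public_bytes()).digest()
    key_hash = hashlib.sha256(issuer_cert.public_key().public_bytes(
        serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint)).digest()
    if (resp.serial_number != leaf_cert.serial_number
            or resp.issuer_name_hash != name_hash or resp.issuer_key_hash != key_hash):
        return False, "response is for a different certificate"
    # 2. Authenticity: signed by the issuer. A delegated responder would instead need a
    #    certificate from the issuer carrying id-kp-OCSPSigning; not handled here.
    try:
        issuer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                        ec.ECDSA(resp.signature_hash_algorithm))
    except Exception:
        return False, "signature does not verify under the issuer key"
    # 3. Freshness: a server still serving a staple past nextUpdate is replaying stale
    #    status, which is exactly how a revocation would be hidden.
    if not (_ts(resp, "this_update") <= now <= _ts(resp, "next_update")):
        return False, "response outside its validity window"
    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, "certificate status is " + resp.certificate_status.name
    return True, "good"


def demo():
    """Four cases a practitioner should see: fresh good, revoked, stale, wrong certificate."""
    ca_key, ca_cert, leaf = make_fixtures()
    now = now_utc()
    good = build_ocsp_response(ca_key, ca_cert, leaf, ocsp.OCSPCertStatus.GOOD, now)
    revoked = build_ocsp_response(ca_key, ca_cert, leaf, ocsp.OCSPCertStatus.REVOKED, now)
    return {
        "fresh_good": validate_staple(good, leaf, ca_cert, now),
        "revoked": validate_staple(revoked, leaf, ca_cert, now),
        "stale": validate_staple(good, leaf, ca_cert, now + STAPLE_LIFETIME + timedelta(minutes=1)),
        # A staple issued for the leaf must not be accepted for a different certificate.
        "wrong_cert": validate_staple(good, ca_cert, ca_cert, now),
    }


if __name__ == "__main__":
    print(demo())
```

The stale case is the one Web administrators get wrong in practice: the cached response has to be refreshed before its nextUpdate passes, or clients will reject the staple. On a live server, `openssl s_client -connect host:443 -status` prints "OCSP Response Status: successful" when stapling is working.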

The group plans to reach out to Web server administrators in a series of talks and appearances at industry events to educate them about OCSP stapling and promote best practices, Rowley said.

CASC will also work on various research, security advocacy, and education initiatives for SSL-related topics. The alliance is not going to be defining standards, but plans to support existing standards bodies such as the CA/Browser Forum and help develop enhancements to SSL. The goal is to educate stakeholders—including Web browser makers, Web administrators, software vendors, and end users— about SSL.

While CAs can do a lot to improve SSL security, the stakeholders all have to contribute by getting educated, the founders said.

While the first initiative is focused on OCSP stapling, the group has plans to address other projects, such as driving adoption of the DNSSEC standard and properly configuring SSL certificates on Web servers, Rowley said.

The list of member organizations may not inspire trust for many, considering that several of them have been hit by CA-related breaches and compromises over the past year or so. The infrastructure supports SSL for encrypting communications online, and the recent incidents have caused many to question the integrity of the system as a whole. The CASC is meant to give the CAs a unified voice and to work together on common campaigns.

A group of CAs was better than a single CA when it came to discussing security initiatives, Rowley said.

“As a unified group of the world’s leading SSL providers, we’re collaborating on matters of highest priority, while also recognizing the value of previous and recent work to continually evolve the standards, and create an industry that understands the issues involved and is committed to making the necessary enhancements,” Dean Coclin, a member of the CASC Steering Committee, said in a statement.
