Certificate Authorities Band Together to Improve SSL Security

Some of the biggest names in the certificate authority world have banded together and launched a new organization dedicated to strengthening the CA infrastructure.

The new alliance, the Certificate Authority Security Council (CASC), will focus on a series of education and industry initiatives to increase security and trust in CAs. Member organizations include Comodo, DigiCert, Entrust, Symantec, Trend Micro, and GoDaddy, among others. CASC’s first initiative will focus on pushing adoption of Online Certificate Status Protocol (OCSP) stapling among Web server administrators, software vendors, browser makers and end users, Jeremy Rowley, associate general counsel for DigiCert, told SecurityWeek.

OCSP stapling improves the process by which CAs revoke certificates and communicate that information to other systems. OCSP is used to communicate information about an SSL certificate’s validity. The other common mechanism is the certificate revocation list (CRL), in which a list of revoked certificates is checked to find out whether a particular certificate is listed. CRLs can get large and rather unwieldy, which is why OCSP was designed as an alternative.

OCSP stapling reduces bandwidth burden while boosting performance, Bruce Morton, director of certificate services for Entrust, told SecurityWeek.

OCSP stapling is a method of revoking invalid or expired certificates, and of improving the process for servers to check the certificate’s validity, Rowley said. With stapling, Web administrators cache the OCSP responses so the Web browser doesn’t need to go back to the CA each time it wants to check the certificates, which reduces the bandwidth load and boosts performance.

Attackers are also no longer able to successfully block the CA’s ability to revoke a certificate, Rowley said.
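The practical question for an administrator reading the above is whether their own server actually staples a response. The following is an added example, not code from the article or from CASC: a small POSIX shell helper that classifies the output of `openssl s_client -status`, which reports either `OCSP response: no response sent` (no stapling) or a decoded `OCSP Response Data` block containing the `Cert Status` (stapling in use). The two output fragments embedded below are constructed to stand in for a live connection so the script runs offline; the `check_stapling` wrapper performs the real network check against a hostname of your choosing.

```shell
#!/bin/sh
# Added example (not from the article): detect OCSP stapling on a TLS server by
# parsing `openssl s_client -status` output.

# Constructed sample: what openssl prints when the server staples a "good" response.
stapled_output='CONNECTED(00000003)
OCSP response: 
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Feb 14 00:00:00 2013 GMT
    Next Update: Feb 21 00:00:00 2013 GMT
======================================
'

# Constructed sample: what openssl prints when no OCSP response is stapled.
unstapled_output='CONNECTED(00000003)
OCSP response: no response sent
'

# Classify s_client output. Prints one of:
#   not-stapled          server sent no OCSP response in the handshake
#   stapled:<status>     server stapled a response; <status> is good/revoked/unknown
#   unknown              output did not match either pattern (e.g. connection failed)
classify_stapling() {
  output="$1"
  if printf '%s\n' "$output" | grep -q 'OCSP response: no response sent'; then
    echo "not-stapled"
  elif printf '%s\n' "$output" | grep -q 'OCSP Response Status: successful'; then
    status=$(printf '%s\n' "$output" \
      | sed -n 's/^[[:space:]]*Cert Status: \(.*\)$/\1/p' | head -n 1)
    echo "stapled:${status:-unknown}"
  else
    echo "unknown"
  fi
}

# Live check: check_stapling <host> [port]
# -servername sends SNI so the server picks the right certificate; stdin is closed
# so s_client exits once the handshake and status printout are done.
check_stapling() {
  host="$1"; port="${2:-443}"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null)
  classify_stapling "$out"
}

# Offline demonstration on the constructed samples:
classify_stapling "$stapled_output"     # stapled:good
classify_stapling "$unstapled_output"   # not-stapled
```

A `not-stapled` result on a server you administer means browsers must contact the CA’s OCSP responder themselves on every connection, which is exactly the bandwidth and availability cost the article describes; enabling stapling is a server-side configuration change (for example `ssl_stapling on;` in nginx), after which the check should return `stapled:good`.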

The group plans to reach out to Web server administrators in a series of talks and appearances at industry events to educate them about OCSP stapling and promote best practices, Rowley said.

CASC will also work on various research, security advocacy, and education initiatives for SSL-related topics. The alliance is not going to define standards, but plans to support existing standards bodies such as the CA/Browser Forum and help develop enhancements to SSL. The goal is to educate stakeholders—including Web browser makers, Web administrators, software vendors, and end users—about SSL.

While CAs can do a lot to improve SSL security, the stakeholders all have to contribute by getting educated, the founders said.

While the first initiative is focused on OCSP stapling, the group has plans to address other projects, such as driving adoption of the DNSSEC standard and properly configuring SSL certificates on Web servers, Rowley said.

The list of member organizations may not inspire trust for many, considering that several of them have been hit by CA-related breaches and compromises over the past year or so. The infrastructure supports SSL for encrypting communications online, and the recent incidents have caused many to question the integrity of the system as a whole. The CASC is meant to give the CAs a unified voice and to work together on common campaigns.

A group of CAs was better than a single CA when it came to discussing security initiatives, Rowley said.

“As a unified group of the world’s leading SSL providers, we’re collaborating on matters of highest priority, while also recognizing the value of previous and recent work to continually evolve the standards, and create an industry that understands the issues involved and is committed to making the necessary enhancements,” Dean Coclin, a member of the CASC Steering Committee, said in a statement.
