Recently, Ericka Chickowski with Dark Reading wrote a well-thought-out and well-researched piece discussing the future of web authentication. Our own Quentin Liu was interviewed for the article. In her article, Ericka starts with a brief history of SSL and then goes into the current problems facing the CA community, followed by recommended best practices. Ericka concludes that SSL has too long a history to completely scrap (amen!) and the industry must make changes in how SSL functions to improve security of web transactions. We couldn’t agree more!
Key article points and commentary:
- “Web authentication protocols took a pounding last year.”
It’s true, there’s no denying that 2011 was riddled with high-profile attacks and targeting of CAs. These attacks highlight that it has never been more important for organizations to know which CAs to trust.
- “Taken as a whole, it appears the Internet's trust model is broken. However, many security experts aren't ready to scrap SSL. Rather than starting over, they recommend fixing the existing system.”
The CA breaches in 2011 sparked a debate as to whether SSL certificate technology and the entire CA industry that distributes it are fundamentally broken. Fortunately, the answer is categorically and unequivocally “no.” SSL technology still provides excellent protection against evolving cyber security threats. With the right tools and processes, CAs are fully capable of providing the greatest assurance possible that their certificates – and the websites that use the certificates – are genuine and safe for online business.
Last year we witnessed a variety of bad actors targeting CAs, ranging from recreational hackers to serious cyber terrorists, and we see no indication that these threats will slow down or go away. In other words, it’s critical that a CA’s top business priorities in 2012 be 1) diligent investment in and upkeep of a secure application and network infrastructure, 2) rigorous and consistent authentication processes, 3) comprehensive auditing and reporting, and 4) responsible breach notification and response practices.
- “The weak links in the SSL scheme are that there's no overarching system or authority to rate, rank, or approve CAs, and there are no standards for how certificates are issued. It's up to the browser vendor to decide whether to trust a specific CA, and those vendors haven't been careful enough with those decisions.”
Ericka nailed it. In 2007 the CA/Browser Forum released guidelines that a CA must meet in order to issue EV SSL certificates, and just recently, in December 2011, the Forum also introduced the first-ever international baseline standards for CAs (effective July 1, 2012). But the creation of these standards, and continued education about them, is just the beginning.
Adding to the complexity is the number of CAs, which has grown exponentially in the past decade, from a handful then to hundreds now. This growth has occurred in a free-for-all environment, with the barrier to entry so low that almost any organization can anoint itself a CA and start issuing SSL certificates. This means IT security varies widely among CAs, even though every CA is responsible for upholding the security of the Internet and one weak link endangers everyone. When it comes to security, not all CAs are created equal.
- “SSL has too long a history to completely scrap it for less-mature technology that's potentially just as prone to vulnerabilities. However, the industry must make changes in how SSL functions to improve the security of Web transactions.”
It is important for the online community to understand that there is nothing inherently broken with SSL; it is really just about CAs and businesses doing the right thing to ensure that customer information remains secure. CAs following established best practices for securing private keys, along with vigilant enforcement of stringent authentication practices, are critical components in keeping the Internet a safe environment for all.