New York Times emphasizes risks of disreputable CAs

Created: 17 Aug 2010 • Updated: 18 Dec 2012
Tim Callan

A recent New York Times article discusses the concerns held by online civil rights groups that oppressive governments around the world might work with certificate authorities (CAs) through either coercion or willing partnership to compromise the integrity of private and/or corporate online communications.

The article points out that the proliferation of CAs around the world means the world's browser and device vendors have handed the tremendous responsibility of issuing certificates to a very broad range of organizations. Given that the conduct of these CAs is not policed to any effective degree, an unscrupulous CA could easily allow a government to decrypt communications, use the compromised information for a variety of political purposes, and face no retribution.

Such concerns highlight the need for individuals and organizations to look to long-standing, responsible CAs with a proven track record of issuing and managing certificates correctly. This means looking for trust marks such as the signature VeriSign "check" to verify the identity of the CAs validating and securing their most important online transactions and communications.

While we usually talk about "trust" in terms of the ability to trust your search link results, the sites you visit and the transactions you make, this current discussion highlights that a historic track record of corporate integrity and responsible SSL stewardship truly matters as much as advanced technology capabilities such as seal-in-search, web site malware scanning and EV SSL.

Once again, another debate reminds us that "who you trust" matters more than ever.

Although the article describes it only in very high-level terms, Mozilla's Jonathan Nightingale clearly recommends EV SSL as one avenue for combating this problem:

Mr. Nightingale said that many e-commerce sites were using a new type of certificate that required extensive verification. If a certificate authority was misusing its power to eavesdrop, he said, a user with technical skills could detect the attack, and the organization's power to issue certificates would be revoked.
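What "a user with technical skills could detect the attack" means in practice is comparing the certificate a site presents today with what that site was seen using before, and raising an alarm when a different CA has suddenly issued one for it. The following is an added illustration, not code from the original post or from VeriSign; the hostnames, issuer names and fingerprint strings are constructed placeholders.

```python
# Added example (not from the original post): flag a possible CA mis-issuance
# by comparing the certificate a client is presented with against a baseline
# recorded earlier for that host. All records are constructed sample data;
# the fingerprint strings are placeholders, not real certificate hashes.

from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class ObservedCert:
    host: str          # hostname the client connected to
    issuer: str        # issuing CA, as shown in the certificate's issuer field
    fingerprint: str   # SHA-256 of the DER certificate (placeholder values here)

# Baseline: what each site was seen using from an earlier visit or an
# out-of-band check. Constructed sample data.
BASELINE = {
    "bank.example": ObservedCert("bank.example", "Example Trusted CA", "sha256:AAA"),
    "mail.example": ObservedCert("mail.example", "Example Trusted CA", "sha256:BBB"),
}

def check_presented(observed: ObservedCert, baseline=BASELINE) -> Optional[str]:
    """Return None when the presented certificate matches the baseline, otherwise
    a short reason. A changed issuer is the case the article describes: a
    different CA, possibly coerced, has issued a certificate for the site."""
    known = baseline.get(observed.host)
    if known is None:
        return "no baseline for host"       # first sight: report as unverified, not as an attack
    if observed.fingerprint == known.fingerprint:
        return None                         # exactly the certificate seen before
    if observed.issuer != known.issuer:
        return f"issuer changed: {known.issuer!r} -> {observed.issuer!r}"
    return "certificate changed under the same issuer"  # may be a renewal; worth a look

def scan(observations, baseline=BASELINE):
    """Run check_presented over a sequence of observations and return (host, reason) alerts."""
    return [(o.host, reason) for o in observations
            if (reason := check_presented(o, baseline)) is not None]

if __name__ == "__main__":
    sample = [
        ObservedCert("bank.example", "Example Trusted CA", "sha256:AAA"),   # unchanged
        ObservedCert("mail.example", "Coerced Regional CA", "sha256:CCC"),  # unexpected CA
        ObservedCert("shop.example", "Example Trusted CA", "sha256:DDD"),   # never seen before
    ]
    for host, reason in scan(sample):
        print(f"{host}: {reason}")
```

Browser extensions and pinning mechanisms automate exactly this comparison; the detection is only as good as the independent baseline it is checked against.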