Why your choice of a Certificate Authority matters in the long run
By now you’re probably aware of the Turkish Certificate Authority that had mistakenly issued two intermediate CA certificates to two organizations in Turkey. With these trusted intermediate certificates, the two organizations, a Turkish bank and a Turkish government transportation agency, had the ability to issue fraudulent or unauthorized certificates for domains that they do not control. In this instance, a rogue, wildcard certificate was issued for google.com without permission from Google.
According to the certificate authority, TURKTRUST, this incident occurred during a software migration in August 2011. In a statement released by the CA, the certificate profiles of the intermediate certificates in question were moved to a production server. This led to intermediate CA certificates being issued without the CA realizing what had happened. Google identified the rogue certificate on their domain on December 24th. Since then the bad intermediate certificates have been blacklisted by Google and Microsoft. Mozilla plans to blacklist on January 8th. Additionally, the Chrome browser will no longer display Extended Validation status for any SSL certificate issued by TURKTRUST.
What caused this CA’s incident?
The news and social media coverage following TURKTRUST’s mistake point to the same concerns about the CA model as reported with the Comodo breach and DigiNotar’s downfall in 2011. As security critics continue the growing debate about how we as an industry need to reexamine the CA model as a whole, one important question never comes up: What caused this mishandling of certificates issued by the CA in question?
If I ballpark it, I’d estimate that it costs roughly $1 million to get a small CA up and running and that’s not an insignificant amount of money. People who manage Certificate Authorities mean well. But SSL is a very competitive market, and there’s an incredible amount of pressure to issue certificates quickly at constantly, lower prices.
In order to compete, smaller CA’s may cut corners where they can to maintain operations and turn a profit. However, these cuts may include the necessary investments in hardware and software upgrades, monitoring of proper operations, security infrastructure investments, and thorough authentication practices.
In the case of TURKTRUST, systems were not in place to prevent what happened. Furthermore, TURKTRUST has not provided any evidence to the CA/B Forum that they are in compliance with the CABF Baseline Requirements that went in effect July 2012. They are not alone for other CA’s are also remiss in meeting these requirements.
In fact, Symantec is the only CA to publicly announce our compliance with the CABF Baseline Requirements. We invest heavily in our infrastructure and in our authentication best practices to ensure we deliver the highest level of protection of information, people and the trust ecosystem.
In a nutshell, the number of CAs has grown substantially over the past decade, from a handful to now hundreds of global CAs. This resulted in many CAs offering services lacking stringent controls and not following the CA industry guidelines, especially the CABF Baseline Requirements. Each CA is responsible for upholding the security of the Internet and one weak link endangers the entire SSL foundation.
When it comes to security, business continuity, and overall peace of mind, remember not all CAs are created equal.