Certificate Authorities Form Group to Educate on SSL Best Practices

But in the past several years, CAs like RSA, DigiNotar and Comodo have been the victims of breaches that potentially allowed hackers to create their own fraudulent certificates. Last week, a banking Trojan was found in the wild with a valid digital certificate purchased from a CA using a fraudulent identity.

The problem is not an academic one. Last week, security firm Bit9 disclosed that hackers had penetrated its network, gained access to several of its digital certificates and used them to masquerade as Bit9 to install malware on the systems of three of Bit9's customers.

Responding to these increasing threats (sophisticated hacker networks, global cybercriminal organizations and state-sponsored espionage), seven global CAs came together on Thursday to form the Certificate Authority Security Council (CASC), an advocacy group aimed at promoting best practices to advance the security of websites and online transactions. The CAs include Comodo, DigiCert, Entrust, GlobalSign, Go Daddy, Symantec and Trend Micro. Together they represent 95 percent of all certificates issued, says Kirk Hall, operations director for Trust Services at Trend Micro.

"There have been increased threats against CAs in the past several years," says Hall. "There was room for us to do more working together as CAs."

"There's a surprising amount of things that we can do with users and others involved in deploying certificates that can make the system much stronger," he adds.

CASC Will Start by Promoting OCSP Stapling

CASC's first initiative will be a series of educational and advocacy efforts related to best practices in SSL deployment, particularly online certificate status checking and revocation.

"If we look at the SSL ecosystem as it exists today, there's a few things that could be better," says Ryan Hurst, CTO of GlobalSign. "SSL isn't deployed as widely as everyone would like. And even people that deploy SSL only deploy it on a portion of their sites because they're concerned about performance."

For that reason, the first initiative will highlight the benefits of Online Certificate Status Protocol (OCSP) stapling to web server administrators, software vendors, browser developers and end users. OCSP stapling is an alternative way of delivering OCSP responses, which convey the revocation status of X.509 certificates. OCSP is often seen as the culprit behind the performance hits that, Hurst says, prevent people from deploying SSL more broadly.

"OCSP stapling actually goes a long way toward reducing the performance tax associated with performing that check and thus speeds up SSL," Hurst says.
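A defender's way to verify whether a server actually staples OCSP responses is to inspect the output of `openssl s_client -status`. The following shell function, added here as an illustration and not part of the article or of CASC's materials, classifies that output; the sample text it ships with is constructed to mirror s_client's output format, not a real capture, and the `stapling_status` name is my own.

```shell
#!/bin/sh
# Added example (not from the article): classify a TLS endpoint's OCSP
# stapling behaviour from the text printed by `openssl s_client -status`.
#
# Live use (needs network access; "stapling_status" is an assumed helper name):
#   openssl s_client -connect example.com:443 -servername example.com -status \
#       </dev/null 2>/dev/null | stapling_status
#
# Reads s_client output on stdin and prints one of:
#   stapled-good     a stapled response was sent and reports the cert as good
#   stapled-revoked  a stapled response was sent and reports the cert as revoked
#   stapled-other    a response was sent but is unusable (error or unknown status)
#   not-stapled      no OCSP response sent; the client must query the CA itself,
#                    which is the round trip stapling is meant to remove
stapling_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo not-stapled; return 1
    fi
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
            echo stapled-good; return 0
        fi
        if printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
            echo stapled-revoked; return 2
        fi
    fi
    echo stapled-other; return 3
}

# Constructed samples of the relevant s_client lines (not real captures).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Jan  1 00:00:00 2013 GMT
    Next Update: Jan  8 00:00:00 2013 GMT'

SAMPLE_NONE='OCSP response: no response sent'
```

A server that returns `not-stapled` forces every client back onto a live OCSP lookup, which is exactly the latency CASC's first initiative targets.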

Hurst notes that advocating best practices around code signing is likely to be a future initiative of CASC.

"This is just the first of many projects that we as a group will work on together," Hurst says.

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com.
