Myths: SSL Is Broken; CAs Aren't Valuable
Posted 2013-09-10
Some claim that all SSL certificates are the same or that CAs don’t provide value. Another myth is that SSL is outdated and buggy. Let’s set the record straight.
Why Use CAs?
Do CAs provide enough value? For the past 20 years, CAs have been the guardians of online trust by putting their own reputations on the line. CAs invest a lot of effort in securing their internal operations and data centers, training their staff on best practices for certificate validation and issuance, and enforcing industry controls using periodic vulnerability and penetration testing along with annual third-party audits. Most CAs belong to the CA/B Forum, hold each other accountable and work to ensure that the incidents faced by a few CAs in 2011 are not repeated.
One misconception is that CAs are not regulated, when in reality CAs are subject to rigorous audits. Qualified third-party firms conduct the audits, and leading browsers set strict criteria that a CA must meet before it is accepted into their root stores.
Solid and publicly available baseline requirements and guidelines establish global standards for certificate issuance and CA controls that will soon be included in those third-party auditing standards. Noncompliant CAs can be excluded from the root store by the browser companies.
Another complaint from people who are proposing alternative models of assurance is that CAs are limited, unresponsive and unwilling to accept new changes needed in the TLS/SSL protocol. In truth, it is nearly the opposite.
A large number of CAs participate in industry standards-making bodies, educational groups and research organizations that regularly assist in creating proposals and adopting standards. CAs actively work with browsers, relying parties and other stakeholders to enhance Internet security through practical, thoughtful measures and collaborative research. Much of this dialogue takes place in a public setting, such as CA/B Forum discussions.
Do CAs have any incentive to innovate and make needed changes? Absolutely! Because the CAs’ reputations are essential to their survival, they feel a sense of urgency to enact needed changes and are working together to enhance the SSL system. Every time news spreads that a CA has failed, the reputation of all CAs—and the system itself—suffers.
Therefore, most CAs work very hard to evolve the industry and maintain an aggressive and effective security posture toward their own systems and those of their clients. Mandatory standards recently adopted include baseline requirements, network security guidelines, and EV code signing and enhancements to EV SSL standards, while others are currently being debated.
The TLS/SSL ecosystem has matured over the past 20 years and has become the cornerstone of trust on the Internet. Because of the huge investments CAs have made for their own future and the state of SSL, it is safe to say that TLS certificates from CAs will remain an ever-improving fixture for years to come.
Although the concepts underlying digital certificates haven’t changed much, new ways to manage certificates, higher encryption levels and extended validation certificates are being developed. And while detractors can point to a small number of isolated incidents that have eroded trust in CAs, we think it’s fair to say that the development of better standards—along with the support and collective accountability of the CA/B Forum—will enable CAs to remain the guardians of trust for years to come.
Rick Andrews is on the steering committee of the Certificate Authority Security Council (CASC), an advocacy group of global certificate authorities committed to best practices that advance trusted SSL deployment and CA operations, as well as the security of the Internet in general.