Myths: SSL Is Broken; CAs Aren’t Valuable

By Rick Andrews

There is a lot of muttering going on at conferences and in online articles by both experts and interested amateurs about whether the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) ecosystem is broken. A vocal minority are even wondering if we should stop using certification authorities (CAs) altogether.

These questions are outgrowths of the misconceptions about TLS/SSL and CAs that continue to flourish in the industry.

Some claim that all SSL certificates are the same. Others say CAs don’t provide value and are not well-regulated—just look at the public failures! Another myth is that SSL itself is outdated and buggy.

Let’s set the record straight.

Is SSL Broken?

Some people say that SSL is broken and beyond repair. They argue that there is a need to find a replacement system for authenticating identities online. However, the SSL protocol has proven to be remarkably robust, and SSL certificates remain the world’s most reliable and scalable cryptographic system. The high-profile security failures involving SSL were due to the lack of proper internal security controls at the end-entity level, rather than a system-wide failure.

Most CAs are focused on tightening global standards to mitigate such incidents in the future. While no security solution is fully foolproof because of evolving threats, the best option for the future is one that focuses on making practical, scalable enhancements to the current system instead of trying to replace it with systems that are untried and untested in scale.

So is SSL an outdated system with too many vulnerabilities to work long-term? As a key component of Internet security for nearly 20 years, certificates from publicly trusted CAs remain the most proven, reliable and scalable method to protect Internet transactions. CAs continue to work in collaboration with the industry and security ecosystem players to enhance the SSL protocol and enable additional functionality that will continue to protect all users and meet evolving threats.

But not all types of certificates are the same. CAs issue a variety of certificates to handle different purposes. This includes code-signing certificates that protect applications from tampering and malware, SSL certificates that secure Website transactions, client-authenticated certificates used in enterprise public-key infrastructure (PKI) settings, and Secure Multipurpose Internet Mail Extension (S/MIME) certificates that authenticate email exchanges. CAs also offer TLS/SSL certificates with varying levels of validation.

Depending on the certificate, a CA may verify: the registration or control of the domain by the entity requesting a certificate; that the organization is a registered legal entity and the person requesting the certificate is authorized to act on its behalf; and that the organization has a verified identity and phone number, legitimate business address and verified requester. Both extended-validation (EV) and organization-validated (OV) certificates include identifying information about the certificate holder in the organizational field of the certificate.
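These validation levels show up in the subject of the certificate a server presents. The following Python is an added example, not part of the original article: it guesses the level from the subject structure returned by the standard library's getpeercert(), using hypothetical helper names and constructed sample subjects, with domain-only certificates labelled DV.

```python
import socket
import ssl

# Subject attributes the EV Guidelines require in addition to organizationName.
EV_MARKERS = ("businessCategory", "serialNumber", "jurisdictionCountryName")


def flatten_subject(subject):
    """Turn getpeercert()'s tuple-of-RDNs subject into {attribute: [values]}."""
    fields = {}
    for rdn in subject:
        for name, value in rdn:
            fields.setdefault(name, []).append(value)
    return fields


def validation_level(subject):
    """Heuristic DV/OV/EV guess from subject fields alone.

    The authoritative signal is the CA/B Forum policy OID in the
    certificatePolicies extension, which getpeercert() does not expose.
    """
    fields = flatten_subject(subject)
    if "organizationName" not in fields:
        return "DV"  # only control of the domain was asserted
    if all(marker in fields for marker in EV_MARKERS):
        return "EV"
    return "OV"


def peer_subject(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate's subject from a live server."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


# Constructed sample subjects in getpeercert() format (not real certificates).
DV_SUBJECT = ((("commonName", "dv.example"),),)
OV_SUBJECT = (
    (("countryName", "US"),),
    (("organizationName", "Example Org, Inc."),),
    (("commonName", "ov.example"),),
)
EV_SUBJECT = OV_SUBJECT + (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "US"),),
    (("serialNumber", "0000000"),),
)
```

Calling validation_level(peer_subject("host.example")) applies the same check to a live server; treat the result as a hint, since only the policy OID states the level the CA actually applied.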

Some industry people believe that hundreds of intermediate CA certificates are issued by hundreds of different CAs, making SSL a commodity business with too many certificates to handle. Although hundreds of intermediate certificates may exist worldwide, Mozilla’s root store lists approximately 65 proprietary holders of trusted root certificates. In addition, nearly 90 percent of all Internet SSL certificates issued originate from the root certificates of the world’s five largest providers.

Each CA is subject to standards passed by the Certification Authority/Browser Forum (CA/B Forum) and is audited by an accredited third-party accounting firm. The CA/B Forum, initiated in 2005, is a standards body that strives to implement standards across all CAs, as well as browsers such as Chrome and Firefox.

Even so, we still hear protests that certificate revocation is either unnecessary or broken, and that its benefits do not outweigh the potential browser-performance issues. In truth, certificate revocation plays a key role in the SSL ecosystem as a leading authentication tool in determining whether a certificate should be trusted.

Billions of certificate status requests are sent each day to revocation response servers located worldwide. These servers inform the browser about whether or not a certificate should be treated as valid, and they protect users by ensuring that browsers navigate to trusted pages. Many CAs are working with browsers and other parties to further improve existing methods and develop new revocation systems that effectively balance performance and security and provide a faster trusted experience for all Internet users.