A group of large certificate authorities, including some that have been the victims of recent compromises of their CA systems, have formed an alliance designed to develop strategies for strengthening the CA infrastructure through education and industry initiatives. Comodo, DigiCert, Entrust, Symantec and Go Daddy and other companies announced the alliance on Thursday.
The new alliance, called the Certificate Authority Security Council, plans to focus on a series of topics, the first of which is OCSP stapling. Online Certificate Status Protocol (OCSP) is used to communicate information about a certificate’s validity and revocation status. Stapling removes some of the bandwidth burden and other requirements for checking the status of a certificate.
“OCSP stapling is a significant improvement on traditional CRLs and OCSP revocation mechanisms because it eliminates the communication between the browser and CA when establishing the SSL connection. This leads to an increase in browsing performance and eliminates an attacker’s ability to successfully block a CA’s ability to provide revocation information. Stapled OCSP responses are cached by the web administrator and sent back to the relying party during the communication, effectively reducing bandwidth requirements and speeding up the SSL connection,” Jeremy Rowley, associate general counsel at DigiCert, and one of the members of the CASC, wrote in a blog post.
The establishment of the new alliance comes at a time when CAs are under fire from attackers looking to compromise their infrastructure and use it for their own purposes, and from critics, as well, who say that the CA system is outdated and needs a complete overhaul. CAs have been besieged by attacks in the last couple of years, including high-profile incidents such as the attack on Comodo in 2011 that involved an attacker issuing fraudulent certificates for Google, Mozilla and a number of other important sites. The DigiNotar attack in 2012 was similar and ended up with the Dutch CA going out of business.
The CA infrastructure supports SSL, the widely deployed standard for encrypted communications. SSL itself has been the target of a number of recent breakthroughs in security research, including a paper published recently on an attack on TLS called Lucky Thirteen that enables an attacker to use a variety of a padding oracle attack to decrypt an entire TLS record. The attack follows up on work done by other researchers on SSL attacks known as BEAST and CRIME.
The CASC is meant to serve as a unified front for all of the CAs involved.
“While not a standards-setting organization, we’re committed to supplementing standards-setting organizations by providing education, research, and advocacy on the best practices and use of SSL. This means that we will also actively promote new and proposed standards and practical enhancements to the SSL ecosystem that we think will help protect everyone,” said Robin Alden, CTO of Comodo.
“While CAs can do more to improve SSL security, we can’t do it alone. Browsers, software vendors, web server administrators, even end users can contribute by getting educated about the key factors and working together to value security.”
CA image via the CASC.