CAs Form New Alliance to Focus on Security Issues, Education

A group of large certificate authorities, including some that have been the victims of recent compromises of their CA systems, have formed an alliance designed to develop strategies for strengthening the CA infrastructure through education and industry initiatives. Comodo, DigiCert, Entrust, Symantec and Go Daddy and other companies announced the alliance on Thursday.

CASA group of large certificate authorities, including some that have been the victims of recent compromises of their CA systems, have formed an alliance designed to develop strategies for strengthening the CA infrastructure through education and industry initiatives. Comodo, DigiCert, Entrust, Symantec and Go Daddy and other companies announced the alliance on Thursday.

The new alliance, called the Certificate Authority Security Council, plans to focus on a series of topics, the first of which is OCSP stapling. Online Certificate Status Protocol (OCSP) is used to communicate information about a certificate’s validity and revocation status. Stapling removes some of the bandwidth burden and other requirements for checking the status of a certificate.

“OCSP stapling is a significant improvement on traditional CRLs and OCSP revocation mechanisms because it eliminates the communication between the browser and CA when establishing the SSL connection. This leads to an increase in browsing performance and eliminates an attacker’s ability to successfully block a CA’s ability to provide revocation information. Stapled OCSP responses are cached by the web administrator and sent back to the relying party during the communication, effectively reducing bandwidth requirements and speeding up the SSL connection,” Jeremy Rowley, associate general counsel at DigiCert, and one of the members of the CASC, wrote in a blog post.

The establishment of the new alliance comes at a time when CAs are under fire from attackers looking to compromise their infrastructure and use it for their own purposes, and from critics, as well, who say that the CA system is outdated and needs a complete overhaul. CAs have been besieged by attacks in the last couple of years, including high-profile incidents such as the attack on Comodo in 2011 that involved an attacker issuing fraudulent certificates for Google, Mozilla and a number of other important sites. The DigiNotar attack in 2012 was similar and ended up with the Dutch CA going out of business.

The CA infrastructure supports SSL, the widely deployed standard for encrypted communications. SSL itself has been the target of a number of recent breakthroughs in security research, including a paper published recently on an attack on TLS called Lucky Thirteen that enables an attacker to use a variety of a padding oracle attack to decrypt an entire TLS record. The attack follows up on work done by other researchers on SSL attacks known as BEAST and CRIME.

The CASC is meant to serve as a unified front for all of the CAs involved.

While not a standards-setting organization, we’re committed to supplementing standards-setting organizations by providing education, research, and advocacy on the best practices and use of SSL. This means that we will also actively promote new and proposed standards and practical enhancements to the SSL ecosystem that we think will help protect everyone,” said Robin Alden, CTO of Comodo.

“While CAs can do more to improve SSL security, we can’t do it alone. Browsers, software vendors, web server administrators, even end users can contribute by getting educated about the key factors and working together to value security.”

CA image via the CASC.

Suggested articles

Discussion

  • sleewsweela on

    Hello! I just would like to give a huge thumbs up for the wonderful information you've got here on this post. I is going to be coming back to your weblog for more soon.
  • stufftobsom on

    I discovered your blog web page on google and check some of your early posts. Continue to maintain up the incredibly superior operate. I just further up your RSS feed to my MSN News Reader. Looking for forward to reading a lot more from you later on!
  • apapsesetle on

    I discovered your weblog internet site on google and check a few of your early posts. Continue to maintain up the very excellent operate. I just extra up your RSS feed to my MSN News Reader. Searching for forward to reading much more from you later on!
  • ZoorkIdoksCed on

    Hello. Do anyone know what is all about this cookie acceptation thing? Is it safe? Thanks for answer

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.