It’s an interesting time for certificate authorities. On the one hand, interest has never been higher in Web encryption, privacy and transport security, thanks to Edward Snowden. But on the other hand, the last few years have seen a steady stream of compromises of CAs, mis-issued certificates and other problems.
CAs hold the security and trust of the Web in their hands, and issues like an intermediate CA associated with Chinese certificate authority CNNIC mis-issuing certificates for Google domains haven’t helped reinforce that trust. To help address the problems, CA DigiCert is introducing a new platform that enables continuous monitoring of all of an organization’s certificates to protect against fraudulent certificate issuance, theft and other abuses of the system. The platform is based on DigiCert’s participation in Google’s certificate transparency scheme, which creates public logs of issued certificates.
Certificate Transparency relies on CAs submitting the certificates that they issue to public logs so that anyone can inspect the logs and look for problems or conflicts. Google, which is behind the CT plan, operates the initial public log servers, and DigiCert operates the first non-Google log.
Jason Sabin, CSO of DigiCert, said in an interview that the system is designed to give customers more control of and supervision over the certificates they have in use.
“In some large organizations, you can get people who need to get something done for a certain project so they go and grab a domain and don’t have time to go through whatever process they have in place for getting a certificate,” Sabin said. “So they do it themselves, but then the organization doesn’t know it’s happened, or perhaps it wasn’t done correctly.”
The CertCentral platform that DigiCert is rolling out allows for continuous monitoring of an organization’s certificates, and it also can protect companies against phishing and other attacks that play off of variants of their legitimate domains.
“We can look for people using certificates that are close variants of your domains, like using zeroes for the letter O or things like that,” Sabin said.
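The two monitoring checks described above (certificates for an organization’s domains that were not issued through its approved process, and certificates for lookalike variants such as a zero in place of the letter O) can be run over parsed Certificate Transparency log entries. The code below is an added illustration, not DigiCert’s or CertCentral’s own; the entry fields, issuer name, organization domains and homoglyph table are all constructed for the example, and the registrable-domain logic is a simplification that ignores the public suffix list.

```python
from typing import Dict, List, Tuple

# Assumed monitoring policy (constructed for this example).
ORG_DOMAINS = {"example.com"}
APPROVED_ISSUERS = {"Example Corp Approved CA"}  # hypothetical issuer name

# Character substitutions commonly used in lookalike domains (zero for O, one for l, ...).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def registrable(name: str) -> str:
    """Last two labels of a host name (simplification: no public-suffix list)."""
    return ".".join(name.lower().strip(".").split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold homoglyph substitutions so 'examp1e.com' compares equal to 'example.com'."""
    for glyph, letter in HOMOGLYPHS.items():
        domain = domain.replace(glyph, letter)
    return domain


_NORMALIZED_ORG = {normalize(d) for d in ORG_DOMAINS}


def classify(entry: Dict) -> List[Tuple[str, str]]:
    """Return (host name, finding) pairs for one parsed CT log entry."""
    findings = []
    for name in entry["names"]:
        base = registrable(name)
        if base in ORG_DOMAINS:
            # Certificate for our own domain: was it issued by a CA we approved?
            if entry["issuer"] not in APPROVED_ISSUERS:
                findings.append((name, "unexpected-issuer"))
        elif normalize(base) in _NORMALIZED_ORG:
            # Not our domain, but collapses onto it once homoglyphs are folded.
            findings.append((name, "lookalike-domain"))
    return findings


def monitor(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Run classify() over a batch of parsed log entries."""
    out: List[Tuple[str, str]] = []
    for entry in entries:
        out.extend(classify(entry))
    return out


# Constructed sample entries standing in for parsed CT log records.
SAMPLE_ENTRIES = [
    {"issuer": "Example Corp Approved CA", "names": ["www.example.com", "example.com"]},
    {"issuer": "Other Public CA", "names": ["api.example.com"]},
    {"issuer": "Other Public CA", "names": ["login.examp1e.com"]},
    {"issuer": "Other Public CA", "names": ["unrelated.org"]},
]

if __name__ == "__main__":
    for host, finding in monitor(SAMPLE_ENTRIES):
        print(f"{finding}: {host}")
```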
The new platform also enables a faster installation and configuration process for new certificates, Sabin said.