If you were going to try and determine who has had a worse go of it recently, the NSA or certificate authorities, you’d likely have to just flip a coin. And the coin would probably end up balanced on its edge. While the National Security Agency is scrambling to respond to and recover from the Edward Snowden leaks revealing many of its more sensitive collection methods, one of the larger CAs in the industry is making some key changes that will provide domain owners and users with greater transparency about the validity and security of the certificates it issues.
GlobalSign, one of the five largest CAs in the industry, will soon be moving to a new platform that will incorporate a concept known as Certificate Transparency, which gives users and domain owners much more information about the certificates it issues and whether they should be trusted. The change is a subtle one, but it’s an important shift for a major CA. Despite their central place in the Internet’s trust infrastructure, most CAs tend to be fairly opaque and reluctant to release much in the way of information about their operations. GlobalSign’s adoption of Certificate Transparency, a concept put forward by Google, is a move in the other direction, to give users more information about the certificates that they’re forced to trust on various sites.
“In the name of transparency we also will be adopting a proposal from Google called Certificate Transparency in our platform update next year. This will make it possible for the public at large to monitor all the certificates that we issue,” Ryan Hurst, GlobalSign’s CTO, said in a blog post.
“One part of how we believe this responsibility manifests itself is how we design, build and operate our services. When building our services we proactively consider state-sponsored attacks as part of our threat models. This means that sometimes we have to do things that are less efficient and more time consuming, but it also helps us protect against compromises from a well-funded and highly skilled adversary. This extends itself beyond our own engineering and operations practices to the service, hardware and software providers we choose to work with.”
Certificate Transparency is a system proposed by Google that involves a network of certificate logs, monitors and auditors. The logs are public lists of issued certificates and have cryptographically verifiable records. Monitors watch the certificate logs and look for any signs of malicious certificates or certificates with bad permissions or weird properties. Auditors ensure that the logs are behaving correctly and that every SSL certificate is in a log.
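The auditor's "is this certificate in the log?" check, as an added example that is not from the article, GlobalSign or Google: it uses the Merkle tree hashing and audit paths defined in RFC 6962, which is more detail than the article gives. The log entries, function names and index are constructed for illustration.

```python
import hashlib

def _leaf(data):  # RFC 6962 leaf hash: SHA-256(0x00 || entry)
    return hashlib.sha256(b"\x00" + data).digest()
def _node(left, right):  # interior node: SHA-256(0x01 || left || right)
    return hashlib.sha256(b"\x01" + left + right).digest()
def _split(n):  # largest power of two strictly less than n (n >= 2)
    return 1 << ((n - 1).bit_length() - 1)

def tree_root(entries):  # Merkle tree hash over all log entries
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return _leaf(entries[0])
    k = _split(len(entries))
    return _node(tree_root(entries[:k]), tree_root(entries[k:]))

def audit_path(index, entries):  # log side: sibling hashes, leaf to root
    if len(entries) == 1:
        return []
    k = _split(len(entries))
    if index < k:
        return audit_path(index, entries[:k]) + [tree_root(entries[k:])]
    return audit_path(index - k, entries[k:]) + [tree_root(entries[:k])]

def root_from_path(leaf_hash, index, size, path):  # auditor side
    if size == 1:
        if path:
            raise ValueError("proof too long")
        return leaf_hash
    if not path:
        raise ValueError("proof too short")
    k = _split(size)
    if index < k:
        return _node(root_from_path(leaf_hash, index, k, path[:-1]), path[-1])
    return _node(path[-1], root_from_path(leaf_hash, index - k, size - k, path[:-1]))

def verify_inclusion(entry, index, size, path, root):
    if not 0 <= index < size:
        return False
    try:  # a malformed proof is treated as "not included"
        return root_from_path(_leaf(entry), index, size, path) == root
    except ValueError:
        return False

# Constructed sample log: seven placeholder entries standing in for certificates
LOG = [b"cert-for-example.test #%d" % i for i in range(7)]
ROOT, PROOF = tree_root(LOG), audit_path(5, LOG)
```

The auditor needs only the entry, its index, the tree size, the proof hashes and the root the log has published; it never has to download the whole log.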
“When implemented, Certificate Transparency helps guard against several types of certificate-based threats, including misissued certificates, maliciously acquired certificates, and rogue CAs. These threats can increase financial liabilities for domain owners, tarnish the reputation of legitimate CAs, and expose Internet users to a wide range of attacks such as website spoofing, server impersonation, and man-in-the-middle attacks,” Google’s description of the framework says.
“I want to assure you that we have never received a request from any government to forward any key material or to certify any keys with any identity, domain name or organization information that was not legitimate, and if we did we would fight that request to our fullest ability,” Hurst said.
“Furthermore, we are the only certificate authority that I am aware of who has committed to provide notice to customers when we receive any requests for their data and it is (and always has been) expressly against our policy to use the fact we are a publicly trusted CA to facilitate a MiTM (man-in-the-middle).”
The most recent revelations about the NSA’s cryptographic capabilities have raised a number of questions in the security and technology communities about the trustworthiness of the protocols in common use today and which products the NSA has been able to compromise.