Establishing Digital Trust: Don't Sacrifice Security for Convenience
In recent years, SSL Certificate Authorities (CAs) have come under attack by researchers and hackers as a possible weak link in the Internet security chain. The CAs are now fighting back with a new group known as the Certificate Authority Security Council (CASC).
The CASC aims to advance the state of Internet security and act as an advocacy and standards building group for the SSL industry. The CASC's initial membership consists of the largest CAs in the world, including GoDaddy, Symantec, Trend Micro, Comodo, DigiCert and Entrust.
"The reason for creating the Security Council is that there have been increased security threats against CAs from at least 2011," said Kirk Hall, operations director, Trust Services at Trend Micro.
In 2011, SSL CA Comodo was breached, in an exploit originally identified as a nation state attack sponsored by the government of Iran. SSL CA DigiNotar was also breached in 2011 in an exploit that enabled attackers to issue fraudulent certificates for Google.com. Earlier this year, SSL CA TURKTRUST also issued illegitimate SSL certificates for Google.com.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
According to Hall, CAs have been actively trying to improve security since 2005, via the CA Browser Forum group. Hall said the CAs felt they needed a new organization with a voice that could move forward on projects that are importance to the CAs.
One of the CASC's goals is to help improve the SSL protocol itself. That effort will include improving how browser and server software works to support SSL. It also includes efforts to help CAs improve operations.
SSL Security Today
Though a few SSL CAs have been found somewhat lacking in recent years, Hall argued that CAs deserve credit for the security work they have done to date. "In my mind, no other industry group has done more to regulate itself through auditable standards than SSL CAs," he said.
Hall noted that the CA Browser Forum was created in 2005 to communicate about SSL. The first effort from the forum were the EV-SSL guidelines in 2007. EV-SSL (Extended Validation) SSL certificates are intended to provide an additional layer of trust and integrity verification into SSL certificate ownership.
According to Hall, the first public report of a wrongly-issued SSL certificate by a CA was in 2001. Over the last 12 years, Hall argued that CAs have done a stellar job of maintaining trust and security.
Noting that there are some 2 million trusted certificates issued every year by all CAs worldwide, Hall said. "We estimate that since 2001, there have been approximately 1,000 wrongly-issued certificates."
Of those wrongly-issued SSL certificates, half are directly attributable to DigiNotar, the disgraced CA that was hacked by attackers. Hall characterizes the other half as simply "mistakes" where no system or infrastructure level hacks occurred.
Doing the math, Hall estimates that since 2001 approximately 91 bad SSL certificates have been issued each year. That provides an accuracy rate of approximately 99.995 percent since 2001.
The first project the CASC is undertaking is around the critical issue of certificate revocation. Ryan Hurst, chief technology officer at SSL CA GlobalSign, told eSecurity Planet that poorly configured SSL servers still run older versions of SSL/TLS that do not support more modern cryptographic suites such as AES-GCM.
Some website owners haven't moved over to newer versions of SSL/TLS due to performance issues. Websites do have control over the way that SSL certificate revocation works, which can impact performance.
"When a browser visits a website, the browser makes a request to the CA to check to see if the certificate is valid," Hurst said.
That validation request occurs over the Online Certificate Status Protocol (OCSP). The OCSP transaction request happens over a new TCP/IP socket and requires an additional DNS lookup as well as data transfer.
"While CAs operate robust infrastructure for doing those things, a request that is made has a performance cost associated with it," Hurst explained. "No content is downloaded from the target server until the OCSP check has been completed."
The new OCSP stapling effort allows a Web server to check its own status with the CA. The Web server will get back a properly signed and cryptographically verifiable message. That certificate validation check is then stored locally on the Web server and can be passed to Web browser clients.
"This saves the DNS lookup, the TCP/IP socket and the additional downloading of data, which addresses the perceived performance delay of deploying SSL/TLS," Hurst said.
OCSP stapling is only available on the most recent versions of SSL/TLS, however. The CASC hopes that if it evangelizes the OCSP stapling feature, more organizations will update to newer versions of SSL/TLS.
While OCSP stapling will help improve performance, it would not have made a big difference in the most recent SSL CA attacks.
SSL CAs have root certificate trust which is baked into major Web browsers. A CA trust is revoked if browser vendors, such as Microsoft and Mozilla, remove the trust. "We do revoke intermediate CAs," Hurst said.
Hurst explained that OCSP-type revocations more commonly occur when a Web server operator loses a key or there is a Web server security breach.
Revocation checking is crucial to solving SSL security incidents, stressed Trend Micro's Hall.
"It's the right response for a CA to revoke bad certificates," Hall said. "As long as revocation checking is on, that should be sufficient that a given certificate should not be trusted."
Additionally, browser vendors are not just relying on OCSP. Browsers also can blacklist a potentially breached or exploited CA to provide an additional layer of security.
"That way users get a double hit," Hall said. "There is revocation checking as well as the browser that will tell you that something shouldn't be trusted."
Hall added that it's easier now for browser vendors to push out CA updates, since the browsers themselves are updated more frequently than the past.
"But really, OCSP revocation checking is the first line of defense," Hall said.