Consortium Issues Baseline Requirements for SSL

Tuesday, December 20, 2011

Headlines

69dafe8b58066478aea48f3d0f384820

The Certification Authority/Browser Forum has issued a set of baseline security requirements for authentication authorities to implement in an effort to bolster the effectiveness of secure sockets layer digital certificates.

Digital certificates are used by internet browsers to recognized legitimate websites and protect surfers from inadvertently exposing themselves to malware, phishing scams, impostors and spoofed landing sites.

"The primary goal of these Requirements is to enable efficient and secure electronic communication, while addressing user concerns about the trustworthiness of Certificates. The Requirements also serve to inform users and help them to make informed decisions when relying on Certificates," the release states.

SSL certificates are issued by only a handful of companies known as Certificate Authorities, such as VeriSign, GoDaddy, and the recently compromised Comodo.

Systemic weaknesses and a general lack of oversight governing the process used to issue digital certificates, key to the SSL standard used to validate legitimate websites, had prompted some security experts to wonder if that SSL may be hopelessly ineffective.

An improperly issued digital certificate for an unqualified domain name would allow an attacker to conduct exploits accompanied by validly signed and authenticated certificates.

“Right now, it's just an illusion of security. Depending on what you think your threat is, you can trust it on varying levels, but fundamentally, it has some pretty serious problems... The current security of SSL depends on these external entities and there's no reason for us to trust them. They don't have a strong incentive to behave well because they're not accountable" security researcher Moxie Marlinspike said last spring.

Other security experts agree that the issue comes down to accountability, and that CA's face no serious repercussions for a lack of due diligence in the issuing of digital certificates.

“In terms of what the CAs do, it seems like it's a bit of the old west. It doesn't seem like anyone is holding them accountable, even when something as severe as the Comodo incident happens," senior consultant Mike Zusman of security firm Intrepidus Group said previously.

The lack of accountability in the industry could lead to the issuing of certificates that present criminal enterprises with the opportunity to conduct large scale targeted cyber attacks that threaten businesses and their clientele.

Attempts to improve SSL security by internet browser providers is thwarted by the fact that blacklisting the root certificates for companies that have a record of issuing bad certificates would mean also blocking access to all the websites who have obtained valid certificates from the same companies.

The new guidance is not expected to have an immediate impact on SSL security, but they do represent a step in the right direction if the Certificate Authority system expects to remain relevant in the long run.

"These Requirements do not address all of the issues relevant to the issuance and management of Publicly-Trusted Certificates. The CA/Browser Forum may update the Requirements from time to time, in order to address both existing and emerging threats to online security. In particular, it is expected that a future version will contain more formal and comprehensive audit requirements for delegated functions."

The full set of baseline requirements can be found here:

Source:  http://www.cabforum.org/Baseline_Requirements_V1.pdf

Possibly Related Articles:
15332
General
Encryption SSL Browser Security Digital Certificates Trust Headlines HTTPS Guidelines Certificate Authority
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.