Certificate Authorities to push for better certificate-revocation checking
The newly formed Certificate Authority Security Council will raise awareness about OCSP stapling
IDG News Service - Several Certificate Authorities (CAs) have formed an advocacy group called the Certificate Authority Security Council (CASC), which will focus on promoting new security standards, policies and best practices for SSL (Secure Sockets Layer) deployment on the Web.
CASC was launched on Thursday and its member list includes representatives from Symantec, Trend Micro, Comodo, DigiCert, Entrust, GlobalSign and Go Daddy. CAs are organizations that issue digital certificates.
The group's first efforts will focus on educating Web server administrators, software vendors, browser developers and end users about the importance of certificate-revocation checking and the benefits of adopting and implementing a mechanism called OCSP stapling -- OCSP stands for Online Certificate Status Protocol.
Ensuring that certificate-revocation information reaches users in a timely manner is very important, especially in light of several security breaches that affected Certificate Authorities during the past few years and resulted in rogue certificates for high-profile domains being issued fraudulently.
CAs use two mechanisms to announce certificate revocations: certificate-revocation lists (CRLs) that are updated periodically and OCSP responders -- servers that respond on-the-fly to certificate-revocation checks initiated by clients.
When encountering a digital certificate, modern browsers first verify that it is signed by a trusted CA and then send an OCSP request to that CA's OCSP responder in order to check if the certificate is still valid -- whether it has, for example, expired or has been revoked for some reason.
However, if their OCSP and CRL requests fail because of network errors, most browsers will, by default, accept the certificate and proceed to establish the connection. This is a soft-fail approach that favors usability over security.
For example, an attacker who has the ability to launch a man-in-the-middle attack using a rogue digital certificate can intercept the OCSP requests of the victim's browsers and block them, forcing the browser to accept the certificate even if the issuing CA revoked it in the meantime.
OCSP also raises privacy concerns because by contacting the CA to check the validity of a certificate, the browser indirectly tells the CA that the user visited a certain website.
OCSP stapling resolves both the security and privacy issues of current OCSP implementations, because the client no longer contacts the CA's OCSP responder directly. Instead, the HTTPS server queries the OCSP responder periodically and caches a signed and time-stamped response which is then included -- stapled -- in the SSL handshake with clients.
OCSP stapling also improves performance because it decreases the time required to establish a HTTPS connection by eliminating the additional request sent by the client to a third party.
"The CASC plans to educate affected parties in the coming months through blog posts, conference presentations, and other resources that will help people learn about OCSP stapling and make it easier for web server administrators to understand how to enable OCSP stapling on their servers," CASC said Thursday on its website. "We also plan to encourage wider adoption of this critical technology among software vendors and browsers."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts