How the Digital Certificates Ecosystem is Being Strengthened
Several initiatives are strengthening the digital certificate ecosystem: improved certificate revocation checking, EFF's SSL Observatory for cataloging certificates, Google's Certificate Transparency project, and certificate pinning in browsers and tools like EMET. Pinning—remembering which CAs should sign specific certificates—appears most promising.
Given the many ways in which digital certificates can be misused and the severe repercussions of such incidents, several initiatives have been launched to strengthen the ecosystem within which the certs are issued, validated and utilized. This is a start of what I hope will be a slew of projects and security improvements that will gradually gain foothold in enterprise and personal environments. Current efforts to improve the state of the web’s Public Key Infrastructure (PKI) include:
- Operating systems and software is becoming more mindful of the need to maintain up-to-date lists of revoked certificates. For example, while Internet Explorer on Windows XP only enabled code-signing revocation checking by default, Vista and higher also checks for the revoked server certificates used in SSL/TLS connections by default, according to Websense. Microsoft has also enhanced its mechanism for automatically distributing updates to the listing of revoked certificates.
- EFF launched the SSL Observatory project, to catalog the SSL/TLS certificates used by websites to facilitate the “search for vulnerabilities, document the practices of Certificate Authorities, and aid researchers interested the web’s encryption infrastructure.” Such initiatives might assist in understanding the scope of nature of issues that affect HTTPS-browsing.
- Google launched the Certificate Transparency project, aimed at strengthening the PKI ecosystem by “providing a publicly accessible place for issued certificates to be published.” According to the initial proposal, the project’s primary goal is to make it difficult for malicious or careless CAs to “issue a certificate for a domain without the knowledge of the owner of that domain.”
- Tools are starting to support certificate or public key pinning, which involves remembering the association between digital certificates and the CAs that are expected to have signed them. For instance, Google Chrome now rejects certificates issued to Google properties unless they were signed by the expected CAs. Similarly, Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) now allows administrators to “pin” certificates for any Windows applications.
- Network administrators are starting to examine certificate usage in corporate environments. This involves considering how to spot malicious outbound HTTPS activities, perhaps using network forensics tools to spot certs that weren’t signed by trusted CAs. Along these lines, Etsy described a proprietary tool called CAWatch that they used to record which CAs were regularly seen on their network with the goal of removing unnecessary CAs from users’ certificate stores.
Of the efforts to strengthen the web’s PKI environment, the pinning of the certificates or the associated public keys seems most promising.
Many information security practices are based on the principle of denying access by default, unless there is an explicit need to grant access. For instance, most network firewalls only allow specific traffic, instead of allowing all ports and blocking only risky ones. Soon, we might need to exercise the same degree of control over digital certificates trusted by our systems. The tools available to us for accomplishing this are still awkward and immature. This will change.