How the Digital Certificates Ecosystem is Being Strengthened


Given the many ways in which digital certificates can be misused and the severe repercussions of such incidents, several initiatives have been launched to strengthen the ecosystem within which the certs are issued, validated and utilized. This is a start of what I hope will be a slew of projects and security improvements that will gradually gain foothold in enterprise and personal environments.

Current efforts to improve the state of the web’s Public Key Infrastructure (PKI) include:

  • Operating systems and software is becoming more mindful of the need to maintain up-to-date lists of revoked certificates. For example, while Internet Explorer on Windows XP only enabled code-signing revocation checking by default, Vista and higher also checks for the revoked server certificates used in SSL/TLS connections by default, according to Websense. Microsoft has also enhanced its mechanism for automatically distributing updates to the listing of revoked certificates.
  • EFF launched the SSL Observatory project, to catalog the SSL/TLS certificates used by websites to facilitate the "search for vulnerabilities, document the practices of Certificate Authorities, and aid researchers interested the web's encryption infrastructure." Such initiatives might assist in understanding the scope of nature of issues that affect HTTPS-browsing.
  • Google launched the Certificate Transparency project, aimed at strengthening the PKI ecosystem by "providing a publicly accessible place for issued certificates to be published." According to the initial proposal, the project's primary goal is to make it difficult for malicious or careless CAs to "issue a certificate for a domain without the knowledge of the owner of that domain."

Of the efforts to strengthen the web's PKI environment, the pinning of the certificates or the associated public keys seems most promising.

Many information security practices are based on the principle of denying access by default, unless there is an explicit need to grant access. For instance, most network firewalls only allow specific traffic, instead of allowing all ports and blocking only risky ones. Soon, we might need to exercise the same degree of control over digital certificates trusted by our systems. The tools available to us for accomplishing this are still awkward and immature. This will change.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more