Vulnerabilities / Threats
2/14/2013
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Major Certificate Authorities Unite In The Name Of SSL Security

Comodo, DigiCert, Entrust, GlobalSign, Go Daddy, Symantec, and Trend Micro form Certificate Authority Security Council (CASC)

Amid growing concerns of threats to and the integrity of the certificate authority (CA) infrastructure, the world's biggest CAs have banded together to promote and evolve stronger website security.

"We felt SSL needed a leader," says Jeremy Rowley, associate general counsel for DigiCert, which, along with Comodo, Entrust, GlobalSign, Go Daddy, Symantec, and Trend Micro, today officially launched the new organization. "We felt a group of CAs, rather than one CA," was a better approach, he says.

The first line of business for the new Certificate Authority Security Council (CASC) is to push the adoption of online certificate status protocol (OCSP) stapling for Web server administrators, software vendors, browser makers, and end users. OCSP stapling is a method of revoking invalid or expired digital certificates. It's an enhancement to the OCSP protocol that basically eliminates the need for Web users to check OCSP responses with the CA, and is more efficient because the Web server caches the response from the CA.

"In OCSP stapling, the Web server goes to the CA, gets a response signed by the CA, and keeps it at the Web server. So when the browser goes there in the SSL handshake ... it gets a response right away," says Bruce Morton, director of certificate services for Entrust. "There's less latency to users of that site. It's a performance enhancement a lot of users are looking for."

CASC plans to serve as a research, security advocacy, and education organization for the SSL CA world, its founders say. It plans to support the work of the CA/Browser Forum and other standards bodies, and to help develop enhancements to SSL and the security and operation of the CA process.

"CASC is not a standards body. Instead, we will work on helping people understand the critical polices on SSL and ... promote best practices in advancing the trust of CA operations," DigiCert's Rowley says. "Our main goal is to be an authoritative resource on SSL."

The organization also hopes to stem the problem of improperly configured SSL certificates on Web servers that has been spotlighted by the Qualys SSL Labs project, headed up by Qualys director of engineering Ivan Ristic.

"One of the things we're already talking about are some websites out there are improperly configuring SSL certs on their server," Rowley says. "So some of the things we are going to be releasing are documents to help with that."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-4403
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.ph...

CVE-2012-2930
Published: 2015-04-24
Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers...

CVE-2012-2932
Published: 2015-04-24
Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the (1) selitems[] parameter in a copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/...

CVE-2012-5451
Published: 2015-04-24
Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888.

CVE-2015-0297
Published: 2015-04-24
Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methos via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.