Security practices in issuing a certificate, and why every domain and subdomain needs to be validated each time:
The urgent need for all commercial CAs to implement better security standards, starting with the CA/Browser Forum Baseline Requirements, and the steps that Web browser developers, SSL certificate subscribers, and relying parties can take to hold CAs accountable for complying with these requirements. Symantec’s rigorous security and authentication practices lead the industry in reputation qualification measures to establish an online business’ credibility.
The core or “kernel” of trust in the PKI system rests on the assumption that commercial CAs maintain a commitment to security that is beyond reproach. Digital certificates are verified using a chain of trust, and root CAs act as trust “anchors” for each certificate. Consequently, Web browser developers must be able to trust that CAs will do the following:
- Verify the identity of the requester.
- Ensure that there is no way to issue a certificate without a permanent record.
- Keep unalterable logs of all certificates they have signed.
- Audit those logs frequently for evidence of unauthorized issuance.
- Proactively communicate security events and certificate revocations.
- Protect their infrastructure to prevent intrusion or fraudulent certificate issuance.
When browser developers feel confident that a CA is living up to these responsibilities, they include that CA’s root certificate in the browser’s root CA store. All certificates in a browser’s root store are trusted equally.
- In March 2011, an attack compromised the access credentials of a Comodo partner in Italy and used the partner’s privileges to generate fraudulent SSL certificates.
- In May, it was reported that another Comodo partner was hacked: ComodoBR in Brazil.
- In June, StartCom, the CA operating StartSSL, was attacked unsuccessfully.
- In July, an internal audit discovered an intrusion within DigiNotar’s infrastructure indicating compromise of their cryptographic keys. The breach of these keys resulted in the fraudulent issuance of public key certificates for several dozen domains, including the domain Google.com.
- On August 28, 2011, a false DigiNotar wildcard SSL certificate issued for Google was discovered still in the wild.
- In September 2011, the Dutch government and other DigiNotar customers suddenly had to replace all DigiNotar certificates as the major Web browser vendors removed DigiNotar from their trusted root stores. DigiNotar filed for bankruptcy.
But last year, we witnessed a variety of bad actors targeting CAs ranging from recreational hackers to serious cyber terrorists, and we see no indication that these threats will slow down or go away. Over the next several years, it is critical that CAs develop business strategies and top-down security policies that address the following key needs:
- Diligent investment in and upkeep of a secure application and network infrastructure
- Rigorous and consistent authentication and identity validation processes
- Comprehensive auditing and responsible breach notification practices
- Verification practices – CAs should confirm that applicants either have the right to use, or have control of, the Fully-Qualified Domain Name(s) and IP address(es) listed in the Certificate, or were authorized by a person having such right or control (e.g. under a Principal-Agent or Licensor-Licensee relationship) to obtain a Certificate containing those Fully-Qualified Domain Name(s) and IP address(es).
- Personnel security – Prior to the engagement of any person in the Certificate Management Process, whether as an employee, agent, or an independent contractor of the CA, the CA should verify the identity and trustworthiness of such person.
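As an added illustration of two of the duties listed above (keeping an unalterable issuance log and auditing it for unauthorized issuance) and of the verification practice that every name must be validated for each request, the following Python is example code written for this page, not Symantec's or any CA's software. It assumes a hypothetical hash-chained log format and constructed sample data (`example.com` names, made-up serials and a made-up validation record id).

```python
import hashlib
import json

def _digest(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of an entry without its hash."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class IssuanceLog:
    """Append-only, hash-chained record of every certificate the CA signs;
    each entry commits to the previous hash, so editing old history breaks it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, serial: str, domains: list, validation_id: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"serial": serial, "domains": sorted(domains),
                "validation_id": validation_id, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def audit_unauthorized(log: IssuanceLog, validations: dict) -> list:
    """Serials containing a name the referenced validation never covered; a
    wildcard or another subdomain is unauthorized unless that exact name was validated."""
    return [e["serial"] for e in log.entries
            if any(d not in validations.get(e["validation_id"], set())
                   for d in e["domains"])]

VALIDATIONS = {"req-001": {"shop.example.com"}}  # constructed sample validation record

def build_sample_log() -> IssuanceLog:
    log = IssuanceLog()
    log.append("1001", ["shop.example.com"], "req-001")  # name was validated
    log.append("1002", ["*.example.com"], "req-001")     # wildcard never validated
    log.append("1003", ["mail.example.com"], "req-001")  # subdomain never validated
    return log
```

Running `audit_unauthorized(build_sample_log(), VALIDATIONS)` flags serials 1002 and 1003, and rewriting any stored entry afterwards makes `verify_chain()` return False.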
The security breaches of 2011 demonstrated that not all CAs are created equal, and that we have to raise the bar and do the right thing to ensure the long-term sustainability of the CA industry, and to protect the trust model that the Internet relies on every single day. No security infrastructure is immune to breaches, but CAs must be willing to invest in infrastructure and commit to making security their first priority.