The certificate authority (CA) industry may have had a bad year back in 2011 but, according to one of its survivors, 2013 finds it in a better place.
Speaking to IT Security Guru, Henry Krumins, a senior director at GlobalSign, said that 2011 was a bad year for the industry, but added that “it defines who you are”.
“It was a bad year for the certificate authority industry, but SSL is far from broken and it’s still the best thing out there today. The events of 2011 galvanised the industry and as CAs are always likely to be a target for hackers, our core focus is more so now than ever before on how to mitigate these continuing threats and coming out of this eventful period has made the industry stronger,” he said.
Since then there has been little talk of certificate security, but in the past month the issue of certificate trust has been raised as US government SSL certificates expired during the recent shutdown.
Krumins claimed that this situation could have been avoided, as there are plenty of CA tools for automatic renewal, but said the main problem was that, as SSL certificates began to expire, website visitors were clicking through the warning messages to reach government-run sites, inherently trusting them and ignoring the browsers’ forewarnings.
“If website owners are letting their certificates expire and end users are more commonly seeing these warning messages, especially on highly trusted sites such as government owned ones, then it will desensitise users to website security. They will learn the behaviour to automatically click through the warning messages and one day could easily be sent to a spoof site”, he said.
He went on to say that the industry should be informing users that if they see a warning that essentially says “don’t trust this website” or “the SSL certificate on this site has expired”, it is not a good thing and they should not automatically bypass these advanced browser warnings.
Asked if there is a genuine risk to users and businesses from an expired certificate, Krumins said that even though the certificate has expired, it is still a secure connection with an SSL handshake, but users must not trust it.
“The danger from a business perspective is with regards to trust and who actually owns the site. If the SSL certificate has expired, the site is no longer verified by the issuing certificate authority and the site could be fraudulent. The reputation of the business can therefore be damaged, as you wouldn’t trust the business after a period of time if warning messages continually appeared. The danger to the user, as previously mentioned, is that they too easily become desensitised to such warning messages and trust a site that could be falsified. As a responsible CA we want the user to be safe and properly consider what is and what isn’t a trusted site. So if the site has this warning, they should lose that trust,” he said.
“If end users are desensitised in this way, you want to say ‘access this site at your own peril!’. Browser vendors currently do a good job at warning users even though messaging may vary slightly and there are tools out there for businesses to renew certificates and CAs go a long way to make it easy for them.”
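The expiry monitoring that Krumins says would have avoided the shutdown lapses, as an added example that is not part of the article and not a GlobalSign tool: it takes notAfter dates in the form that `ssl.getpeercert()` and `openssl x509 -enddate` report, and flags certificates that are already expired or inside an assumed 30-day renewal window. The hostnames, dates, the fixed reference date and the threshold are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory: the hostnames are placeholders, not real sites.
# notAfter strings use the "%b %d %H:%M:%S %Y GMT" form that
# ssl.getpeercert()["notAfter"] and `openssl x509 -enddate` produce.
INVENTORY = [
    ("portal.example.gov", "Oct  5 00:00:00 2013 GMT"),   # already expired
    ("data.example.gov",   "Nov  1 00:00:00 2013 GMT"),   # inside the renewal window
    ("www.example.gov",    "Jan  1 00:00:00 2014 GMT"),   # healthy
]

RENEW_BEFORE_DAYS = 30   # assumed policy: renew a month ahead, not on the day

# Fixed reference date so the run is reproducible; a real job uses datetime.now(timezone.utc).
EXAMPLE_NOW = datetime(2013, 10, 16, tzinfo=timezone.utc)


def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days from `now` until notAfter; negative once the certificate has expired."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)   # parsed as UTC, as the GMT suffix says
    delta = expiry_ts - now.timestamp()
    return int(delta // 86400)


def classify(not_after: str, now: datetime, renew_before_days: int = RENEW_BEFORE_DAYS) -> str:
    """EXPIRED: browsers are already warning visitors.  RENEW: fix it before they do.  OK: nothing to do."""
    days = days_remaining(not_after, now)
    if days < 0:
        return "EXPIRED"
    if days < renew_before_days:
        return "RENEW"
    return "OK"


def audit(inventory, now: datetime):
    """Return (host, status, days) for every entry, soonest expiry first, so the report leads with what needs action."""
    rows = [(host, classify(not_after, now), days_remaining(not_after, now))
            for host, not_after in inventory]
    return sorted(rows, key=lambda row: row[2])


def main():
    for host, status, days in audit(INVENTORY, EXAMPLE_NOW):
        print(f"{status:8} {host:22} {days:+5d} days")


if __name__ == "__main__":
    main()
```

Run daily against the organisation's certificate inventory, this is the alerting half of "automatic renewal": an operator is paged while there are still weeks to act, rather than after visitors start seeing the warning. Note what the check does not do: it cannot make the connection any less encrypted or fail the handshake itself; it only reports that the CA's attestation has lapsed, which is exactly the thing the browser warning is about. Python's own `ssl.create_default_context()` refuses an expired certificate with `ssl.SSLCertVerificationError`, the programmatic equivalent of the browser's "don't trust this website" page.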
GlobalSign, which was the first CA in Europe, is unique. They want to restore trust in digital certificate security and make SSL a better understood technology, and are doing more than any other CA to improve the SSL ecosystem. They are leading the way with many initiatives, including making secure sites load faster so as to improve SSL deployment. They have also forged technology partnerships with leading companies such as StopTheHacker, Netcraft and Qualys to offer value-added services for the full lifetime of their SSL certificates for ongoing website security, such as malware monitoring, phishing alert detection and an SSL configuration checker tool.
“GlobalSign is arguably the largest pure-play Certificate Authority. Our focus has been, and always will be, on providing convenient and highly productive digital signature solutions for organisations of all sizes,” concluded Krumins.