Last year, 2011, was a bad year for the image of Certification Service Providers.
To summarize, some of the weaknesses and vulnerabilities that were exploited were:
- The most critical servers contained malicious software that an ordinary antivirus would normally have detected.
- All CA servers were members of the same Windows domain, so a single username and password gave access to all of them.
- The administrator password was weak and easy to obtain by brute force.
- The software on the public web server was outdated and had not received the appropriate patches.
- There was no antivirus protection on the investigated servers.
- The certificate issuing system was fully automated, with no human intervention.
It should be noted that the attacks focused on the issuance of SSL certificates, not on the qualified certificates that would allow an attacker to produce legally binding electronic signatures.
The big fish move …
After the incidents, both Microsoft and the Mozilla Foundation contacted the Certification Service Providers whose certificates they distribute, to:
- Inform them of amendments to the certificate distribution agreements, tightening the controls to be performed before issuing SSL certificates
- Ask whether they had detected any abnormal behaviour or attempted intrusion into their systems.
In addition, those same vendors and Adobe removed the root certificates of DigiNotar, the provider whose roots had actually been compromised, from their trust stores.
For every company or entity with an SSL certificate issued by DigiNotar this meant that the certificate stopped being trusted, and was therefore useless, overnight; note that this is not revocation by the issuer but distrust by the relying party, which the certificate holder cannot fix except by re-issuing from a CA that is still in the stores. In the Comodo case only the fraudulently issued certificates were revoked and Comodo's roots stayed in the stores. For everyone else the Internet simply became a little safer, because a Certificate Provider that had not done things right was no longer trusted.
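To make the last point concrete, here is an added example (not code from the original post) that builds a throwaway PKI with the openssl command line: a constructed root, a leaf issued from it, and an unrelated root standing in for what a browser's trust store looks like after the vendor removes the first one. Every name and file is made up; the only assumption is that the openssl CLI (1.1.x or 3.x) is installed.

```shell
#!/bin/sh
# Added example, not code from the original post: a throwaway PKI showing why a
# certificate becomes useless the moment relying parties drop its root from their
# trust store. Needs the openssl CLI; every name and file below is constructed.
set -e

WORK=$(mktemp -d)   # scratch directory; left in place so the files can be inspected

# Minimal openssl config so the example does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# make_root NAME CN: a self-signed root CA certificate plus its private key.
make_root() {
  openssl req -x509 -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# The root that issued the site's certificate, and an unrelated root that is the
# only thing left in the "browser" once the vendor has pulled the first one.
make_root root  "Example Root CA (constructed)"
make_root other "Unrelated Root CA (constructed)"

# A leaf certificate for a site, signed by the first root.
openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1 -sha256 -extfile "$WORK/pki.cnf" -extensions v3_leaf \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# chain_status TRUSTSTORE_FILE: prints "trusted" if the leaf chains to a root in the
# given store and "untrusted" otherwise, which is the decision a browser makes at
# TLS handshake time.
chain_status() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Before the trust-store change: the issuing root is present, the site validates.
before=$(chain_status "$WORK/root.pem")
# After: the vendor ships a store without that root. Same certificate, same key,
# never revoked by its issuer, and yet it no longer validates anywhere.
after=$(chain_status "$WORK/other.pem")

echo "issuing root in store: $before"
echo "issuing root removed:  $after"
```

Run it as-is; it prints `trusted` while the issuing root is in the store passed to `openssl verify` and `untrusted` the moment it is not. Nothing about the leaf changed and its issuer never revoked it: distrust is the relying party's decision, which is why a site owner cannot fix it locally and must re-issue from a CA that is still in the stores.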
… and lobby …
The CA/Browser Forum is "a voluntary organization of leading certification authorities (CAs) and vendors of Internet browser software and other applications." Its members include Microsoft, the Mozilla Foundation, Apple, Google, Thawte, Entrust, Comodo (?!), etc.
It was this lobby that defined, in June 2007, the requirements and controls for issuing EV (Extended Validation) SSL certificates, which, roughly speaking, are SSL certificates that have passed more checks before issuance and so start out safer.
But the Comodo, DigiNotar and GlobalSign incidents did not involve EV certificates, which are only a tiny minority of the SSL certificates that populate the Internet, so something had to be done about the issuance and acceptance of "ordinary" SSL certificates. So in December 2011 the CA/Browser Forum released the Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, Version 1.0, which Certification Service Providers must meet by next July 1, 2012 (in two weeks, come on) if they want the browser vendors in the Forum to keep distributing their certificates marked as "trusted" for establishing SSL connections.
Will the CSPs slip the hook?
… and finally, the competent authority
In Spain, the Directorate General for Information Society Services, exercising the supervisory and control powers conferred on it by law, has urged the Certification Service Providers that have made the communication referred to in Article 30.2 of Law 59/2003 to the Ministry of Industry, Energy and Tourism to report the measures they have taken in response to the cases that open this post.
What we (at least I) do not know is what will be considered "adequate and appropriate measures": whether, for example, measured against some international standard, or against the Baseline Requirements for bla bla … mentioned above.
The fact is that, from my point of view, the big players and the authority have acted in a timely and diligent manner, and with the strength needed for us to have today a safer Internet than in early 2011.