INTELLIGENT BRANDS // Enterprise Security
What Google’s decision to remove trust from Symantec certificates will mean for certificate authorities in 2018
Last year, researchers affiliated with Google determined that Symantec and its affiliated Certificate Authorities (CAs) had mis-issued thousands of transport layer security (TLS) certificates. As a result, Chrome researchers announced a formal plan to remove trust from Symantec-issued certificates. According to Walter Goulet, Product Manager for Cloud Products at cybersecurity market leader Venafi, the tension between browsers and CAs will increase in 2018.
“Concern about certificate issuance practices from browser companies is not a new phenomenon,” said Goulet. “However, these concerns are now driving action from browser companies and this will combine with other industry changes in 2018. As a result, it’s very likely that the tension between CAs and browsers will continue to escalate, which will increase the pressure on business models in the CA industry.”
Goulet believes the interdependency between browsers and CAs will be affected by three major market changes:

• Browser makers will take a more active role in policing CAs. Last month, information security researcher Ian Carroll conducted an experiment that revealed how phishers could legally obtain Extended Validation (EV) certificates for malicious websites. Citing Carroll’s report as an example, many browser makers are pointing out that CA issuance practices require additional oversight. As a result of this and Google’s decision to remove trust from Symantec certificates, CAs should expect more scrutiny from browser companies.
• Web browsers will de-emphasise or remove certificate security warnings. Browsers may move away from issuing any type of certificate warning, since research has indicated that these warnings rarely impact user behaviour. For example, because most users don’t understand EV certificates and generally don’t read security details, Chrome recently released an update that wouldn’t allow users to view certificate details unless they accessed the Developer Tools section.
• CA business models will have to evolve. As browser makers take a more active role in determining which CAs they will trust, and as they modify the user experience connected with weak, mis-issued or vulnerable certificates, CA business models will change. In addition to automating and streamlining the issuance of EV certificates to compete with Let’s Encrypt, it’s likely that CAs will invest in more automation and develop new product offerings to differentiate themselves from competitors.
“I don’t expect the relationship between CAs and browsers to shift overnight, but we will see radical changes as the year progresses. The Google Symantec event was just the beginning of larger changes that will ultimately impact Internet security and privacy for all of us,” added Goulet.
www.intelligentcio.com