Responding to the increasing number of threats aimed at certificate authorities and the ecosystem of trusted online transactions they represent, seven certificate authorities have come together to form an advocacy group to advance security standards and promote best practices.

The past few years have not been easy for certificate authorities (CAs). CAs issue and validate the digital certificates that form the foundation of trusted transactions online, essentially allowing two parties to prove they are who they say they are. But in the past several years RSA and the CAs DigiNotar and Comodo have suffered breaches; in the DigiNotar and Comodo cases the attackers were able to obtain fraudulently issued certificates for domains they did not control. Last week, a banking Trojan was found in the wild signed with a valid certificate that had been purchased from a CA under a fraudulent identity.

The problem is not an academic one. Last week, security firm Bit9 disclosed that hackers had penetrated its network, gained access to several of its digital certificates and used them to sign malware that, masquerading as legitimate Bit9 software, was installed on the systems of three of Bit9’s customers.

Responding to these increasing threats, from sophisticated hacker networks, global cybercriminal organizations and state-sponsored espionage, seven global CAs came together on Thursday to form the Certificate Authority Security Council (CASC), an advocacy group aimed at promoting best practices to advance the security of websites and online transactions. The CAs include Comodo, DigiCert, Entrust, GlobalSign, Go Daddy, Symantec and Trend Micro. Together they represent 95 percent of all certificates issued, says Kirk Hall, operations director for Trust Services at Trend Micro. “There have been increased threats against CAs in the past several years,” says Hall. 
“There was room for us to do more working together as CAs.” “There’s a surprising amount of things that we can do with users and others involved in deploying certificates that can make the system much stronger,” he adds.

CASC Will Start by Promoting OCSP Stapling

CASC’s first initiative will be a series of educational and advocacy efforts related to best practices in SSL deployment, particularly online certificate status checking and revocation. “If we look at the SSL ecosystem as it exists today, there’s a few things that could be better,” says Ryan Hurst, CTO of GlobalSign. “SSL isn’t deployed as widely as everyone would like. And even people that deploy SSL only deploy it on a portion of their sites because they’re concerned about performance.”

For that reason, the first initiative will highlight the benefits of Online Certificate Status Protocol (OCSP) stapling to web server administrators, software vendors, browser developers and end users. OCSP is the protocol a client uses to ask a CA’s responder whether an X.509 certificate has been revoked. In the classic flow the browser makes that query itself during the TLS handshake, which adds a round trip to a third party for every fresh connection and is often blamed for the performance hit that Hurst says keeps people from deploying SSL more broadly. With OCSP stapling, the web server fetches a signed, time-limited OCSP response from the CA ahead of time and attaches (“staples”) it to its own TLS handshake, so the client receives proof of the certificate’s status without contacting the CA at all. “OCSP stapling actually goes a long way toward reducing the performance tax associated with performing that check and thus speeds up SSL,” Hurst says.

Hurst notes that advocating best practices around code signing is likely to be a future initiative of CASC. “This is just the first of many projects that we as a group will work on together,” Hurst says.

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Email Thor at tolavsrud@cio.com
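A quick way for a server administrator to verify that the OCSP stapling discussed above is actually in effect is to ask for the status extension with openssl s_client and look at what comes back. The script below is an added example, not from the article or from CASC; it assumes an OpenSSL 1.0.0 or later binary named `openssl` on PATH, and the sample outputs embedded in it are constructed (trimmed from the real s_client format) so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the CIO.com article or from CASC: probe a TLS
# server for a stapled OCSP response with "openssl s_client -status" and
# classify the result. Assumes an OpenSSL 1.0.0+ binary named "openssl"
# on PATH (older releases do not understand the -status option).

# Classify the text that "openssl s_client -status" prints.
# Prints one of: stapled-good, stapled-revoked, stapled-other, none.
# Returns 0 only for stapled-good, so it can gate a deployment check.
ocsp_verdict() {
  out="$1"
  # s_client prints "OCSP response: no response sent" when nothing was
  # stapled, and a decoded "OCSP Response Data:" block when something was.
  if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
    if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
      echo stapled-good
      return 0
    elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
      echo stapled-revoked
      return 2
    fi
    echo stapled-other
    return 3
  fi
  echo none
  return 1
}

# Live probe: send SNI so a virtual host presents the right certificate,
# request the status_request extension, and close stdin so s_client exits
# right after the handshake instead of waiting for application data.
check_stapling() {
  host="$1"
  port="${2:-443}"
  out=$(openssl s_client -connect "$host:$port" -servername "$host" -status \
        </dev/null 2>/dev/null)
  ocsp_verdict "$out"
}

# Constructed sample outputs (abbreviated) so the classifier can be tested
# without touching any real server.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Feb 14 00:00:00 2013 GMT
    Next Update: Feb 21 00:00:00 2013 GMT
======================================
Certificate chain
 0 s:/CN=www.example.com'

SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: revoked
    Revocation Time: Feb 10 12:00:00 2013 GMT
======================================
Certificate chain
 0 s:/CN=www.example.com'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
Certificate chain
 0 s:/CN=www.example.com'

# Usage: sh ocsp_check.sh www.example.com [port]
if [ "$#" -gt 0 ]; then
  check_stapling "$@"
fi
```

A verdict of `none` usually means stapling is simply not switched on at the server (`ssl_stapling on;` in nginx, `SSLUseStapling on` in Apache), or the server cannot reach the CA’s responder to fetch a response to staple. Note that a client which receives no staple does not fail the connection; it either queries the responder itself or, in many browsers of the period, quietly accepts the certificate when the responder does not answer, so stapling improves latency but does not by itself harden revocation checking.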