SALT LAKE CITY--(BUSINESS WIRE)--Last year, researchers affiliated with Google decided that Symantec, and their affiliated Certificate Authorities (CA), had mis-issued thousands of transport layer security (TLS) certificates. As a result, Chrome researchers announced a formal plan to remove trust from Symantec-issued certificates. According to Walter Goulet, product manager for cloud products at cyber security market leader Venafi, the tension between browsers and CAs will increase in 2018.
“Concern about certificate issuance practices from browser companies is not a new phenomenon,” said Goulet. “However, these concerns are now driving action from browser companies and this will combine with other industry changes in 2018. As a result, it’s very likely that the tension between CAs and browsers will continue to escalate, which will increase the pressure on business models in the CA industry.”
Goulet believes the interdependency between browsers and CAs will be affected by three major market changes:
- Browser makers will take a more active role in policing CAs. Last December, information security researcher Ian Carroll conducted an experiment that revealed how phishers could legally obtain Extended Validation (EV) certificates for malicious websites. Citing Carroll’s report as an example, many browser makers are pointing out that CA issuance practices require additional oversight. As a result of this and Google’s decision to remove trust from Symantec certificates, CAs should expect more scrutiny from browser companies.
- Web browsers will de-emphasize or remove certificate security warnings. Browsers may move away from issuing any type of certificate warning, since research has indicated that these warnings rarely impact user behavior. For example, because most users don’t understand EV certificates and they generally don’t read security details, Chrome recently released an update that wouldn’t allow users to view certificate details unless they accessed the Developer Tools section.
- CA business models will have to evolve. As browser makers take a more active role in determining which CAs they will trust and as they modify the user experience connected with weak, mis-issued or vulnerable certificates, CA business models will change. In addition to automating and streamlining the issuance of EV certificates to compete with Let’s Encrypt, it’s likely that CAs will invest in more automation and develop new product offerings to differentiate themselves from competitors.
“I don’t expect the relationship between CAs and browsers to shift overnight, but we will see radical changes as the year progresses. The Google Symantec event was just the beginning of larger changes that will ultimately impact internet security and privacy for all of us,” added Goulet.
For more details, please visit: https://www.venafi.com/blog/cas-and-browsers-three-changes-expect-2018
Venafi is the cyber security market leader in machine identity protection, securing machine-to-machine connections and communications. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise — on premises, mobile, virtual, cloud and IoT — at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with machines that are not trusted.
With 31 patents currently in its portfolio, Venafi delivers innovative solutions for the world’s most demanding, security-conscious Global 2000 organizations. Venafi is backed by top-tier investors, including Foundation Capital, Intel Capital, Origin Partners, Pelion Venture Partners, QuestMark Partners, Mercato Partners and NextEquity. For more information, visit: www.venafi.com.