Computer Security: Change is Scary, but Necessary

Everybody has probably heard a definition of insanity along the lines of “doing the same thing over and over again and expecting different results.” My feeling is that this definition needs to be modified slightly for computer security. When you’re working on security, insanity is doing the same things over and over again, year after year, and expecting the same results. There are many opportunities to improve the various PKIs that we rely upon for secure e-mail, document signing, financial transactions and web browsing. Sometimes, these opportunities have been missed. For example, the validation requirements for extended validation (EV) certificates have hardly been changed since they were introduced 10 years ago.

Times change; threats change. The world changes and old assumptions may not be relevant anymore. Even if nothing else changes, attackers are constantly improving their techniques and adapting to existing defenses. Defenses must be constantly monitored, evaluated, upgraded and replaced when they become obsolete. An unmaintained wall inevitably crumbles into rubble.

This is difficult because we are inherently creatures of habit. We feel safer around familiar things, and often view with suspicion things that are unfamiliar or different. Changes introduce uncertainty and risk. Keeping things the same appears to be an easier choice, because there is only one choice. When changes are proposed, there typically are lots of possible options. Which changes would be good, and which would be bad? It’s difficult to know. It’s always tempting to retreat to the safety of the familiar.

However, this safety is an illusion. The security industry needs to continue moving forward, because attackers are constantly adapting. This is why I get very frustrated when I hear people defending certain practices in the industry with arguments such as, “We’ve been doing things this way for 20 years.” The technology sector was a very different place 20 years ago; even the most advanced security practices from back then are almost all obsolete!

This is why, when we became aware of some of the insecure validation practices related to methods No. 1 and No. 5 of the CAB Forum baseline requirements, we pushed for the methods to be either improved or eliminated. When none of the proposed alternatives were found to be adequate, we proposed a ballot to remove the methods, and are happy that certificate authorities will need to cease using the insecure method by Aug. 1.

This is why we have been very involved in the Network Security Working Group to bring those requirements more in line with modern security practices. We are leading the effort to push for better two-factor authentication requirements and to modernize the password requirements. This includes removing the requirement for password rotation every 90 days, which has been shown to result in weaker passwords, not stronger ones. This is why we disagree with those who have questioned the need for a Network Security Working Group, or who have proposed that the requirements be scrapped instead of upgraded. Continuing to maintain and upgrade all our standards is not an optional activity.

This is why we continue to be extremely active on the topic of governance reform at the CA/Browser Forum. We see a bright future for the CA/Browser Forum, where it can expand to produce minimum security requirements for all PKI use cases, not just web certificates. We are strong supporters of auditable standards for the issuance of S/MIME certificates, client certificates and code signing certificates and think there needs to be reasonable minimum standards for validation and issuance of such certificates.

This is why we are huge fans of identity and support many efforts to add more identity information to certificates, such as GLEIF identifiers and ETSI organizationIdentifiers, as long as there exist standardized and auditable rules for the vetting of such information. We encourage relying parties and application software suppliers to make use of such information to help users make better trust decisions about the people and companies they interact with online, both on and off the web. We continue to believe that the higher standards of vetting for extended validation certificates are important for the security of high-value websites.

During the second half of the year we will continue to provide industry leadership as we constantly work to improve certificate ecosystems.

For example:

  • We are working with browsers and other certificate authorities to allow domain owners to publish their contact information in DNS, to work around problems with registrars and registries that have unwisely used GDPR as an excuse to remove any ability to use WHOIS to contact domain owners.
  • We support increased transparency around validation methods used to issue digital certificates, including which method was used to validate a particular certificate. We believe that any details about the issuance of digital certificates that do not need to be private should be public.
  • We are huge fans of automation, and are working hard to support the ACME protocol, and build other tools to make it easier to use and manage certificates.
  • And many other things I can’t talk about just yet!

All of these changes going on mean this is a particularly exciting time to be involved in improving the standards for public key infrastructures. Let’s all work together and figure out how these standards can continue improving in the second half of this year!

Timothy Hollebeek

Timothy Hollebeek has more than 15 years of computer security experience, including eight years working on innovative security research funded by the Defense Advanced Research Projects Agency. He remains heavily involved as the primary representative for DigiCert in multiple industry standards bodies, including the CA/Browser Forum, striving for improved information security practices that work with real-world implementations. A mathematician by trade, Tim spends a lot of time considering security approaches to quantum computing.