Last year, researchers affiliated with Google decided that Symantec, and their affiliated Certificate Authorities (CA), had mis-issued thousands of Transport Layer Security (TLS) certificates. As a result, Chrome researchers announced a formal plan to remove trust from Symantec-issued certificates. The first deadline of this plan hits in mid-April, and it seems clear that the relationship between browsers and CAs is going to continue to change this year.
Now, this isn’t the first time browser companies have expressed concern about the certificate issuance practices of CAs; they have done so consistently. However, Google’s actions are the first time that these concerns have been translated into significant action. It’s still early, but it’s pretty clear that the tension between CAs and browsers is likely to escalate, and this will increase the pressure on business models in the CA industry.
Ultimately, I believe the interdependency between browsers and CAs will be affected by three major market changes:
Here’s a recent example of the way this is already starting to happen: because most users don’t understand EV certificates and generally don’t read security details, Chrome recently pushed out an update that no longer lets users view certificate details unless they open the Developer Tools section. Similar decisions could have a major impact on the sale of EV certificates, since the validated information obtained by a CA can only be shown to users when browsers display all of the information from EV certificates in their security warnings.
If browsers suppress certificate warnings for EV certificates, CAs will have to work harder to demonstrate the value for these higher margin products. Furthermore, CAs will have to find new ways to stay competitive, especially as Let’s Encrypt continues to exert downward pressure on the price of certificates. In addition to automating and streamlining the issuance of EV certificates, CAs will likely develop new product offerings to differentiate themselves from competitors.
Obviously, I don’t expect the relationship between CAs and browsers to shift overnight, but we are likely to see significant changes as the year progresses. The Google Symantec event was just the beginning of larger changes that will ultimately affect the internet security and privacy of all users.
What do you think will happen with browsers and CAs in 2018?