CAs and Browsers: Three Changes to Expect in 2018

February 7, 2018 | Walter Goulet

Last year, Google's Chrome team concluded that Symantec, and the certificate authorities (CAs) operating under its roots, had mis-issued thousands of Transport Layer Security (TLS) certificates. As a result, Google announced a formal plan to phase out trust in Symantec-issued certificates in Chrome. The first deadline of that plan arrives in mid-April, and it seems clear that the relationship between browsers and CAs is going to keep changing this year.
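For anyone who operates a site and wants to know whether that mid-April deadline applies to them, here is an added example (not code from the original post or from Google) that classifies a certificate against the distrust schedule. It works on the dict shape that Python's ssl.SSLSocket.getpeercert() returns, so it runs offline on the constructed samples below or live against a host. The cutoff dates follow Google's published plan (Chrome 66 in mid-April 2018 for Symantec-rooted certificates issued before 1 June 2016, Chrome 70 in October 2018 for the rest); matching on the issuer's organizationName is a simplifying assumption, since Chrome's own check keys on the hash of the root's public key rather than on names.

```python
"""Classify a server certificate against Chrome's 2018 Symantec distrust schedule.

Operates on the dict returned by ssl.SSLSocket.getpeercert(), so it can be run
offline against a constructed sample or live against a real host.
"""
import socket
import ssl
from datetime import datetime, timezone

# Issuer organizationName values carried by the legacy Symantec-operated roots
# and brands (VeriSign, Thawte, GeoTrust, RapidSSL). Matching on issuer O is a
# heuristic (assumption); Chrome's real check keys on the root's SPKI hash.
SYMANTEC_ISSUER_ORGS = {
    "Symantec Corporation",
    "VeriSign, Inc.",
    "thawte, Inc.",
    "GeoTrust Inc.",
}

# Google's published schedule: Symantec-rooted certificates issued before this
# date lost trust in Chrome 66 (mid-April 2018); the rest follow in Chrome 70.
PHASE1_CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)
PHASE1 = "Chrome 66 (mid-April 2018)"
PHASE2 = "Chrome 70 (October 2018)"


def issuer_org(cert):
    """Pull organizationName out of getpeercert()'s issuer RDN tuple."""
    for rdn in cert.get("issuer", ()):
        for attr_type, value in rdn:
            if attr_type == "organizationName":
                return value
    return None


def not_before(cert):
    """Parse getpeercert()'s 'Mar  3 00:00:00 2016 GMT' notBefore into a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)


def symantec_distrust_phase(cert):
    """Return the Chrome release that stops trusting this cert, or None if unaffected."""
    if issuer_org(cert) not in SYMANTEC_ISSUER_ORGS:
        return None
    return PHASE1 if not_before(cert) < PHASE1_CUTOFF else PHASE2


def check_host(host, port=443):
    """Connect to a live server and classify its leaf certificate (needs network)."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host) as tls:
        return symantec_distrust_phase(tls.getpeercert())


# Constructed sample inputs in getpeercert() shape; these are not real certificates.
OLD_SYMANTEC_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Symantec Corporation"),),
               (("commonName", "Example Symantec Intermediate CA"),)),
    "notBefore": "Mar  3 00:00:00 2016 GMT",
    "notAfter": "Mar  3 23:59:59 2018 GMT",
}
NEWER_GEOTRUST_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GeoTrust Inc."),),
               (("commonName", "Example GeoTrust Intermediate CA"),)),
    "notBefore": "Jun  1 00:00:00 2016 GMT",   # exactly on the cutoff: phase 2
    "notAfter": "Jun  1 23:59:59 2018 GMT",
}
UNAFFECTED_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "Example LE Intermediate"),)),
    "notBefore": "Jan 10 00:00:00 2018 GMT",
    "notAfter": "Apr 10 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    for name, cert in [("old Symantec", OLD_SYMANTEC_CERT),
                       ("newer GeoTrust", NEWER_GEOTRUST_CERT),
                       ("Let's Encrypt", UNAFFECTED_CERT)]:
        print(f"{name}: {symantec_distrust_phase(cert)}")
```

Two caveats when using this against real hosts: it inspects only the leaf's direct issuer, so a chain that reaches a Symantec root through a differently named cross-signed intermediate will be missed, and certificates issued since December 2017 on the DigiCert-operated replacement infrastructure chain to DigiCert roots and are not affected, which the heuristic reflects by returning None because their issuer organization is DigiCert rather than one of the legacy names.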

This isn’t the first time browser vendors have expressed concern about the certificate issuance practices of CAs. However, Google’s action against Symantec is the first time those concerns have led to the distrust of a CA of that size. It’s still early, but the tension between CAs and browsers is likely to escalate, and that will increase the pressure on business models in the CA industry.

Ultimately, I believe the interdependency between browsers and CAs will be affected by three major market changes:

  • Browser makers are taking a more active role in policing CAs. Last December, security researcher Ian Carroll conducted an experiment showing how a phisher could legitimately obtain an Extended Validation (EV) certificate for a misleading website: he registered a company named “Stripe, Inc.” in a different US state from the payments company and was issued an EV certificate for it, and browsers displayed only the company name, not the jurisdiction that tells the two apart. Citing Carroll’s report as an example, browser makers argue that CA issuance and validation practices need additional oversight. That report, together with Google’s decision to remove trust from Symantec certificates, indicates that CAs should expect more scrutiny from browser companies in the coming months.

  • Web browsers will de-emphasize or remove certificate security warnings and indicators. Browsers may move away from surfacing certificate information at all, since their research shows that warnings rarely change user behavior. And really, what do you do when you visit a website and get a certificate warning? You probably click through most of the time.

Here’s a recent example of the way this is already starting to happen. Because most users don’t understand EV certificates and generally don’t read security details, Chrome pushed out an update that moved certificate details out of the address bar, so they can only be viewed from the Developer Tools panel. Decisions like this could have a major impact on the sale of EV certificates, because the organization identity a CA validates for an EV certificate only has value if browsers display it prominently.

  • CA business models will have to evolve. As browser makers take a more active role in deciding which CAs they trust, and change the user experience for weak, mis-issued or vulnerable certificates, CAs will be forced to adjust and streamline their business models.

If browsers stop giving EV certificates a distinct indicator, CAs will have to work harder to demonstrate the value of these higher-margin products. CAs will also have to find new ways to stay competitive, especially as Let’s Encrypt, which issues domain-validated certificates for free, continues to push certificate prices down. In addition to automating and streamlining EV issuance, CAs will likely develop new product offerings to differentiate themselves from competitors.

Obviously, I don’t expect the relationship between CAs and browsers to shift overnight, but we are likely to see significant changes as the year progresses. Google’s distrust of Symantec was just the beginning of larger changes that will ultimately affect the security and privacy of every internet user.

What do you think will happen with browsers and CAs in 2018?

About the author

Walter Goulet

Walter Goulet writes for Venafi's blog and is an expert in machine identity protection.
