Last year, researchers affiliated with Google decided that Symantec, and its affiliated Certificate Authorities (CAs), had mis-issued thousands of Transport Layer Security (TLS) certificates. As a result, Chrome researchers announced a formal plan to remove trust from Symantec-issued certificates. The first deadline of this plan hits in mid-April, and it seems clear that the relationship between browsers and CAs is going to continue to change this year.
Now, this isn’t the first time browser companies have expressed concern about the certificate issuance practices of CAs; they have done so consistently. However, Google’s actions are the first time that these concerns have been translated into significant action. It’s still early, but it’s pretty clear that the tension between CAs and browsers is likely to escalate, and this will increase the pressure on business models in the CA industry.
Ultimately, I believe the interdependency between browsers and CAs will be affected by three major market changes:
Browser makers are taking a more active role in policing CAs. Last December, information security researcher Ian Carroll conducted an experiment that revealed how phishers could legally obtain Extended Validation (EV) certificates for malicious websites. Citing Carroll’s report as an example, many browser makers are pointing out that CA issuance practices require additional oversight. This report and Google’s decision to remove trust from Symantec certificates indicate that CAs should expect more scrutiny from browser companies in the coming months.
Web browsers will de-emphasize or remove certificate security warnings. Browsers may move away from issuing any type of certificate warning, as browser makers’ research shows that these warnings rarely impact user behavior. And really, what do you do when you visit a website and get a certificate warning? You probably click through most of the time.
Here’s a recent example of the way this is already starting to happen: because most users don’t understand EV certificates and they generally don’t read security details, Chrome recently pushed out an update that wouldn’t allow users to view certificate details unless they accessed the Developer Tools section. Similar decisions could have a major impact on the sale of EV certificates, since the identity information a CA validates only reaches users when browsers choose to display all of the information from EV certificates in their security warnings.
CA business models will have to evolve. As browser makers take a more active role in determining which CAs they will trust and modify the user experience connected with weak, mis-issued or vulnerable certificates, the ramifications of these changes will force CAs to adjust and streamline their business models.
If browsers suppress certificate warnings for EV certificates, CAs will have to work harder to demonstrate the value of these higher-margin products. Furthermore, CAs will have to find new ways to stay competitive, especially as Let’s Encrypt continues to exert downward pressure on the price of certificates. In addition to automating and streamlining the issuance of EV certificates, CAs will likely develop new product offerings to differentiate themselves from competitors.
Obviously, I don’t expect the relationship between CAs and browsers to shift overnight, but we are likely to see significant changes as the year progresses. The Google–Symantec event was just the beginning of larger changes that will ultimately impact the internet security and privacy of all users.
What do you think will happen with browsers and CAs in 2018?