Frequently Asked Questions. Frequently Asked Questions: Securing the Future of Trust on the Internet

Transcription

1 FREQUENTLY ASKED QUESTIONS: SECURING THE FUTURE OF TRUST ON THE INTERNET Frequently Asked Questions Frequently Asked Questions: Securing the Future of Trust on the Internet

2 Securing the Future of Trust on the Internet CONTENTS Q1: What is PKI and how does it relate to SSL certificates?... 3 Q2: How do certificate authorities use PKI?... 3 Q3: Why is PKI so important to the future of the Internet?... 3 Q4: Why are some people questioning the future of the PKI ecosystem?... 3 Q5: Are there viable alternatives to PKI?... 4 Q6: What are the CA/Browser Forum Baseline Requirements? Q7: What are the key elements of a robust PKI ecosystem?... 4 Q8: What is an online revocation check and why is it important?... 5 Q9: What is soft-fail behavior and why does it create problems for online revocation checking?... 5 Q10: How can website operators help protect the PKI ecosystem?... 5 Q11: How can I be sure that the websites I visit are safe and trustworthy?

3 Q1: What is PKI and how does it relate to SSL certificates? PKI stands for public key infrastructure. PKI at its base form is an electronic information repository that ties entities to key pairs, but also includes the hardware, software, personnel and practices used to create and manage SSL certificates on the public Internet. TLS/SSL relies on PKI to provide authentication of the server to the client, and to optionally authenticate the client to the server. Q2: How do certificate authorities use PKI? The type of PKI used for SSL/TLS requires a third party to issue certificates used to mediate the authentication between entities interested in engaging in transactions. This third party verifies that the entity requesting a certificate is who or what the entity purports to be and then issues a certificate. Third parties that broker trust in this manner are called Certificate Authorities (CA). Symantec, the #1 provider of SSL online, operates a certificate-based PKI ( Symantec Trust Network ) to enable the worldwide deployment and use of SSL certificates by Symantec, its affiliates, their respective customers, subscribers, and relying parties. 1 Q3: Why is PKI so important to the future of the Internet? PKI is the only technology that can meet the rapidly growing need for online security and trust so that people can connect with confidence and safely share information online now and in the future. There are three key reasons why PKI provides the best platform for online security and trust: Massive scalability PKI has provided a stable platform for the growth of Web-scale e-commerce, and offers the economies of scale required to meet the rapidly growing demand for a secure online experience driven by mobile, cloud and social technologies. Authentication The PKI trust model provides a deterministic way to make assurances about the a) security, b) integrity and c) identity of an organization. Strong encryption PKI enables the use of encryption to ensure the confidentiality and integrity of private data when it is transmitted over the public Internet. PKI is the only single technology platform that delivers the economies of scale necessary for future growth; ensures trust between parties on first contact; and protects the confidentiality and integrity of data in transit on the public Internet. Q4: Why are some people questioning the future of the PKI ecosystem? The CA breaches in 2011 sparked a debate as to whether SSL certificate technology and the entire CA industry that distributes it is fundamentally broken. Fortunately, the answer is categorically and unequivocally no. SSL technology still provides excellent protection against evolving cyber security threats. With the right tools and processes, CAs should be fully capable of providing the greatest assurance possible that their certificates and the websites that use the certificates are genuine and safe for online business. 1 Netcraft SSL Survey, 6/2012; includes subsidiaries, affiliates, and partners. 3

4 However, the events of 2011 are proof-positive that best practices have not been consistently implemented, and that some CAs do not provide equal levels of assurance about security or trust. And yet under the current system, all CAs are trusted equally once they have been added to a browser s root list. This fundamental problem of equal trust without equal assurance must be addressed in order to ensure the future of the PKI ecosystem. Q5: Are there viable alternatives to PKI? A number of emerging technologies, such as DNSSec, Perspectives, and Sovereign Keys, have been proposed as possible solutions to the challenges currently facing PKI and SSL/TLS. While it is important to support and discuss these types of initiatives, they are all considered band-aids that solve point problems, not complete replacements for PKI. Furthermore, these proposals are also largely untested and unproven, whereas PKI has more than a decade of experience and expertise behind it something that can t be developed overnight, regardless of technical merits. Q6: What are the CA/Browser Forum Baseline Requirements? Symantec and other members of the CA/Browser Forum took the first step towards a more robust, sustainable PKI ecosystem in December 2011 with the release of Baseline Requirements for the Issuance and Management of Publicly- Trusted Certificates, the first international baseline standard for the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates natively trusted in browser software. This standard, which goes into effect on July 1, 2012, describes an integrated set of technologies, protocols, identity-proofing, lifecycle management, and auditing requirements that are necessary for the issuance and management of publicly-trusted certificates. Q7: What are the key elements of a robust PKI ecosystem? The importance of establishing common baseline requirements cannot be overstated. However, these requirements do not address all of the issues relevant to the issuance and management of trusted certificates on the public Internet, and are intended as a starting point of what is an ongoing effort to improve security practices. Symantec strongly believes that a healthy, robust PKI ecosystem requires three key pillars as its foundation: Strong, standardized certificate authority security policies and practices. A robust, agile and highly available digital certificate infrastructure. Stricter security standards for Web browser and Web server software. Some of these objectives can be met simply by following existing standards, guidelines and policies. Other objectives will require the disciplined implementation of stricter policies and stronger security specifications. All of these objectives must be met in order to ensure the long-term health of the PKI ecosystem and to prevent further erosion of trust. 4

5 Q8: What is an online revocation check and why is it important? In addition to protecting valid certificates, CAs have a duty to publish up-to-date status of certificates (whether a certificate is valid or revoked). Historically, they accomplished this by creating a Certificate Revocation List (CRL) and signing it with their private key. Web browsers regularly checked these CRLs to see if any certificates have been revoked. Today OCSP (Online Certificate Status Protocol) is the protocol most commonly used by browsers to obtain the revocation status of an SSL certificate, and obtaining quick responses to OCSP queries is critical to the user experience. The CA/Browser Baseline Requirements state that all CAs must operate and maintain its CRL and OCSP capability with resources sufficient to provide a response time of 10 seconds or less under normal operating conditions. 10 seconds is a very long time for a user to wait for a response. Symantec alone handles on average 4.5 billion OCSP lookups every day, with an average response time of less than half a second, and typically updates its OCSP and CRL systems within 5 minutes of revocation. Q9: What is soft-fail behavior and why does it create problems for online revocation checking? Currently, most Web browsers use a soft-fail approach to online revocation checks; blocking access to the website only if a revoked response is returned. If no response is received, the browser allows the user to continue with no warning. Symantec believes that Web browser developers can and should implement hard fail behavior so that users are stopped from (or at least warned before) proceeding to a website when a revocation check fails. This feature should not impact the user experience if CAs live up to their responsibility and provide timely, reliable responses to online revocation checks. Q10: How can website operators help protect the PKI ecosystem? The first step is to implement Always On SSL, a fundamental, cost-effective security measure that provides end-to-end protection for website visitors. Always On SSL is not a product, service, or replacement for existing SSL certificates, but rather an approach to security that recognizes the need to protect the entirety of a user s session, not just the login screen. Always On SSL starts with the site-wide use of HTTPS, but it also means setting the secure flag for all session cookies to prevent their contents from being sent over unencrypted HTTP connections. For additional security and trust, extended validation (EV) SSL Certificates offer the level of authentication and trigger browsers to give users a very visible indicator that the user is on a secured site by turning the address bar green. This is valuable protection against a range of online attacks. A Symantec sponsored consumer survey of internet shoppers in Europe, the US and Australia showed the SSL EV green bar increases the feeling of security for most (60 percent) shoppers. 2 2 Symantec Online Consumer Study (UK, France, Germany, Benelux, US and Australia) conducted in January

6 SSL/TLS alone can t protect against all Web-based attacks, but CAs such as Symantec offer daily malware and vulnerability scanning as part of their online trust services, helping customers minimize the risk of malware infection, and to remediate malware infections as quickly as possible. Q11: How can I be sure that the websites I visit are safe and trustworthy? It is important to know that SSL/TLS remains the most effective method of secure Web data transmission, and PKI is the best platform for managing SSL certificates at Internet scale. It is equally critical to remain aware of who is behind the security of the website you are doing business with. Are they reputable? Do they have a proven track record for issuance of certificates? Do they have a robust infrastructure in place to prevent these types of attacks? If the answer is no, it is probably not a safe website to use or visit. 6

7 More Information Visit our website To speak with a Product Specialist in the U.S. Call 1 (866) or 1 (650) To speak with a Product Specialist outside the U.S. For specific country offices and contact numbers, please visit our website. About Symantec Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Symantec World Headquarters 350 Ellis Street Mountain View, CA USA 1 (800) Copyright 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, BindView, Enterprise Security Manager, Sygate, Veritas, Enterprise Vault, NetBackup and LiveState are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. UID:126/7/2012