Public Key Infrastructure (PKI) is the glue that holds the internet together. As the internet has developed into a multi-faceted ecosystem with every single ‘thing’ now considered an internet-connected endpoint, PKI has also had to develop quickly in order to meet the demands of the market.
Back in the early 2000s, there weren’t many regulations out there. You could say it was the Wild West for PKI. Certificate Authorities (CAs) didn’t have any standards to adhere to. Some were issuing certificates that lasted for 10 years!
As frustrations grew from within the CA community, a group of like-minded individuals, including Steve Roylance and Melih Abdulhayoğlu, came together with similar employees from the browser community to form the CA/Browser Forum. The CA/B Forum, created in 2005, began governing the issuance of Digital Certificates with the aim to standardize the industry and minimize mis-issuance. They did this by creating a number of bylaws and baseline requirements for certificate issuance and management.
The internet has exploded since the early days of the CA/B Forum. We now have fridges and children’s toys using an internet connection. We also have an influx of black hat hackers forming groups that conduct cybercriminal activities, such as cyber-warfare, phishing, and more.
Today, our infrastructure is still coming up against its own challenges but fortunately, there are a wealth of amazing internet security researchers who are working together and helping the CA/B Forum develop ideas to bring forward new bylaws and baseline requirements that will keep PKI in line with current technology.
Here’s what we have to look forward to in the next 12 months.
Services Will Adopt PKI to Comply
Let’s Encrypt and Google have paved the way for ‘HTTPS Everywhere.’ If you can get a free DV SSL Certificate, there really isn’t an excuse for not having one. Over 68 percent of Chrome traffic on both Android and Windows is now using HTTPS. Google now plans to mark all non-HTTPS websites as ‘Not Secure’ by July 2018.
This boost and easy availability has paved the way for industry regulators to force HTTPS in their industries, too. Just a few examples of recent regulations involving the need for PKI (SSL and otherwise) include:
For the first time in history, organizations in all industries, independent of size, are being forced to recognize the need for data security. Data, after all, is the new currency, and protecting it doesn’t just mean protecting consumers and customers; it means protecting a brand’s reputation and a business’ value.
Most companies are in the middle of a huge shift from paper to digital transactions. Some are undergoing full digital transformation programs that see the implementation of processes and technologies to streamline services and automate much of what used to be manual processes.
In all of this hype, regulators have discovered the need to implement policies around the encryption and protection of data as it travels around an organization. PKI is one tool helping organizations comply with those policies.
PKI for the IoT
Let’s use the example of a hospital. Devices are being created today that encompass the “Internet of Medical Things.”
These devices help to save lives by extracting data in real time from patients, allowing practitioners to spot anything happening quickly. Sensors can be attached to patients in a hospital that will alert doctors when vital signs are down. Once a patient is released, a doctor can prescribe medication that has trackers on it, so the doctor knows that the patient has been taking their medication. Even everyday medical devices like pacemakers can be given an IoT upgrade allowing them to send vital information to patients and their doctors that will alert them of a heart attack or stroke.
Manufacturers of IoT devices are becoming educated on the importance of implementing security into their products. The technology is available, but up until now, most consumers would buy IoT products without security in mind. As security-conscious shopping habits start appearing, manufacturers are forced to invest in security to keep their products ahead in the market.
Governments are developing smart cities, smart grids, smart medical devices, and smart cars that will replace our entire infrastructure one day. We need to make sure that every ‘thing’ that talks to another ‘thing’ using the internet can be trusted, or we could end up in a position where people are put at risk because a hacker has compromised a device.
We have too much to lose if IoT ecosystems do not employ encryption, authentication and data integrity.
HTTPS Will Really Be Everywhere
As we already mentioned, Chrome has shown that over 68 percent of their traffic on Android and Windows is now encrypted. This isn’t the same on all browsers, of course. If you think about the exponential growth of encryption, it took 20 years to get 40 percent of the web encrypted, and then in one year after that, it jumped to 50 percent; now in January 2018, we are at around 68 percent. That’s incredible growth!
As Google moves to mark non-HTTPS websites as ‘Not Secure’ in the browser, website owners will have to jump on HTTPS just to keep their visibility in the search engines and browsers. By doing this, Google is educating the masses on cybersecurity and ensuring that people think encryption first. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure.”
In Chrome 66, due to be released April 16, 2018, Chrome will also start distrusting any Symantec certificates issued before June 1, 2016. By the release of Chrome 70, all Symantec SSL certificates issued prior to December 1, 2017, will become untrusted by Google Chrome.
It appears that a large chunk of the web is still using Symantec or its child companies (GeoTrust, Verisign, and RapidSSL) certificates. TechTarget estimates of the top 1 million sites in Alexa, approximately 103,000, are still using Symantec roots. Roughly 11,000 certificates will be removed in the Chrome 66 release and a further 91,000 with Chrome 70.
When this happens, a large portion of the web will appear as ‘Not Secure.’ Even more reason for people to be reminded of the importance of SSL.
Validation Will Evolve
Recently, we heard news from a security researcher that Code Signing Certificates are being sold on the internet using stolen information from legitimately registered companies that likely have no idea their credentials are being used in that way. These certificates have proved to be extremely effective in malware obfuscation.
It’s not uncommon for security researchers to discover a flaw in the system, (I mean, this is what they are there for.) but because several news stories about malicious use of certificates are all coalescing, industry experts are refocusing the next year on analyzing and adjusting current validation methods. The CA/B Forum have announced the Validation Summit that many CAs and Browsers will be attending to discuss potential issues with current validation methods and propose a series of improvements.
I don’t think this will be the last we hear about validation methods this year. CAs should be looking to be as strict as possible with validation (even for DV SSL Certificates), while our security folks should be working on ways to create new and improved methods that will improve the safety of the internet as a whole.
The Race for a Quantum Safe Algorithm
Are we getting close to a quantum computer that will crack current encryption methods? I have read a number of articles that appear to say we are, but of that I’m not so certain. There are others that say quantum computing is further off than we think it is. The truth is, making quantum computing work is difficult. But that isn’t to say that we shouldn’t worry about what effect it will have on encryption. Supercomputers still exist, and there are still applications for quantum safe algorithms out there!
The NSA and NIST are reacting to the public’s fears by putting a call out to cryptographers for a quantum safe algorithm. Will the next algorithm be code-based, lattice-based, or hash-based?
I am under the personal belief that we are a long way away from having to worry about quantum computing beating current computing methods. At this stage, we still aren’t sure what quantum computing will look like, how fast it will be, or how quickly it will break current encryption. So, how do we know what algorithm will beat it?
The main takeaway that I want to impart is that PKI doesn’t die when quantum computing is born. PKI simply evolves. We create new algorithms to beat the processing power in accordance with Moore’s Law, and we’ve still been able to develop algorithms faster than they need to be introduced. Look at SHA-3 – the reason you aren’t seeing widespread use yet is because SHA-2 still works perfectly fine.
About The Author: Doug Beattie is the Vice President of Product Management at GlobalSign. He is responsible for defining, positioning and launching all SSL-related products. Prior to joining GMO GlobalSign, Doug was Principal Systems Engineer at General Dynamics where he was the lead architect responsible for driving and building a smart card management system, issuing over 500K PKI-enabled smart cards for the US government. Prior to joining General Dynamics, Doug was the Director of Product Management at GeoTrust where he led the SSL line of business from their first SSL Certificate sale through the successful acquisition of the business. He has also held positions at CyberTrust Solutions, a PKI and e-Security firm, Securant Technologies, an access and privilege management product, and GTE Government Systems Corporation.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.