
Following a slew of issues with certificate authorities (CAs) and cyber criminals using stolen digital certificates, Google and Mozilla are set to enforce the Baseline Requirements for how long certificates should be trusted.
The requirements specify that CAs should not issue any certificates with a validity period longer than 60 months.
The Baseline Requirements, a document compiled by the Certification Authority Browser (CA/B) Forum, sets out a long list of requirements for the operation of a certificate authority and issuance of certificates. The CA/B Forum is a voluntary organisation of certification authorities and vendors of Internet browser software and other applications.
Ryan Sleevi, a senior software engineer at Google, said in a Cabforum.org post that Google has decided to implement additional programmatic checks in the Google Chrome and Chromium browsers.
He said these changes will take effect beginning 2014, and will "reject as invalid any and all certificates that have been issued after the Baseline Requirements Effective Date of 2012-07-01 and which have a validity period exceeding the specified maximum of 60 months".
Mozilla said it was following suit, and announced it was making the changes in its Bugzilla bug database.
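The validity check Sleevi describes, written out as an added example rather than Google's or Mozilla's own code. The article does not say how "60 months" is measured, so calendar-month arithmetic with the day clamped to the target month's length is this example's assumption; the sample certificate records are constructed, not real.

```python
from datetime import date
import calendar

# Effective date of the CA/B Forum Baseline Requirements and the maximum
# validity period they allowed, both as quoted in the article.
BR_EFFECTIVE_DATE = date(2012, 7, 1)
MAX_VALIDITY_MONTHS = 60


def add_months(d: date, months: int) -> date:
    """Shift a date forward by whole calendar months.

    When the target month is shorter, the day is clamped to its last day
    (31 Jan + 1 month -> 28 or 29 Feb). Calendar-month arithmetic with
    clamping is this example's assumption about how "60 months" is measured.
    """
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def exceeds_max_validity(not_before: date, not_after: date) -> bool:
    """Return True for a certificate the article's rule would reject.

    Only certificates issued on or after the effective date are subject to
    the check; older certificates pass regardless of their lifetime.
    """
    if not_before < BR_EFFECTIVE_DATE:
        return False
    return not_after > add_months(not_before, MAX_VALIDITY_MONTHS)


def rejected_subjects(certs):
    """Apply the check to (subject, notBefore, notAfter) tuples and return the
    subjects a browser implementing the rule would refuse to trust."""
    return [subject for subject, nb, na in certs if exceeds_max_validity(nb, na)]


# Constructed sample inventory (not real certificates): one legacy certificate,
# one exactly at the limit, and two over it, one issued at a month end.
SAMPLE_CERTS = [
    ("legacy.example", date(2012, 6, 30), date(2022, 6, 30)),
    ("at-limit.example", date(2012, 7, 1), date(2017, 7, 1)),
    ("too-long.example", date(2012, 7, 1), date(2017, 7, 2)),
    ("month-end.example", date(2013, 1, 31), date(2018, 2, 1)),
]

if __name__ == "__main__":
    print(rejected_subjects(SAMPLE_CERTS))  # ['too-long.example', 'month-end.example']
```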
According to Threatpost, times have not been easy for certificate authorities of late; it cites the example of the Comodo hack. Comodo, a prominent issuer of secure sockets layer (SSL) certificates, erroneously issued nine fraudulent SSL certificates for seven Web domains, including Google.com, Yahoo.com and Skype.com, following a security compromise at one of its affiliates.
Another incident saw Dutch digital certificate authority DigiNotar being hacked, resulting in its SSL and EV-SSL CA system being breached. Following the breach, more than 500 rogue DigiNotar digital certificates were created for such high-profile domains as cia.gov, microsoft.com, Microsoft's windowsupdate.com, and mozilla.org, as well as one posing as VeriSign Root CA.
This resulted in DigiNotar's certificates being blackballed by most browser vendors, and the company eventually filing for bankruptcy.
Following an attack on a CA, it is usually up to the browser vendors to step in, and remove trust for compromised certificates to protect their users from dodgy certificates.
Sleevi said although restricting the validity period of certificates isn't a silver bullet, shortening the validity period will curb the practice of continuously reissuing certificates that have already been approved.