Those working in the trenches of TLS/SSL technology have first-hand experience with the rapid-fire pace of policy changes meant to create a more secure internet and protect user data. Once a set-it-and-forget-it technology, TLS/SSL now involves more touch points to manage the new requirements.
Some of those requirements impact all domain owners worldwide, while others are industry or region specific. According to the recently published Frost & Sullivan TLS/SSL Market Report, "Some of the changes taking place among web browsers as they remove identity information from users are seemingly at odds with government mandates worldwide. Where some governments worldwide are mandating for more identity at a time when the CA/B Forum is forging a path toward anonymity." It appears that all authorities with the ability to regulate TLS/SSL certificates and the certification authorities (CAs) that issue them have the same ultimate goal, to provide greater security, but their conclusions about how to get there can be at cross-purposes.
So, where does this leave businesses who need this technology to secure web communications?
The industry standards group, the CA/B Forum, is responsible for establishing the Baseline Requirements for certificate issuance that all CAs must abide by, and changes made by the group impact all domain owners worldwide. One update to the Baseline Requirements made in 2019 involved new methods for validating domain names. Businesses whose domains had been verified using once-acceptable methods had to go through a different verification process for their active certificates within a tight timeframe to avoid browser trust issues that could create a website outage.
Today, Entrust Datacard is preparing customers for a move to reduced certificate lifetimes under Apple Safari root program changes, which take effect on September 1, 2020 for new certificates. Shorter certificate lifetimes greatly increase the amount of time IT administrators will need to spend managing their TLS/SSL certificate inventory, causing some distress among enterprises. The Road to 398 -- or shorter certificate lifetimes -- is challenging for organizations that manage a large certificate inventory. These organizations need the help of a reliable CA, like Entrust Datacard, to support new reduced certificate validity periods.
Regulations specific to geographical regions are also cropping up across the globe and driving a need for more identity and greater transparency in some countries. The General Data Protection Regulation (GDPR), legislation based in the European Union (EU), has instituted one of the strictest sets of requirements for any organization in possession of personal data of its citizens and residents. The GDPR is an interesting example because the law covers both data protection and privacy, and puts control over personal data in the hands of each individual. This diverges from countries like the United States, where organizations collecting personal data retain control over that information. And the GDPR is serious about compliance. Organizations that don't comply face fines of up to 20 million euros or 4 percent of their total annual turnover, whichever is higher.
A separate regulation impacting the EU, the Revised Payment Services Directive (PSD2), also emphasizes transparency. PSD2 requires financial institutions in the EU to secure data transmitted from the web with a PSD2 Qualified Website Authentication Certificate (QWAC). PSD2 QWACs require stringent identity checking and enterprise authentication by national authorities that go beyond the already rigorous verification procedures provided in EV (extended validation) web server certificates.
While new industry and region-specific requirements are emerging globally that seem to emphasize a need for more transparency and greater identity confirmation to avoid stiff fines, many of the major browsers have moved in the opposite direction and modified how identity is displayed to users. As indicated in a previous blog, "It's interesting that browsers are starting to obscure identity indicators at a time when the trend toward identity transparency is increasing." While browsers are looking for ways to provide more security for users, these modifications give users less transparency and potentially expose them to greater risk.
Where once identity was coupled with security (the prominent EV identity UI at the top left of a website's URL), there seems to be a decoupling taking place at the browser level. The problem with this is that technically savvy bad actors can create fraudulent lookalike sites used for phishing attacks. These sites show the same security indicator as authentic ones, but lack the identity checking. Many users are unaware of where to find identity information in a browser and miss the step of ensuring that they are at their intended website.
If users can't tell the difference between real and fake websites, their personal information can be securely transmitted (that's good) but to a bad actor (that's bad). All users have now is a URL to identify whether or not they are at the real website. But Google research suggests that, "Many users do not look at the URL even when primed to try to identify fraudulent sites." At the same time, research has shown that there has been very little phishing incidence related to identity-based TLS/SSL EV certificates since they were first introduced in 2008, versus the high degree of incidence that occurs today with certificates lacking identity verification.
What role does website identity play during this pivotal time in the industry's history?
The rules surrounding authenticating the entity behind a transaction are varied and confusing. The Frost & Sullivan report sums it up nicely, "When you connect the dots presented in the research analysis, it's clear that there is a concerted need in the TLS/SSL industry for procedures and Best Practices that work for public and private sector businesses, government entities, and not-for-profit organizations as well as the people who rely on the underlying technology for protection. *** Regulatory changes in the browser root programs and across regions and industries that are ultimately meant to create a safer public IT ecosystem are taking effect at a historically rapid pace, forcing companies to scramble to keep up. Organizations (particularly large multinational businesses) are even more dependent on their CA to help them keep up. Some of the changes taking place among web browsers as they remove identity information from users are seemingly at odds with governments worldwide that are mandating for more identity at a time when the CA/Browser Forum is forging a path toward anonymity." In this climate, it's more important than ever for businesses to have a CA they can rely on to help them navigate through the complexity.