Why Your Certificate Authority Matters


By now you may already know about the Turkish Certification Authority TÜRKTRUST, which has mistakenly issued two Intermediate Certificates for two companies in Turkey.

With these certificates, both a Turkish bank and a state agency were able to issue fraudulent certificates for domains they did not control.

In one case, a Wildcard Certificate for *.google.com was issued without Google’s knowledge. According to TÜRKTRUST, the incident happened during a Software migration in August 2011. According to one of the public statements of the CA, the profiles of the Intermediate Certificates were shifted to a production server. This was the reason for the unnoticed issuance of the Intermediate Certificates.

Google detected the certificate was issued falsely on its domain on December 24. The Intermediate Certificates of Google, Mozilla, and Microsoft became blacklisted after the incident. In addition, Google Chrome’s Browser will no longer acknowledge the status of TÜRKTRUST SSL Certificates with EV (green address bar) .

What caused this incident?

The news and social media that follow this event express similar doubts concerning the CA model to those after the compromise of the infrastructure of Comodo and DigiNotar in 2011. While the critics continue the discussion about the reconsideration of CA models, the actual reason behind TÜRKTRUSTs misbehavior has never emerged.

It’s estimated that the costs for the commissioning a small CA mount up to the considerable sum of 1 million US dollars. The operators of smaller CAs act mostly in all conscience, still the SSL market is a very difficult field with famous international competitors. Certificates must be issued constantly with low costs, great speed, and accurately.

To be competitive in this market, smaller CAs try to maintain their business by means of economizing at the expense of necessary investments in hardware, software, employee trainings, quality management, external audits, infrastructure, etc.

In the case of TÜRKTRUST, there were no (monitoring/early detection) systems that could prevent what happened. Furthermore, TÜRKTRUST has not provided any evidence on the CA/browser forum about the fulfillment of guidelines that came into force in July 2012 and were compulsory for every member. Unfortunately, TÜRKTRUST is not the only CA that fails to fulfill these security requirements. Symantec (incl. SSL brands GeoTrust and Thawte) is the only CA that has publicly announced its correspondence to these guidelines.

In addition, the number of Certification Authorities has drastically increased from a handfull to hundreds of globally operating CAs during the last years. As a result, the strict and industry essential safety pads and “CA/browser forum baseline requirements v.1.0” go often unfulfilled  by more and more CAs. Each CA is responsible for ensuring quality standards. One mistake in the validation process or the issuance of a faulty (sub-root) certificate threatens the trust in the SSL system.

With questions over security, privacy, and business continuity, remember that not all CAs are similarly equipped and built, and equally trustworthy.