Secure Socket Layer (SSL) technology has been and is still at the heart of secure web communication for just about as long as there has been a commercial internet. Based on algorithms developed by RSA, SSL certificates are available from more than several certificate authorities. Verisign built an Internet powerhouse on the basis of its SSL business. Consumers have grown up knowing that when they see that closed lock in their browser they can be confident that their communication is secure.
Lately, though, the fact that the lock was there has not always meant all was well. There have been incidents of forged certificates, hacking into Certificate Authorities, and the planned phase out of the 1024-bit RSA certificates. The fear is that with the pure computational power available today, the venerable 1024-bit certs could be brute forced. NIST has mandated the move to a new 2048-bit RSA standard.
Some are questioning whether the new 2048 certs are strong enough. But a bigger issue is the larger the bits of encryption, the more time and cycles it takes to use on both servers and in browsers. Moving up to 2048 bits is going to make an impact on speed and resources. Worse, if we have to move to 3072 bits, the load on servers and browsers is even worse. As you go up the ladder in bits, the load becomes increasingly more heavy.
Yes, the good old SSL is a little bit long in the tooth. Seems like a good refresh might be in order. The good news is that a refresh is coming, too. In addition to upgrading to the 2048-bit RSA standard, we now have two new standards for SSL. One is the DSA standard developed by the NSA. It uses a different algorithm then the RSA certificate, but in terms of size, the new NIST standard would require a 2048-bit certificate.
Another option is the Elliptic Curve Cryptography (ECC) algorithm. At only 256 bits, it is much smaller and therefore easier on the resources of both servers and endpoints. You can read a lot about it and about Symantec's new SSL certificates coming out that support it in a good article by Ellen Messmer here. The chart below shows some of the advantages of ECC.
By the way, those new Symantec certs support all three algorithms. Other certificate authorities are offering some "hybrid" ECC support. Symantec, as the owner of the Verisign business, is way out in front there, though. It has already ceded the ECC root in most of the major browsers, and most web servers have support for it as well. The question will be how quickly the ECC standard is adopted by other authorities and users of SSL certificates. But it would seem the advantages of ECC lead to its inevitable adoption.
But there is more news on the SSL front as well. The major certificate authorities have formed a new industry association to bring some leadership to the SSL certificate industry. Not a standards body, the new CA Security Council, according to this article on Dark Reading, "plans to serve as a research, security advocacy, and education organization for the SSL CA world, its founders say. It plans to support the work of the CA/Browser Forum and other standards bodies, and to help develop enhancements to SSL and the security and operation of the CA process."
By the way, there is a great FAQ on SSL over at the CASC site. If you are not up on SSL technology, have sort of just gone with the flow and want an easy to understand explanation, it is a good place to start.
In the meantime, that wily old padlock looks like it is getting another chance. With new technology and Certificate Authorities working together, we can probably all sleep easier.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast. Follow him on Google.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.
Policy on comments: Respectful discussion is welcomed! However comments that use inappropriate language, consist of name calling or personal attacks, or include accusations of wrongdoing are not appropriate. Those comments will be deleted or edited.