Monday, July 14, 2014

The Learning Process Seems Hard .....

Once again mis-issued certificates are in the news. I would like to be able to say that this will not happen again, but it seems that not enough people are willing to learn the history of Identity Management and begin to implement the mitigation measures that would reduce the impact of these events.

This time around it was an Indian Government agency, NIC, that was in control of the issuing CA. Part of the process did work here, in that the Indian Government's auditing function reacted fairly quickly to the issue, revoked the issuing CA, and for now has no plans to put that CA back online. That being said, the work that Google and Yahoo will have to do to ensure that vulnerable browsers and operating systems take the correct action to mitigate the risk is not insignificant. On top of that, we are not yet sure that Google and Yahoo were the only ones affected ... at least not yet.

The timing of this is quite interesting for me, as I am currently working with a client who is looking at options for certificate-based authentication, both privately rooted and publicly rooted. They will use a hosted service, but I was very insistent that they implement smart card based authentication for all administrators, and then put in place practices and policies for log review to ensure that the known administrators are adhering to policy.

Sounds simple, doesn't it? Implement a stronger means of authentication for RAs and LRAs, and then review the issuance logs, which can be done automatically. So given this, why are people not doing it? Yes, some are, but there are still many issuing CAs out there that allow RAs and LRAs to log in with userid/password.

If you are a corporate or organizational Security Officer I encourage you to do a couple of things:

  • If you operate a CA, or operate an RA/LRA for a hosted or public CA service, implement strong authentication for the credentials used in the issuance process. If your CA vendor does not support that ... CHANGE VENDORS.
  • If you operate RAs or LRAs, run checks on a regular (preferably daily) basis to ensure your RA/LRA accounts are not compromised. This can be fully automated by scanning the issuance logs.
  • If you have not gone through the trusted root stores that are used within your environment, have that task looked into and remove the roots that you do not use.
Again, these are not difficult things, but my experience tells me that they are not being completed across the board. If you want to stay off the front page of technical blogs and magazines, I would suggest taking some of the points above and starting to implement them.
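To make the second bullet concrete, here is an added example of what a daily issuance-log review can look like. It is not code from the original post and not any CA vendor's real log format: the pipe-separated record layout, the field names, the RA account names and the policy values are all constructed assumptions. The check does the three things the post asks for: flag issuance by an account that is not a known RA/LRA, flag issuance authorised with something weaker than smart card authentication, and flag a certificate whose subject name falls outside the name space the RA is allowed to issue for (the mis-issued Google and Yahoo certificates would have tripped that last check on day one).

```python
"""Daily review of CA issuance logs (constructed example, not a vendor format)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Constructed sample log: one issuance record per line, pipe-separated.
# timestamp | RA account | auth method used by the RA | requested subject | serial
SAMPLE_LOG = """\
2014-07-14T08:02:11Z|ra-alice|smartcard|mail.example-corp.test|1001
2014-07-14T09:15:43Z|ra-bob|smartcard|vpn.example-corp.test|1002
2014-07-14T11:30:05Z|ra-bob|password|intranet.example-corp.test|1003
2014-07-14T13:47:59Z|ra-mallory|smartcard|www.example-corp.test|1004
2014-07-14T14:05:22Z|ra-alice|smartcard|mail.google.com|1005
"""

# Policy (assumed values): the accounts permitted to act as RA/LRA, the
# authentication method they must have used, and the name space they may
# issue for. In practice these come from your CP/CPS and your directory.
KNOWN_RAS = {"ra-alice", "ra-bob"}
REQUIRED_AUTH = "smartcard"
ALLOWED_SUFFIXES = (".example-corp.test",)


@dataclass(frozen=True)
class Issuance:
    when: datetime
    ra: str
    auth: str
    subject: str
    serial: str


def parse_log(text: str) -> List[Issuance]:
    """Parse the constructed log format; reject malformed lines loudly."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, ra, auth, subject, serial = parts
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(Issuance(when, ra, auth, subject.strip().lower(), serial))
    return records


def review(records: List[Issuance]) -> List[Tuple[str, str, str]]:
    """Return (serial, finding, detail) for every record that violates policy."""
    findings = []
    for r in records:
        if r.ra not in KNOWN_RAS:
            findings.append((r.serial, "unknown-ra", f"issued by {r.ra}"))
        if r.auth != REQUIRED_AUTH:
            findings.append((r.serial, "weak-auth", f"{r.ra} authenticated with {r.auth}"))
        if not r.subject.endswith(ALLOWED_SUFFIXES):
            findings.append((r.serial, "out-of-scope", f"subject {r.subject} not in allowed name space"))
    return findings


def daily_report(text: str) -> List[Tuple[str, str, str]]:
    """Entry point for a scheduled job: parse the day's log and return findings."""
    return review(parse_log(text))


if __name__ == "__main__":
    for serial, finding, detail in daily_report(SAMPLE_LOG):
        print(f"serial {serial}: {finding}: {detail}")
```

Run against the sample log this reports three findings: serial 1003 was authorised with a password, serial 1004 was issued by an account that is not a known RA, and serial 1005 is for a name outside the organisation's name space. Each of those is a ticket for the security officer, not a statistic; the point of running it daily is that a compromised RA account shows up the same day rather than when someone else notices in the news.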

Again - history is a wonderful teacher .... but you need to understand history, and how that history affects what you do.