CTO unveils the inner workings of the Certificate Authorities and his plans to shape their future
Today, during the RSA Conference 2013, I had the opportunity to meet with the GlobalSign CTO, Ryan Hurst. Through GlobalSign, he will make waves across the industry, in a leadership role, by improving speed, performance and automation in the field of Certificate Authorities (CAs). What could have been a boring discussion of a least-covered, no-one-gets-excited area of INFOSEC became one of my most invigorating dialogs of the show so far. Ryan, by the way, has a side project called http://revocation-report.x509labs.com which allows you to compare the revocation checking speed of the leading CAs. This might not sound like a big deal – but it is – really big. Don’t you hate it when your browser seems slow and you blame it on your internal LAN or the router or the ISP? What if you could see which SSL connections you are making, based on their performance? Here’s an example – you go to some https://retailsite#1.com and the initiation of the SSL connection takes 159ms, but your other favorite site, https://retailsite#2.com, takes only 32ms to initiate the SSL connection – you probably think the 2nd site has a better server, spent more money on their e-commerce infrastructure, etc.
The reality is that some Certificate Authorities are actually MUCH better than others at answering those revocation checks – like GlobalSign. But how could you tell? Before this little project at x509labs.com you couldn’t. Now you can! It’s fantastic. You can call up retailsite#1.com and say “hey, I noticed you’re buying your SSL certs from Vendor A… well, they can’t answer a session initiation request fast enough and it’s making you guys look slow, so I shop somewhere else now, where they use certs from Vendor B.” I think this is powerful information in the hands of the consumer. So now that I’m convinced Ryan Hurst is at that mad-scientist genius level, we get into a real discussion about his day job and passion: improving the CA marketplace for the better. Ryan tells me that the big fix to the CA world will be Certification Automation. Every time an IT administrator has to update a cert, or heaven forbid he gets replaced on the job, this becomes a major concern for banking, retail, healthcare and other vertical market players. Wouldn’t it be better to take the human risk and error out of the equation? How about automated updates of your certificates, by having the CA’s product actually become a member of your admin domain, within your organization? How cool is that?
By the way, here are some links Ryan Hurst provided me to pass on to you – when you get the time, check them out:
- http://www.webpagetest.org/ – Run a free performance test for your website
- https://sslcheck.globalsign.com – Check your SSL configuration
- https://insouciant.org/tech/ssl-performance-case-study/ – Optimizing SSL performance
- http://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30 – OCSP Stapling
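To see for yourself whether a site's TLS handshake depends on a round-trip to the CA's revocation responder (the delay the x509labs report measures, and the thing OCSP stapling removes), here is an added shell example of mine, not code from the article, GlobalSign or x509labs. It assumes the openssl CLI is installed, that `date` is GNU date (for `%N`), and that HOST is a server you administer.

```shell
#!/bin/sh
# Added example (not from the article, GlobalSign or x509labs): does a site
# staple its OCSP response, or does every new visitor pay a round-trip to the
# CA's revocation responder? Assumes the openssl CLI; measure_ocsp also
# assumes GNU date (%N). HOST is a server you administer.

# classify_stapling: read `openssl s_client -status` output on stdin and
# print stapled, not-stapled or unknown.
classify_stapling() {
    out=$(cat)
    case "$out" in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo not-stapled ;;
        *)                                     echo unknown ;;
    esac
}

# check_host HOST [PORT]: connect with SNI and classify the stapling status.
check_host() {
    host=$1; port=${2:-443}
    : | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null \
        | classify_stapling
}

# measure_ocsp HOST: fetch the leaf and issuer certificates, read the OCSP
# responder URL from the leaf, and time one OCSP query, i.e. the delay a
# client pays when no stapled response is offered.
measure_ocsp() {
    host=$1
    tmp=$(mktemp -d)
    : | openssl s_client -connect "$host:443" -servername "$host" -showcerts 2>/dev/null \
        | awk -v d="$tmp" '/BEGIN CERT/{n++} n{print > (d "/cert" n ".pem")}'
    uri=$(openssl x509 -in "$tmp/cert1.pem" -noout -ocsp_uri)
    start=$(date +%s%N)
    openssl ocsp -issuer "$tmp/cert2.pem" -cert "$tmp/cert1.pem" -url "$uri" \
        -noverify >/dev/null 2>&1
    end=$(date +%s%N)
    rm -rf "$tmp"
    echo "$uri $(( (end - start) / 1000000 )) ms"
}

# Constructed sample (not captured from any real host) so the parser runs offline.
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent'
printf '%s\n' "$SAMPLE_NOT_STAPLED" | classify_stapling   # prints not-stapled
```

Run `check_host` against a host you run; if it prints not-stapled, `measure_ocsp` on the same host shows roughly what each non-stapled client pays to the CA's responder before the page starts loading.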
As GlobalSign continues to lead the pack and reshape a better future for Certificate Authorities, this should lead to better, faster, safer e-Commerce transactions, privileged online document access and so much more. You might even find Facebook, Twitter and others becoming safer places. Keep an eye on GlobalSign, as they have a visionary CTO who has the ideas and the authority to carve a new and brighter future for this most critical area of information security. Remember – encryption is ‘key’ and the CA is the underpinning for all of our transactions.
Gary S. Miliefsky, CISSP®
(Sources: CDM and GlobalSign)