“If there’s compute power enough to hold a cert on them, they should have a cert on”
DigiCert CEO John Merrill was once introduced at a convention as the CEO of the company that saved the internet. It’s a characterisation he downplays as “a bit of a stretch”, but he certainly hopes that the company he runs will be remembered for restoring trust to the web.
Digital certificates giant DigiCert secures a massive 26 billion web connections daily, with customers including PayPal and Verizon; it also boasts a string of industry firsts, including being the first such company to launch an independent Certificate Transparency Log Server, the first to offer TLS for the Tor browser, and more.
The incident that won him the messianic plaudit, however, goes back to 2017, when Google issued a warning that its Chrome browser was going to distrust SSL certificates from DigiCert’s industry rival Symantec, which Merrill describes as having “fallen off the treadmill” when it came to Certificate Authority industry engagement.
(Such certificates are instrumental to an internet in which people feel secure that they can trust who they are connecting to. They are, essentially, signed credentials that bind a cryptographic key to a company’s online identity, letting a browser authenticate a web server and set up an encrypted connection to it; without them the padlock in your browser is just decoration.)
Speaking in Computer Business Review’s UK offices, the DigiCert CEO says the threatened loss of trust could have been a “catastrophic event” for the internet.
He doesn’t know what percentage of financial transactions used Symantec certificates at the time, but it was high: “Right now we’re probably north of 90 percent. So almost every bank and I think 100 percent of EU banks used Symantec.”
Imagine if suddenly banks and e-commerce sites could no longer authenticate themselves to a browser; how would anyone know what sites are safe to submit credit card details to, or be reassured that any data they sent was going to be encrypted?
The results would be dire: “Commerce and financial transactions on the Internet would have ground to a halt,” Merrill notes.
DigiCert CEO: We Landed a Hellacious Project
Symantec’s issues had started with a January 2017 public posting by Google’s engineers to the mozilla.dev.security.policy newsgroup, highlighting “questionable” website authentication certificates provided by Symantec Corporation’s public key infrastructure (PKI) arm, saying millions were non-compliant with industry CA/Browser Forum Baseline Requirements.
Symantec reacted with fury at the time, initially pushing back at the claims, before ultimately deciding it was fighting a losing battle. The company washed its hands of the problem and opted to sell its Public Key Infrastructure business to DigiCert for $950 million in August 2017.
“We had a good reputation, we had some strong people and some good tech. They decided just to sell that portion of their business to us,” comments Merrill.
In return for that $950 million, as the DigiCert CEO puts it, “we got handed a hellacious project… We conducted a biopsy and essentially replaced those certificates for free. It was a great opportunity for us, but it was a big mountain to climb in the sense that Symantec were given until December 2017 to stop issuing certificates.”
“We acquired them November 1 2017, with 30 days to change all of their systems and point them to ours. That was probably a six to 12 month project. We did it in one month.”
“The first set of Symantec certificates were going to be distrusted in March of 2018 and then by October of 2018, or one year later, all Symantec certificates across the globe were distrusted which were over five million and in every geographic location. So we spent a year essentially changing systems and replacing millions of certificates.”
“It was a great opportunity as a company, but we earned it.”
“I’m not sure it got the attention it should have; which I’m grateful for that as well, because people would have been really nervous about the outcome!”
Changing Standards and The EU
The CEO is keen to look forward though. The industry is a “treadmill business”, he notes: if you are not evolving and running forward you are going to tumble fast, and adapting to local or regional regulations is among the challenges.
Countries, or trading blocs like the EU, for example, can decide to come up with their own certificate protocols, which is exactly what the EU did when it created eIDAS, the EU’s regulation on trust services for electronic transactions, which became effective in mid-2016 and triggered a series of associated regulatory shifts.
Along with the second Payment Services Directive (PSD2) it has thrown up fresh challenges (local content rules and data centre requirements) and also opportunities in the CA world, inspiring one recent major DigiCert acquisition.
eIDAS and Quo Vadis
DigiCert’s acquisition of the Quo Vadis Group from the Swiss cybersecurity enterprise WISeKey closed on January 17 this year.
It was driven in part by the demands of eIDAS for a European presence – as well as opportunities afforded by PSD2.
PSD2, from June 2019, requires banking and financial services companies doing business in the EU to use “Qualified” website certificates for stronger identity assurance. QuoVadis’ European presence provides that qualification, and DigiCert says the deal aligns with its “vision of providing the world’s most globally dispersed and robust PKI-based solutions with local support.”
DigiCert, meanwhile, is also helping QuoVadis migrate PKI services to datacenters in the Netherlands and Switzerland to provide customers with enhanced privacy and data protection services.
As Merrill puts it: “We’re not a company that makes money off of data. We’re a company that makes money because we enable trust. So we don’t want to fight against those that are pushing privacy and trust; we want to enable them.”
Certificates: How Much of a Future?
When it comes to enabling trust, the certificates industry has had a tough run, with legitimate certificates widely available on the dark web, or being obtained unlawfully then used to help facilitate supply chain exploits. Is the industry increasingly a redundant one, as some are beginning to argue?
Merrill says digital certificates will always be needed: “Trusted authentication through the use of digital certificates is a time-proven method that will continue to provide robust encryption and identity as more and more systems and devices connect to the Internet… ”
“[as companies digitise] it becomes critically important to establish policies and procedures for properly managing certificates to avoid expiration, as well as protecting their keys. Companies must be sure that the software they distribute is signed by a highly trusted party, preferably using their own keys, and that they do not blindly distribute software that is signed by obscure third parties.”
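The policies Merrill describes above, a renewal check so certificates do not silently expire, and a rule that distributed software is accepted only when it is signed under a root you have chosen to trust, can be exercised end to end with Go’s standard library; the same code makes concrete the chain of trust sketched earlier in the article. What follows is an added example written for this page, not DigiCert’s or QuoVadis’ code: it builds a constructed in-memory hierarchy (a private root CA and one code-signing leaf, with made-up names), signs a stand-in artifact, and shows the verifier rejecting the same signature once the leaf has expired and rejecting a leaf issued by a second CA that was never added to the trust pool. The function names, the 30-day leaf lifetime and the artifact bytes are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // constructed demo: key generation, issuance or signing failed
	}
}

// issue generates a fresh P-256 key for tmpl and has signer certify it under parent;
// a nil parent means self-signed, so the new key signs its own certificate.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// BuildPKI is a constructed in-memory hierarchy (names are assumptions): a self-signed
// ten-year root CA and a leaf valid for leafDays days, restricted by EKU to code signing.
// It returns the root, the leaf and the leaf's private key.
func BuildPKI(name string, leafDays int) (*x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	now := time.Now()
	root, rootKey := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name + " Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, leafKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name + " Software Publisher (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(0, 0, leafDays),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, root, rootKey)
	return root, leaf, leafKey
}

// DaysUntilExpiry is the inventory check behind "avoid expiration": days left at time at,
// truncated toward zero (so 0 on the first lapsed day, negative after that).
func DaysUntilExpiry(cert *x509.Certificate, at time.Time) int {
	return int(cert.NotAfter.Sub(at) / (24 * time.Hour))
}

// SignArtifact signs the SHA-256 digest of a software artifact with the publisher's key.
func SignArtifact(artifact []byte, key *ecdsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyArtifact accepts the artifact only if the signer chains to a root in trusted, is
// valid at time at and permitted for code signing, and the signature then matches the bytes
// (CheckSignature hashes them with SHA-256 itself). A leaf issued by a CA that is not in
// the pool is rejected before its signature is even examined.
func VerifyArtifact(artifact, sig []byte, signer *x509.Certificate, trusted *x509.CertPool, at time.Time) error {
	opts := x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, artifact, sig); err != nil {
		return fmt.Errorf("signature does not match artifact: %w", err)
	}
	return nil
}

func main() {
	root, leaf, leafKey := BuildPKI("Example", 30)
	artifact := []byte("constructed installer bytes") // stands in for a real binary
	sig, err := SignArtifact(artifact, leafKey)
	must(err)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	now := time.Now()
	fmt.Println("days left:", DaysUntilExpiry(leaf, now))
	fmt.Println("trusted signer:", VerifyArtifact(artifact, sig, leaf, trusted, now))
	fmt.Println("after expiry:", VerifyArtifact(artifact, sig, leaf, trusted, now.AddDate(0, 0, 31)))
	_, otherLeaf, _ := BuildPKI("Obscure", 30) // issued by a CA nobody chose to trust
	fmt.Println("unknown CA:", VerifyArtifact(artifact, sig, otherLeaf, trusted, now))
}
```

Run it with `go run`; the error text in the last two lines comes from crypto/x509 itself. In a real deployment the pool would be populated from the roots the organisation has decided to trust rather than from a certificate minted in the same process, and the day count would feed a certificate inventory that triggers renewal well before zero, which is the management discipline the quote above is asking for.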
The proliferation of IoT devices is, in fact, making this more important, he argues.
“You know as long as there’s compute power enough to be able to hold a cert on them [IoT] devices, they should have a cert on; and a lot do that would surprise you.”
“We put certs on drones and pacemakers and things like that; key material to be small enough that in terms of the size of the key that you can put it on lots of devices.”
Our time’s nearly up, but there’s plenty more to discuss, not least future-proofing certificates against quantum brute-forcing of encryption.
“We’ve been working with Microsoft and several other companies to create quantum computer-resistant algorithms; in the United States, the National Institute of Standards is having a bake off for quantum computing algorithms. Microsoft’s is there… so we’ve actually pulled a couple of those [applications] and we’ve created quantum resistant certificates already; extrapolating a certain level of qubit quantum computer – which could hack an RSA algorithm very quickly.”
He adds: “This requires some increase in computer power to be able to make those efficient… So it’s a treadmill we’re always trying to stay on. But for banks, who are investing in infrastructure they want to have in place in 10 years, the quantum security risk is among their biggest concerns. We’re doing this now so people can test how it works on their existing processes; for a lot of people it’s like turning a tractor.”
The CEO is on a roll, talking with genuine enthusiasm about the projects DigiCert Labs’ R&D team is working on, including the ability to embed QR codes in pictures to tackle the issue of doctored images in a “fake news” environment (“you can’t see as you look at it but a computer can see it and you can determine if something’s been altered”) and “signed exchange certificates” to authenticate the credibility of news stories with Google. But his comments are beginning to be regularly peppered with “this is off the record”, the PR is faintly restless and our time is, sadly, up.