The Certificate Authority Security Council (CASC) aims to advance the state of Internet security and act as an advocacy and standards building group for the SSL industry. The CASC’s initial membership consists of the largest CAs in the world, including GoDaddy, Symantec, Trend Micro, Comodo, DigiCert and Entrust.
“The reason for creating the Security Council is that there have been increased security threats against CAs from at least 2011,” said Kirk Hall, operations director, Trust Services at Trend Micro.
According to Hall, the first public report of a wrongly-issued SSL certificate by a CA was in 2001. Hall argued that over the last 12 years CAs have done a stellar job of maintaining trust and security.
Noting that there are some 2 million trusted certificates issued every year by all CAs worldwide, Hall said, “We estimate that since 2001, there have been approximately 1,000 wrongly-issued certificates.”
Of those wrongly-issued SSL certificates, half are directly attributable to DigiNotar, the disgraced CA that was hacked by attackers. Hall characterizes the other half as simply “mistakes” where no system or infrastructure level hacks occurred.
Doing the math, Hall estimates that since 2001 approximately 91 bad SSL certificates have been issued each year. That provides an accuracy rate of approximately 99.995 percent since 2001.