Digital Certificates (“certificates”) are critical to Internet security. A certificate is an electronic file that binds a public key to the identity of its holder, and so makes it possible for information to be transferred privately, and to an authenticated party, over the Internet. Such information may include personal identifying information, individually identifiable health information, proprietary information, and confidential information. Certificates provide assurance to Internet users by verifying the identity of the destination to which a user is sending sensitive or confidential information.
Certificates are issued by Certificate Authorities (“CA”s), or by trusted intermediaries of CAs. As used herein, a CA may also include an intermediary of a CA. An intermediary CA derives its trust from a root CA: the root CA signs the intermediary's own certificate, and the intermediary, which is commonly operated by or on behalf of the root CA, then issues certificates under that authority. A CA issues a certificate, signed with the CA's private key (the certificate is not encrypted; the signature is what allows anyone holding the CA's public key to confirm that the CA issued it), to a requesting website operator after the CA has taken measures to verify the identity of the website operator and its control of the domain named in the certificate. The thoroughness of this verification varies widely across different CAs.
A website operator may request and obtain certificates from multiple CAs, both for redundancy and because not all browsers trust all CAs. A website operator is motivated to use only trustworthy CAs, since widespread reliance on such CAs promotes their acceptance by browsers.
When an Internet user visits the website, the website presents its certificate to verify its identity to the visiting Internet user. When presented with a certificate, an Internet user, generally through a browser such as Internet Explorer, Chrome, or Firefox, consults its list of trusted CAs. If this list includes the CA that issued the certificate, the browser verifies the certificate's signature with that CA's public key, confirms that the certificate names the domain being visited and is within its validity period, and will then generally believe the information in the certificate, i.e., the Internet user will believe that the website is operated by the entity identified in the certificate.
Browsers maintain lists of CAs that they trust and, in some cases, lists of CAs that they explicitly do not trust. These lists may range from very few CAs to numerous CAs. Accurately distinguishing trusted from untrusted CAs is of utmost importance: if even one of the browser's trusted CAs issues a bad certificate, a security compromise has occurred, which may result in an Internet user providing sensitive information to a malicious entity, or in other undesirable consequences. Browsers generally apply a binary classification to CAs, “trusted” or “untrusted,” and all “trusted” CAs are equally trusted, i.e., the browser does not trust any “trusted” CA more than any other “trusted” CA.
This binary classification system does not reflect the real world, in which the trustworthiness of a CA varies continuously on a spectrum ranging from completely untrustworthy to completely trustworthy, with all levels of trust in between. While some CAs have stringent requirements for issuing a certificate, other CAs have practices that can result in poorly vetted certificates. For example, some CAs may do nothing more than make a quick phone call or a quick Internet check to verify the identity of a domain owner, while other CAs may investigate the alleged physical location of the entity requesting the certificate, send and receive mail at that location, or verify identity through third-party systems or resources. As mentioned above, reliance on a CA that issues poorly vetted certificates is a dangerous security risk for Internet users, and may result in an Internet user disclosing sensitive information to a phishing website masquerading as a reputable entity. For example, an untrustworthy CA may issue a certificate indicating that the domain www.anazon.com (“anazon” instead of “amazon”) is operated by Amazon, when in reality anazon is operated by thieves attempting to obtain a user's credit card information.
It would be beneficial to Internet users, browsers, internetworking agents, website administrators, server operators, or any other party which may be vulnerable to or otherwise have an interest in security compromises resulting from untrustworthy CAs, to employ a method and system for assigning scores to CAs and ranking CAs in a manner that reflects their varying levels of trustworthiness, instead of concluding that every CA is either “trusted” or “untrusted.” Using a ranking system, a browser or other entity, as identified above, could increase security by relying more heavily on the most trustworthy CAs, and turning to less trustworthy CAs (although still worthy of some trust) only when necessary. In some cases, even though two CAs may both be worthy of some trust, one may be worthy of more trust than the other, as in the case where one of the CAs has previously been compromised, has previously mis-issued certificates, has issued certificates for phishing websites, or has manifested other signs of untrustworthiness. In some circumstances, a browser or other entity may continue to trust a CA simply because it is a large, widely accepted and trusted CA, without any analysis as to whether the CA is worthy of trust. What is needed is a system and method for granularly assigning security scores to and ranking CAs, and for using this scoring and ranking system to increase security.