What is the CA/Browser Forum & Its Role in Internet Security
The CA/Browser Forum Works as a Voluntary Organization of CAs, Browsers & PKI Enabled Applications
Yes, that padlock and HTTPS signifies that the website you’re visiting is secured with an SSL/TLS Certificate, also called as security certificate that gives assurance to users that the site they’re visiting is genuine and safe. For example, any shopping portal or banking website that deals with sensitive information of users on a daily basis. And for that, users are required to trust them, which are achieved by these SSL/TLS certificates.
However, these certificates provided by the Certificate Authorities (CAs) need to be trustworthy, and to decide about that or setting new guidelines that followed by the operating systems, browsers are done by this CA/Browser Forum.
Let’s dig into details and explore this CA/Browser Forum, which is quite unheard of, especially to regular internet users.
What’s the CA/Browser Forum?
The guidelines maintained by the CA/Browser Forum covers system & networking security, SSL/TLS Certificate, and Code Signing Certificate. Furthermore, these CAs and Browsers make the majority of this CA/Browser Forum.
Let’s see what roles each of these parties, i.e., CAs & Browsers play when it comes to securing the information on the web.
CAs (Certificate Authorities)
Also, these CAs are equally responsible for whom they issue these SSL/TLS certificates, and for that, they follow security practices for a safe and secure web. And these security practices (which are regularly updated as per the new information) are mentioned in the Baseline Requirements, which is required to be followed by all the CAs while implementing high-risk checks to make sure that they review requests if it looks suspicious.
In order to make browsing experience safe and secure, they even actively participate in making changes on a regular basis by updating their browsers, and the past few years are proof that they’re putting their work into it. For example,
- Showing warning messages such as Not Secure or other SSL Errors.
- In specific scenarios blocking website to load on the browser, if SSL certificate is not installed.
- Displaying the name of the company on the click of the padlock in the URL bar (if the website has installed an Extended Validated SSL/TLS Certificate) for differentiating legitimate sites from the imposters.
Here’s How CA’s Work With the CA/Browser Forum for Setting Out Rules & Regulations for Making the Internet Safer
- Domain Validation Methods
- SSL/TLS Certificate Validity
Domain Validation Methods
These set of rules and guidelines for defining validation methods are done together by the CA/Browser Forum and CAs like Comodo and DigiCert.
SSL/TLS Certificate Validity Period
And, how much must be the validity period of the SSL/TLS certificate is an old age debate. Earlier before March 2015, it wasn’t new to find that SSL/TLS Certificate was offered for the validity period of 4 and 5 years, and then it was reduced to three years, which was later on reduced to 2 years lifecycle as of March 2018. And even discussion had happened to reduce it further, though it was rejected.
However, all these discussions and implementing the final result are not done solely by the CA/Browser Forum, but CAs decision is also involved with it.
Here’s How the Decision Is Made by the CA’s & the CA/Browser Forum
For example, as per one of the requirement, all the users who require SSL/TLS Certificate must come from the CAs who is trusted by Google Chrome, and also the certificate must be compliant with the Google CT policy.