×

Get your FREE copy of "The Ultimate Guide of SSL"

Download Ebook

What is the CA/Browser Forum & Its Role in Internet Security

The CA/Browser Forum Works as a Voluntary Organization of CAs, Browsers & PKI Enabled Applications

Whenever you visit any website, you might have noticed that the security certificate is installed on it. One of the prevalent visible indicators is a padlock in the address bar or the URL starting with the HTTPS://.

Yes, that padlock and HTTPS signifies that the website you’re visiting is secured with an SSL/TLS Certificate, also called as security certificate that gives assurance to users that the site they’re visiting is genuine and safe. For example, any shopping portal or banking website that deals with sensitive information of users on a daily basis. And for that, users are required to trust them, which are achieved by these SSL/TLS certificates.

However, these certificates provided by the Certificate Authorities (CAs) need to be trustworthy, and to decide about that or setting new guidelines that followed by the operating systems, browsers are done by this CA/Browser Forum.

Let’s dig into details and explore this CA/Browser Forum, which is quite unheard of, especially to regular internet users.

cab-browser-forum

What’s the CA/Browser Forum?

The CA/Browser Forum (The Certification Authority Browser Forum) is one type of voluntary organization for Internet browsers, software vendors, PKI-enabled applications, and operating systems. Further, these vendors and browsers promote the guidelines for the issuance and management of digital certificates such as X.509 v.3, which are chained with a trust anchor while being embedded with them.

The guidelines maintained by the CA/Browser Forum covers system & networking security, SSL/TLS Certificate, and Code Signing Certificate. Furthermore, these CAs and Browsers make the majority of this CA/Browser Forum.

Let’s see what roles each of these parties, i.e., CAs & Browsers play when it comes to securing the information on the web.

CAs (Certificate Authorities)

Certificate Authorities such as Comodo, Sectigo, GeoTrust, DigiCert are the one who issues these SSL certificates, and in order to do that, they have to follow specific industry standards. Also, they are responsible for validating information of the certificate and follow other processes like vetting in which they filter the requests of those whose websites are similar to phishing sites.

Also, these CAs are equally responsible for whom they issue these SSL/TLS certificates, and for that, they follow security practices for a safe and secure web. And these security practices (which are regularly updated as per the new information) are mentioned in the Baseline Requirements, which is required to be followed by all the CAs while implementing high-risk checks to make sure that they review requests if it looks suspicious.

Web Browsers

No doubt, browsers come in last when it comes to defending for making web experience safe and secure, and at first, they’re responsible for the easy UI to connect with sites via HTTPS. But again, like CAs, popular web browsers such as Microsoft Edge, Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome, and Opera are involved with this CA/Browser Forum. And, that makes them equally responsible for making web experience safe and secure.

In order to make browsing experience safe and secure, they even actively participate in making changes on a regular basis by updating their browsers, and the past few years are proof that they’re putting their work into it. For example,

  • Showing warning messages such as Not Secure or other SSL Errors.
  • In specific scenarios blocking website to load on the browser, if SSL certificate is not installed.
  • Displaying the name of the company on the click of the padlock in the URL bar (if the website has installed an Extended Validated SSL/TLS Certificate) for differentiating legitimate sites from the imposters.

Here’s How CA’s Work With the CA/Browser Forum for Setting Out Rules & Regulations for Making the Internet Safer

Popular CAs such as DigiCert, Comodo works along with the CA/Browser forum to define new standards and requirements. And two of the areas where these CAs definitely involves with the CA/Browser forum are:
  • Domain Validation Methods
  • SSL/TLS Certificate Validity

Domain Validation Methods

Vetting of any domain for the requested SSL certificate is done based upon specific guidelines set for them. Different SSL certificates, namely, Domain Validated SSL, Organization Validated SSL, and Extended Validated SSL, have a different requirement, and their validation methods are different as well. For example, if anyone requests for EV SSL Certificate, the validation process of EV will be very stringent and separate from the other two.

These set of rules and guidelines for defining validation methods are done together by the CA/Browser Forum and CAs like Comodo and DigiCert.

SSL/TLS Certificate Validity Period

The validity period is one of the crucial things about any digital certificate, as it gives the right balance between the risks involved. For example, more extended validity periods may require less renewal process, but it can involve the security risk. If new vulnerability arises or something gets deprecated, such as SHA-1 or previous SSL versions, then it only worsens the situation by making websites vulnerable to attacks.

And, how much must be the validity period of the SSL/TLS certificate is an old age debate. Earlier before March 2015, it wasn’t new to find that SSL/TLS Certificate was offered for the validity period of 4 and 5 years, and then it was reduced to three years, which was later on reduced to 2 years lifecycle as of March 2018. And even discussion had happened to reduce it further, though it was rejected.

However, all these discussions and implementing the final result are not done solely by the CA/Browser Forum, but CAs decision is also involved with it.

Here’s How the Decision Is Made by the CA’s & the CA/Browser Forum

Discussion among the CA/Browser Forum and CAs is done at least for a week. Then the ballot moves into another one-week voting period, by keeping in mind no further discussion or substantial change is needed. And, the decision is based upon that voting. Furthermore, if there’s any complex topic, then they’re often discussed in the face-to-face meeting that’s held three times in a year, where all the key participants actively discuss the pros and cons and how the change will affect the users.

For example, as per one of the requirement, all the users who require SSL/TLS Certificate must come from the CAs who is trusted by Google Chrome, and also the certificate must be compliant with the Google CT policy.

Summary

So, here you have it. If you have questions regarding what’s the CA/Browser forum, how it’s essential with the security certificates and how CAs work along with them, then all these questions are answered here. By going through this article, you can stay assured that this mysterious CA/Browser Forum won’t be a mystery anymore.

Related Articles:

Disclosure: AboutSSL appreciates your continuous support. It helps us tremendously to keep moving in the competitive SSL industry. Here most of the links which direct you to buy any SSL/TLS related service or products earns us a certain percentage of referral commission. Learn More
Download Site Seal
comodo-trust-seal
SSL Checker