One topic that comes up fairly frequently in various places is security within CAs and, in this regard, there were two new incidents in January this year. The incidents have been discussed fairly broadly already, so I won't provide the details again.
The certificate system is periodically threatened when a CA issues a certificate for a website whose owner neither asked for it nor was informed that 'their' certificate had been issued. For a period of time, a phishing website can then pretend to be the real website while also accepting HTTPS connections from end-users. In turn, the rogue site can gather sensitive information from those users, including logon credentials, credit card numbers, birthdates and so on. That is plenty of material for later attacks, in which the end-user could be impersonated on the real website and (potentially) on other sites as well.
Certificate Transparency (CT) was put in place to help detect such certificate misissuance, so for misissuance to have occurred again, in 2017, is something of a surprise. In fact, the CA that did it was already on 'strike 1', to borrow a baseball term. However, with the CT logs working as they should, the same CA was detected again and is now, arguably, at 'strike 2'! Draw your own conclusions on why that happened and whether it will happen again ...
However, as a consequence of this, there has been a further response from the CA/Browser Forum. An initiative called CAA, initially launched in 2013, will now become mandatory in Sept 2017. This effectively blocks the majority of CAs from misissuing certificates in the way that happened in January.
Website owners will be able to create a whitelist of the CAs that are allowed to issue certificates for their sites. If the number of whitelisted CAs drops from (say) 600 to just 3 (per website), that represents a great solution. Compared to the previous situation, the 'bullet' will now hit the target with 99.5% accuracy (and arguably, in practice, it will be 100%). Each website will have its own preferred CAs.
CT is a very effective tool for detecting misissued certificates, but it requires someone to actually search the CT logs. So CAA goes further, and it could be a very good solution.
There could be other consequences too. Imagine that a whole group of sensitive website owners fail to add a particular untrusted CA to their whitelist. That CA is then under pressure either to become trustworthy (and convince people that it is!) or to sign its own death warrant. It's not overly harsh - CAs need to be trustworthy.
CAA has the potential to form part of a really powerful system, so full credit to the CAs for voting this through. The same goes almost without saying for the browser suppliers. This change appears to be a really good improvement for internet security!
A link for some further detail:
CAA relies on the Domain Name System for its lookups, and DNS is not secure, which is why I used the word 'potential' earlier. However, mandating CAA now creates another reason why DNSSEC should be rolled out, which would in turn let CAA be relied upon securely.
(CAA is the acronym for Certificate Authority Authorisation. It limits the authority of CAs and is one of the initiatives that derived from CAs' efforts to regulate themselves, through their 'Baseline Requirements'.)
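To make the whitelist idea and the DNS dependency concrete, here is an added example (not code from the original post) of the decision a CA has to make before issuing: look up the CAA records for the requested name, climbing towards the root if the name itself has none, and only issue if the CA's own identifier appears in the relevant records. The zone data, domain names and CA identifiers below are all constructed for illustration; the in-memory `ZONE` dictionary stands in for a DNSSEC-validated lookup, which is exactly the part the post says is missing when plain DNS is used.

```python
"""Evaluate a CAA policy the way an issuing CA must (RFC 6844 / RFC 8659 rules).

Added example with constructed data; no real DNS is queried. The ZONE table
stands in for DNSSEC-validated DNS answers. CNAME following is omitted.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ISSUER_CRITICAL = 128  # bit 7 of the flags byte


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0 or ISSUER_CRITICAL
    tag: str     # "issue", "issuewild", "iodef", or something newer
    value: str   # e.g. "good-ca.example", "good-ca.example; account=42", or ";"


# Constructed zone data: DNS name -> CAA RRset at that name.
ZONE: Dict[str, List[CAARecord]] = {
    # Only good-ca.example may issue; nobody may issue wildcard certs.
    "example.com": [
        CAARecord(0, "issue", "good-ca.example"),
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    # Empty issuer list: no CA at all may issue for this name.
    "locked.example.net": [CAARecord(0, "issue", ";")],
    # A critical tag the CA does not understand: it must refuse to issue.
    "strict.example.org": [CAARecord(ISSUER_CRITICAL, "futuretag", "x")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def lookup_caa(name: str) -> Optional[List[CAARecord]]:
    """Return the CAA RRset of the closest name at or above `name`, or None."""
    labels = name.lower().lstrip("*.").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return None


def issuer_of(value: str) -> str:
    """Issuer domain of an issue/issuewild value; '' means 'no issuer'."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(fqdn: str, ca_domain: str) -> bool:
    """Decide whether the CA identified by `ca_domain` may issue for `fqdn`."""
    rrset = lookup_caa(fqdn)
    if rrset is None:
        return True  # no CAA anywhere in the chain: CAA imposes no restriction

    # Critical flag on a tag we do not understand: refuse issuance outright.
    if any(r.flags & ISSUER_CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False

    # Wildcard requests use issuewild if present, otherwise fall back to issue.
    tag = "issue"
    if fqdn.startswith("*.") and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"

    relevant = [r for r in rrset if r.tag.lower() == tag]
    if not relevant:
        return True  # e.g. only iodef records: nothing restricts issuance

    # An empty issuer (";") never matches, so it forbids every CA.
    return any(issuer_of(r.value) == ca_domain.lower() for r in relevant)


if __name__ == "__main__":
    for name, ca in [("www.example.com", "good-ca.example"),
                     ("www.example.com", "rogue-ca.example"),
                     ("*.example.com", "good-ca.example"),
                     ("locked.example.net", "good-ca.example"),
                     ("nocaa.example.io", "anyone.example")]:
        print(f"{ca:18} -> {name:20} allowed={issuance_allowed(name, ca)}")
```

The tree climb in `lookup_caa` is what gives a site owner a single place to publish their whitelist: records at `example.com` govern every hostname beneath it that has no CAA records of its own. The `ZONE` dictionary is the weak point in real deployments; without DNSSEC a CA fetching these records over plain DNS could be fed a forged answer, which is the post's reason for wanting the two rolled out together.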