Bulletproof TLS Newsletter #45
Visa certificate authority in trouble
27 September 2018
Author: Hanno Böck

This issue was distributed to 47,012 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Visa certificate authority in trouble
  2. Short news

Visa certificate authority in trouble

The credit card company Visa operates a TLS certificate authority that is currently trusted by all major browsers. Visa doesn’t sell certificates to end users; the certificates are used for Visa’s own services and by some banks. Lately, questions have arisen about how the Visa CA is operated.

Mozilla’s Wayne Thayer started a discussion about this issue on the Mozilla policy list and created a Wiki page listing issues with the Visa CA. These issues include incomplete security audits (audits the Baseline Requirements mandate), multiple violations in which Visa issued certificates with substandard cryptography (SHA1, 1024-bit RSA keys), and malformed certificates. In many instances, Visa has not revoked the affected certificates in a timely manner.

No representative from Visa has participated in the discussion on the Mozilla policy list, which is unusual. Certificate authorities are expected to explain how they will solve issues and prevent them from happening in the future if such issues are raised.

Google developer Ryan Sleevi thinks Visa’s inaction should have consequences: “Given the past issues, the recently identified issues (that appear to have been longstanding), and the new issues that Visa's PKI Policy team is actively engaging in, I believe it would be appropriate and necessary to consider removing trust in this CA.”

Visa has not responded to our requests for comments.

Short news