Since Netscape introduced SSL in 1994, digital certificates have grown along with the Web itself. Through trial and error, innovation, and adjustment, SSL/TLS certificates have been refined again and again to meet increasingly rigorous security requirements.
The reduction of maximum certificate validity to 398 days (CA/Browser Forum Ballot SC31, in force since September 2020) and the browsers' removal of the green address bar for Extended Validation certificates are just two of the recent changes the CA/Browser Forum and the browser vendors have made to stay ahead of threats and make web encryption more predictable. In the world of Certificate Authorities, change is the only constant.
The Organizational Unit (OU) field is not something you would directly associate with certificate security, especially since it has been part of the ordering process from the very beginning. But the OU field's time is coming to an end: under CA/Browser Forum Ballot SC47v2, publicly trusted TLS certificates issued from 1 September 2022 onward must not contain it, so CAs will stop accepting it by the end of August 2022. So, what is the reason for removing a seemingly benign field? To get the full picture, let's look at what the OU field was originally for.
The Organizational Unit field – a brief overview
Every time you order an SSL certificate, you generate a Certificate Signing Request (CSR) whose subject fields the CA then validates. The CSR includes details about your company, its country, and the domain name you want to secure. Among the fields you can complete is the Organizational Unit field. You can enter virtually any text you want in it, and that is precisely what makes it vague and misleading.
In the X.500 naming model the OU field was meant to identify a department or division within the organization named in the O field. In practice, CAs treated it as free-form text where companies could put whatever they found useful about the certificate and how it was meant to be used. A common practice is to include reference data for billing so that the finance department knows who bought the certificate.
If you followed this practice, you would write something like "IT" or "Security" in the OU field. But very little stops you from entering anything else, from country names to cartoon characters: CAs were expected to screen the field for obviously misleading content, but they had no way to verify that the named unit actually exists. If your company is headquartered in the US but an international branch manages the certificates, you could write something like "France" or "overseas." And here is where the ambiguity of the OU field may confuse users.
Let's say that one of your company's clients is Delta Air Lines. If you were to include that name in the OU field, some users would think that the certificate belongs to Delta Air Lines rather than to your organization. While this may seem an extreme example, the optional, unverified nature of the OU field makes it prone to confusion and misinterpretation, which is unacceptable in modern cybersecurity.
Potential security loopholes
Browsers now treat HTTPS as the default, so certificates are a requirement for all types of websites. Companies deploy hundreds of certificates to meet their security needs, but not everyone follows certificate management best practices. According to a Detectify Labs report, there are dangers in the deployment of these certificates that "can lead to company data being exposed or compromised by malicious actors."
Detectify has analyzed over 900 million SSL certificates and emphasized the major risks associated with SSL. In the context of the OU field, the following conclusion is relevant:
“The analysts found that an overwhelming majority of newly certified domains had been given descriptive names. This may sound harmless but can actually be a business information risk.”
Publicly trusted CAs submit every certificate they issue to Certificate Transparency logs, so every subject field becomes publicly searchable the moment the certificate exists. If a certificate is issued for a product still in development, competitors may learn about it early enough to undermine a new company or product before it reaches the market. And even if you choose random strings over descriptive product names, a stray bit of information in the OU field submitted during ordering could give away some of your secrets in the same way.
Time to say goodbye
With cyber threats increasing by the day, CAs and browsers keep tightening the rules that govern SSL/TLS certificates. As old concepts and fields become obsolete, a "less is more" approach is an efficient way to eliminate confusion and remove loopholes an attacker could exploit.
Back in the late nineties and early noughties, only a handful of CAs were on the market, and far fewer companies requested certificates. Browsers could vet each of the few root CAs individually, which gave reasonable confidence that each CA was doing everything as securely as possible. As the number of CAs and certificates grew, that kind of case-by-case scrutiny became impractical, and the ecosystem moved to uniform, auditable rules such as the CA/Browser Forum Baseline Requirements.
The problem with the OU field is that a CA must verify, and then assert, the identity of the certificate subject in the certificate's subject name. The OU field names a smaller part of that organization, a department or division, and CAs have no consistent method to verify that such a unit exists or that the text entered describes it accurately. A field the CA cannot verify adds nothing to the identity assurance the certificate is supposed to provide, while still looking authoritative to relying parties.
Life after the OU field removal
So, how will the OU field removal affect companies? Here’s all you need to know about the upcoming change:
- To comply with the CA/Browser Forum Baseline Requirements (Ballot SC47v2), certificate authorities will stop including the Organizational Unit (OU) field in all publicly trusted TLS server certificates issued on or after 1 September 2022, so ordering forms and CSR processing will drop it by the end of August 2022.
- This change does not affect previously issued certificates: an existing certificate with an OU field stays valid until it expires, but the field will be absent when the certificate is renewed or reissued. Anything that matches on the OU value (firewall or mTLS rules, inventory scripts, monitoring) should be migrated to the O, CN or Subject Alternative Name values before that renewal.
- It does not affect privately trusted (internal PKI) certificates or non-TLS certificate types such as S/MIME or code signing certificates, which are governed by other requirements.
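The CSR fields described earlier and the three points above suggest a concrete check before the next renewal cycle: which of your certificates still carry an OU, and which of those were issued after the sunset date (a sign of a privately trusted certificate, or of a mis-issuance worth reporting). The following script is an added example and is not code from the original article or from any CA. It operates on the subject structure that Python's standard-library ssl.SSLSocket.getpeercert() returns, so the same functions can be run against live hosts; the sample certificates embedded below are constructed for illustration and are not real certificates.

```python
"""Audit TLS certificate subjects for the deprecated OU field.

Added example, not code from the original article. The sample certificates
are constructed; fetch_peer_cert() shows how to obtain the same structure
from a live server with the standard library only.
"""
import socket
import ssl
from datetime import datetime, timezone

# CA/Browser Forum Ballot SC47v2: publicly trusted TLS server certificates
# must not carry organizationalUnitName from 1 September 2022 onward.
OU_SUNSET = datetime(2022, 9, 1, tzinfo=timezone.utc)


def fetch_peer_cert(host, port=443, timeout=5):
    """Return getpeercert() for a live host (not used by the offline sample)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def subject_fields(cert):
    """Flatten getpeercert()'s subject (a tuple of RDNs) into {attr: [values]}."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            fields.setdefault(attr, []).append(value)
    return fields


def audit_ou(cert):
    """Classify one certificate by its use of the OU field.

    status:
      "clean"          no OU present, nothing to do
      "legacy"         OU present, issued before the sunset: valid until
                       notAfter, but the OU disappears on renewal, so anything
                       matching on it must move to O, CN or SAN values
      "non_compliant"  OU present in a certificate issued on/after the sunset:
                       either privately trusted (the rule does not apply) or a
                       mis-issuance by a public CA; review either way
    """
    fields = subject_fields(cert)
    ous = fields.get("organizationalUnitName", [])
    # getpeercert() renders dates as "Mar  1 00:00:00 2022 GMT"; the stdlib
    # helper parses exactly that format.
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if not ous:
        status = "clean"
    elif not_before < OU_SUNSET:
        status = "legacy"
    else:
        status = "non_compliant"
    return {
        "cn": fields.get("commonName", [""])[0],
        "o": fields.get("organizationName", [""])[0],
        "ou": ous,  # unverified free text: always review by eye
        "not_before": not_before.date().isoformat(),
        "status": status,
    }


def summarize(certs):
    """Count certificates per status, the view you want before a renewal cycle."""
    counts = {}
    for cert in certs:
        status = audit_ou(cert)["status"]
        counts[status] = counts.get(status, 0) + 1
    return counts


def _subject(*pairs):
    """Build a getpeercert()-style subject: one single-attribute RDN per pair."""
    return tuple(((attr, value),) for attr, value in pairs)


# Constructed sample inventory (hypothetical hosts, not real certificates).
SAMPLE_CERTS = [
    {   # legacy: OU used as a billing reference, issued before the sunset
        "subject": _subject(("countryName", "US"), ("organizationName", "Example Corp"),
                            ("organizationalUnitName", "IT"), ("commonName", "www.example.com")),
        "notBefore": "Mar  1 00:00:00 2022 GMT", "notAfter": "Mar  1 23:59:59 2023 GMT",
    },
    {   # legacy: the confusing case, a client's name placed in OU
        "subject": _subject(("countryName", "US"), ("organizationName", "Example Corp"),
                            ("organizationalUnitName", "Delta Air Lines"),
                            ("commonName", "portal.example.com")),
        "notBefore": "Jun 15 00:00:00 2022 GMT", "notAfter": "Jun 15 23:59:59 2023 GMT",
    },
    {   # clean: reissued after the sunset, OU dropped by the CA
        "subject": _subject(("countryName", "US"), ("organizationName", "Example Corp"),
                            ("commonName", "www.example.com")),
        "notBefore": "Sep  5 00:00:00 2022 GMT", "notAfter": "Sep  5 23:59:59 2023 GMT",
    },
    {   # non_compliant: OU still present after the sunset (internal CA, or mis-issued)
        "subject": _subject(("countryName", "US"), ("organizationName", "Example Corp"),
                            ("organizationalUnitName", "Security"),
                            ("commonName", "intranet.example.com")),
        "notBefore": "Oct  1 00:00:00 2022 GMT", "notAfter": "Oct  1 23:59:59 2023 GMT",
    },
]

if __name__ == "__main__":
    for cert in SAMPLE_CERTS:
        print(audit_ou(cert))
    print(summarize(SAMPLE_CERTS))
```

To run it against real infrastructure, replace SAMPLE_CERTS with the results of fetch_peer_cert() for each host in your inventory. Note that the "legacy" and "non_compliant" split is decided purely by the notBefore date, because that is what the CA/Browser Forum rule keys on; whether an OU value is misleading (the "Delta Air Lines" case) is exactly the judgement a CA could never automate, so the script surfaces the values and leaves that review to a human.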
Web technology is evolving at a blistering pace, and cyber threats are becoming more sophisticated along with it. When it comes to web encryption, the bodies that set the rules must be proactive and anticipate weaknesses in the systems they govern rather than react to them.
The Organizational Unit field was never a critical part of the ordering process, and because its contents cannot be verified, it adds confusion without adding assurance. Removing it is a straightforward way to avoid that confusion and to shorten validation, since there is one less field for the CA to screen.