Site operators need to be more aware of which CAs they're using
How? I've got no way to judge the security / responsibility of any CA. The amount of money that they charge may have no relation to their behaviour. I don't think anyone has claimed that the CAs who issued wrong certs were charging less than their competitors. You can't blame the CA customers for this.
One sign is that if Symantec has issued rogue certificates, and Google publishes the problem, then it's time to leave.
Of course, the CA would then be incentivized to publish their procedures and show how they intend to fix the breach, which shouldn't have happened in the first place, to regain customers' trust. Or go bankrupt. Let me tell you, they wouldn't let their employees make mistakes.
Customers who stay, in the situation where it is discovered that Symantec has issued another rogue cert, which causes Mozilla to completely revoke Symantec, can later sue Symantec for harming their business by not applying their public procedures. And that's how the economy gets rid of bad actors. The rule is much tougher for cloud machine providers (EC2 and DO): should they lose one customer's data, everyone would leave them and they would go bankrupt; that's why they don't.
In parallel, losing a CA doesn't harm the customers very much, even for amazon.com. They can buy a new certificate in a matter of hours. bzbarsky even says it's commonplace to have the certificates signed by 2 CAs.
Absolutely agree. Pulling the rug is a powerful incentive both for the customers and the CAs. Customers will have to consider the likelihood the CA will be revoked due to poor security practices, CAs will have to show that they're not rubbish.
That's a chicken-and-egg problem, but it would be solved when there's suddenly a lot of site operators with a vested interest in knowing which CAs are likely to fail and which aren't. Right now there's not a ton of interest. CAs are basically selling a fungible, commodity product, so you just buy from the cheapest ones. Searching for "best SSL certificates" thus gets you a lot of articles reviewing CAs, but largely on the basis of stuff like price and ease of issuance. Because that's what people care about.
There would be a slew of reviews of CAs, judging their perceived odds of vanishing in a puff of paperwork, if there was an interest in issuer stability. CAs themselves could probably offer value-added features like guarantees backed by outside parties (i.e. an insurance product) that would pay costs associated with certificate reissuance in the event of malfeasance or incompetence on the part of the CA.
The market would provide, but there has to be demand. Right now there's no demand, because the consequences of getting a cert from a crap issuer have, historically, been approximately zero.
Very often, marketing material and the language used for it is a good indicator of whether a particular service knows their stuff, or if they appear to peddle fluff... :)
How CAs respond to issues on these mailing lists and in bugzilla is also pretty telling.
In this particular case, there have been concerns raised for several days. An extra vigilant web site operator who sees these discussions might perhaps come to the conclusion that it would be wise to evaluate switching CAs today, perhaps.
We're all doomed then! Aside from LetsEncrypt, most CA web pages are full of marketing fluff :)
I've just been reading through the mailing list discussion, and from that I agree with you completely, WoSign looks pretty incompetent in their responses. If I had a WoSign certificate, I'd definitely be looking around to get an alternative now. However, that's a bit late for 'people power' to force CAs to act better.
You could say the same about your bank - even though you don't really know how they invest your deposit money, you try and gain an intuition based on other factors (stock price, professionalism, reputation, prestige, etc). Not saying these factors -> a good analysis of the creditworthiness of a financial institution but you get the idea.