Scott Carter, Senior Manager, USA, at Venafi, discusses the loss of confidence in Symantec’s certificate authority and how this points to a broader problem in the industry, as a number of CAs have come under scrutiny in recent years.
Since the launch of Chrome 70, the browser no longer trusts any certificate issued by the Symantec Certificate Authority (CA) before 1 December 2017. In addition, after a delay in October 2018, Mozilla is expected to distrust these certificates in its next update. As a result, any website that still relies on a Symantec certificate now shows visitors a warning that the site is insecure, and in some cases the site becomes entirely inaccessible.
This is not limited to Symantec. In recent years a number of CAs have been scrutinised, and browsers are taking an increasingly firm stance when best practices are not followed. This security activism should be welcomed, but it also creates challenges for companies that must identify, revoke and replace critical certificates at short notice. So how can companies keep pace and remain agile?
The root of the problem
To understand this problem, we first have to look at what SSL/TLS certificates are and how they are used. These certificates authenticate and enable machine-to-machine communication; in essence, they verify that a website is what it claims to be by providing an identity that shows it can be trusted. These certificates, or rather machine identities, are issued by certificate authorities. A CA issues a certificate stating that the company is genuine, that it has secured its web connection and that a customer can trust the website. Without certificates that establish machine identities, machine-to-machine communication fails.
Problems with Symantec began in 2017, when a team of Google researchers noticed a number of issues. In a statement, Google commented that “Symantec had entrusted several organizations with the ability to issue certificates without adequate or necessary supervision and had been aware of security deficiencies in these organizations for some time.” This, in turn, “caused the Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure and, consequently, the certificates.”
Other CAs have had similar failings with similar results. One key example came in 2015, when it was discovered that users could obtain WoSign certificates for domains they did not administer; all of those certificates had to be replaced urgently. Continuing to use certificates once they are no longer valid can have a major impact on a company, as browsers often restrict access to the site, reducing traffic and ultimately affecting revenue, reputation and customer experience.
Should their certificate authority be changed?
Why is agility so important for security teams when changing certificate authorities? There are too many moving parts to deal with, and looking ahead, there is no sign that these CA failures will stop. There will always be problems with CAs or with the certificates themselves, which means that companies must make sure they control their machine identities so that they remain secure and avoid any loss of revenue. However, because of the perceived difficulty not only of managing but also of locating and replacing all affected machine identities, there are always sites that fail to migrate in time when changes are necessary.
Many organizations do not even have a machine identity inventory, yet they hold certificates from dozens of CAs. Replacing the certificates issued by a single CA can therefore cause major disruption to daily operations, and some identities are easily missed, especially when they are managed manually.
This problem is clearly already on the radar of many IT security professionals: a Venafi study found that 81 percent of respondents were concerned about future CA incidents. However, only 23 percent said they were confident that they could quickly find and replace all their certificates.
In addition, while 74 percent believe that they can quickly find and replace all certificates affected by a CA incident, only 8 percent have an automated process in place. Given the sheer volume of certificates in each organization, it is impossible to respond quickly to future CA failures if a company manages its machine identities manually.
Crypto-agility: the ability to manage machine identities in real time
Crypto-agility allows companies to quickly identify and replace certificates in large quantities when security events or business needs require it. At present, it takes many organizations days or even weeks to find and replace certificates that no longer guarantee security. By automating the process, the same work can be done at the click of a button.
Crypto-agility has never been more important in ensuring that companies can protect themselves and their customers against hackers with confidence. This is why organizations must invest in credible technology to automate certificate tracking; it can no longer be done manually, as there are simply too many certificates to track. Companies focus too much on protecting usernames and passwords and not enough on machine identities.
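The inventory problem described above (finding every certificate a distrust decision affects, and doing it fast enough) can be checked mechanically. The following Python script is an added example and is not code from the article or from Venafi. It applies the Chrome 70 rule as the article states it (issuer Symantec, validity start before 1 December 2017) to a constructed inventory, and also flags certificates that have already expired. The host names, dates, the “Example Other CA” issuer and the `AS_OF` reference date are made up for the demo; `fetch_peer_cert` is included to pull a live record in the same shape but is not used by the demo.

```python
"""Audit a certificate inventory against a CA distrust rule.

Added example, not code from the article or from Venafi. It evaluates the
rule the article states for Chrome 70: a certificate issued by the Symantec
CA whose validity began before 1 December 2017 is no longer trusted. Records
use the dict shape returned by ssl.SSLSocket.getpeercert(), so the same check
runs on certificates fetched live and on a stored inventory.
"""
import socket
import ssl
from datetime import datetime, timezone

# Cutoff from the article: Chrome 70 distrusts Symantec-issued certificates
# whose validity began before 1 December 2017.
DISTRUST_CUTOFF = datetime(2017, 12, 1, tzinfo=timezone.utc)

# The article names only Symantec. Symantec also operated the GeoTrust,
# Thawte and RapidSSL brands, which fell under the same distrust; that is
# general knowledge rather than something the article states, so extend this
# set to match the issuers in your own inventory.
DISTRUSTED_ISSUER_ORGS = {"Symantec Corporation"}

# Constructed reference date for the demo (shortly after Chrome 70 shipped).
AS_OF = datetime(2018, 11, 1, tzinfo=timezone.utc)


def issuer_org(cert):
    """Return the issuer's organizationName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return None


def cert_datetime(field):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' strings used by getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(field), tz=timezone.utc)


def classify(cert, now, cutoff=DISTRUST_CUTOFF, issuers=DISTRUSTED_ISSUER_ORGS):
    """Return (status, reason); 'replace' means the certificate must go now."""
    org = issuer_org(cert)
    issued = cert_datetime(cert["notBefore"])
    expires = cert_datetime(cert["notAfter"])
    if expires <= now:
        return "replace", f"expired on {expires:%Y-%m-%d}"
    if org in issuers and issued < cutoff:
        return "replace", (f"issued by {org} on {issued:%Y-%m-%d}, "
                           f"before the {cutoff:%Y-%m-%d} distrust cutoff")
    return "ok", f"issuer {org!r}, issued {issued:%Y-%m-%d}"


def audit(inventory, now=None, **rule):
    """Classify every (host, cert) pair; certificates to replace sort first."""
    now = now or datetime.now(timezone.utc)
    report = []
    for host, cert in inventory:
        status, reason = classify(cert, now, **rule)
        report.append({"host": host, "status": status, "reason": reason})
    report.sort(key=lambda r: (r["status"] != "replace", r["host"]))
    return report


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch a live certificate in the same dict shape (needs network access).

    The default context validates the chain, so a handshake failure here
    already tells you that the local trust store rejects the certificate.
    """
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _cert(org, not_before, not_after):
    """Build a constructed getpeercert()-style record for the sample data."""
    return {
        "issuer": ((("organizationName", org),),
                   (("commonName", f"{org} Intermediate (constructed)"),)),
        "notBefore": not_before,
        "notAfter": not_after,
    }


# Constructed sample inventory; host names and dates are made up for the demo.
SAMPLE_INVENTORY = [
    ("legacy.example.test",
     _cert("Symantec Corporation", "Mar 10 00:00:00 2017 GMT", "Mar 10 23:59:59 2019 GMT")),
    ("cutoff-edge.example.test",
     _cert("Symantec Corporation", "Nov 30 23:59:59 2017 GMT", "Nov 30 23:59:59 2019 GMT")),
    ("reissued.example.test",
     _cert("Symantec Corporation", "Jan 15 00:00:00 2018 GMT", "Jan 15 23:59:59 2020 GMT")),
    ("other-ca.example.test",
     _cert("Example Other CA", "Feb 01 00:00:00 2018 GMT", "Feb 01 23:59:59 2020 GMT")),
    ("expired.example.test",
     _cert("Example Other CA", "Jun 01 00:00:00 2017 GMT", "Jun 01 23:59:59 2018 GMT")),
]


def demo_report():
    """Run the audit over the constructed inventory as of the demo date."""
    return audit(SAMPLE_INVENTORY, now=AS_OF)


if __name__ == "__main__":
    for row in demo_report():
        print(f"{row['status']:8} {row['host']:26} {row['reason']}")
```

Running the script prints the “replace” rows first. Against a real estate the inventory would come from scanning endpoints with `fetch_peer_cert` or from exported CA records rather than the constructed list, and the issuer set should cover every brand the distrusted CA operated. A handshake that fails with a certificate verification error is itself a finding: it means the local trust store already rejects that chain, which is exactly what visitors on Chrome 70 will see.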
Google’s decision to distrust Symantec certificates need not be the end of the world. If companies manage all their machine identities centrally and automate the process, crypto-agility is enabled and they can migrate quickly whenever a defect or vulnerability is detected. In doing so, companies can insulate themselves from the volatility of the CA market, protect their reputation and ensure business continuity for their online services.