Following the launch of Chrome 70, any certificate issued by Symantec’s Certificate Authority (CA) before December 1st, 2017 is no longer trusted by the browser. Alongside this, Mozilla is expected to distrust these certificates in its next update, having delayed the change in October 2018. As a result, any website still relying on a Symantec certificate will display a banner telling visitors that the site is insecure, or in some instances will be rendered totally inaccessible.
This is by no means unique to Symantec. Over the past few years, a number of CAs have come under scrutiny, and browsers are taking an increasingly stern stance when best practice is not adhered to. This security activism should be applauded, but it is also creating challenges for businesses that are being forced to identify, revoke and replace critical certificates at short notice. So how can businesses keep pace with these changes and remain agile?
The root of the issue
To really understand this problem, we must first take a look at what SSL/TLS certificates are and how they are being used. These certificates are used to authenticate and enable machine-to-machine communications; essentially, they verify that a certain website is what it says it is, by providing an identity which proves it can be trusted. These certificates – or rather, machine identities – are issued via Certificate Authorities; CAs issue millions of identities every year. A CA will issue a certificate to say that the company is genuine, it has secured its web connection, and that a customer should be able to trust that website. Without certificates that secure machine identities, machine-to-machine communication fails.
In the case of Symantec, problems began in 2017 when a team of Google researchers observed a series of issues. In a statement, Google commented that “Symantec had entrusted several organisations with the ability to issue certificates without the appropriate or necessary oversight and had been aware of security deficiencies at these organisations for some time.” This in turn, “caused the Chrome team to lose confidence in the trustworthiness of Symantec’s infrastructure, and as a result, the certificates that have been or will be issued from it.” The first phase of the Symantec distrust began in April 2018.
We have previously witnessed several misdemeanours by other CAs that have led to similar outcomes. One key example was in 2015 when it was discovered users could obtain WoSign certificates for domains they did not administer; these all then needed to be urgently replaced. Continuing to use certificates once they are invalid can have a significant impact on a business, as browsers will often restrict site access, meaning traffic will be reduced and it will ultimately impact business revenue, reputation and customer experience.
Too many moving parts to handle
Looking to the future, there is no sign that these CA errors will stop. There will always be problems with CAs, or certificates themselves, meaning that companies need to ensure they are in control of their machine identities to remain secure and prevent any revenue loss. However, due to the perceived difficulty of not only managing, but also locating and replacing all impacted machine identities, there will always be sites that don’t migrate in time when changes are required.
Many organisations don’t even have an inventory of machine identities, but they will have certificates from dozens of different CAs. Therefore, the process of replacing those issued from one CA can cause major disruptions in day-to-day activities, and some identities can be easily missed, especially when managed manually.
However, this problem is clearly one already on many IT security professionals’ radar, as a Venafi study found 81% of respondents are concerned about future incidents involving CAs. Yet, only 23% said they were confident in their ability to quickly find and replace all their impacted certificates.
Furthermore, while 74% believe they can find and replace all certificates affected by a CA compromise quickly, shockingly only eight per cent have an automated process in place. In reality, given the sheer volume of certificates each organisation holds, it is impossible to respond quickly to any future CA error if a business is managing machine identities manually.
Crypto-agility to the rescue
This is why organisations need crypto-agility, i.e. the ability to manage machine identities in real time. Crypto-agility enables businesses to quickly identify and replace certificates in bulk when security events or business needs call for it. Currently, many organisations take days or even weeks to find and replace certificates, which is not conducive to ensuring security. By automating the process, the same job can be completed at the click of a button.
Crypto-agility has never been more important to ensure businesses can confidently protect themselves and their customers from hackers. This is why organisations must invest in a credible technology to automate the tracking of certificates; it is no longer feasible to do this manually, because there are simply too many certificates to track.
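As an added example (not Venafi's code or anything from the original article), here is how the "find every certificate affected by the Symantec distrust" step behind the inventory and crypto-agility points above could be scripted in Go: it walks a DER certificate inventory and flags entries whose issuer carries a legacy Symantec brand name and whose validity starts before the 1 December 2017 cutoff. The brand list, matching on issuer name text rather than pinning root keys, and the constructed sample certificates minted under throwaway keys are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Cutoff from the article: Symantec certificates dated before 1 December 2017 are distrusted by Chrome 70.
var symantecCutoff = time.Date(2017, 12, 1, 0, 0, 0, 0, time.UTC)

// Legacy Symantec brands. Matching on issuer name text is an assumption made for
// this example; a production check would pin the distrusted root keys instead.
var legacyBrands = []string{"Symantec", "VeriSign", "Thawte", "GeoTrust", "RapidSSL"}

// FlagDistrusted walks a DER certificate inventory and returns the subject CNs that
// must be replaced. An unparseable entry is an error, not a silent skip: a broken
// inventory is exactly what leaves certificates behind during a migration.
func FlagDistrusted(inventory [][]byte) ([]string, error) {
	var hits []string
	for _, der := range inventory {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		for _, brand := range legacyBrands {
			if strings.Contains(c.Issuer.String(), brand) && c.NotBefore.Before(symantecCutoff) {
				hits = append(hits, c.Subject.CommonName)
				break
			}
		}
	}
	return hits, nil
}

// SampleCert mints a constructed test certificate under a throwaway key; the issuer
// name is taken from a parent template so the check can be exercised offline.
func SampleCert(subject, issuerOrg string, notBefore time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	parent := &x509.Certificate{Subject: pkix.Name{Organization: []string{issuerOrg}}}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: subject},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(1, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	return der
}
```

Feed FlagDistrusted the DER blobs from your own certificate store and the returned names are the ones to schedule for replacement; a certificate issued under a Symantec brand after the cutoff is deliberately left out, as the article's rule only covers earlier ones.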
A future-proof solution
Google’s decision to distrust Symantec certificates doesn’t need to be the end of the world. If companies are able to manage all their machine identities centrally and automate the process, it will enable crypto-agility and ensure they can migrate quickly when a flaw or vulnerability is discovered. By doing so, companies can insulate themselves against the volatility of the CA market, protect their reputation and ensure business continuity for online services.
Written by Scott Carter, Senior Manager – US, Venafi