Earlier today, an Airbnb customer tweeted that an expired certificate was blocking access to the company’s website. It’s bad enough for an organization to lose business due to a completely avoidable cause. But it’s even worse when customers receive a warning that the site may not be secure because you’ve let a certificate expire. Unfortunately, this type of oversight is not an isolated incident. It happens to companies almost every day. But it doesn’t have to.
(UPDATE 1/23/17)
Over the weekend, Venafi Labs looked at the most prominent, externally facing Airbnb web properties. They were impressed by the overall strength of Airbnb’s cryptographic security posture.
This outage demonstrates that even a company with very good policies and processes may not have complete visibility into their keys and certificates. Even with the best management, websites can experience certificate-related outages.
Venafi director of product marketing Hari Nair noted, “This outage is another example of how organizations like Airbnb should have visibility into all of their digital certificate footprint, as browsers are enforcing best practices as part of certificate security controls. Venafi TrustNet continuously monitors the open web for expired certificates and weak cryptographic attributes and alerts customers on potential issues before they impact end-users.”
(Original blog)
Airbnb’s digital certificate – the system that allows machines and software to communicate with authentication and encryption – expired without anyone at Airbnb knowing. Apparently, like many other organizations, Airbnb didn’t have the visibility it needed to discover and replace aging certificates before they impacted business. In this case, the lack of visibility seems to have resulted in an outage. But untracked certificates can also create a situation where certificates are stolen and misused by cyber criminals.
Venafi VP of security strategy Kevin Bocek outlines the lasting impact of outages such as this. “Customers receive errors, which shakes their confidence and results in lost business, not just service outages. Airbnb, like all cloud providers from banks to airlines, is learning a painful lesson about the importance that digital certificates play in our everyday lives.”
What do businesses need to do to avoid the impacts of certificate-related outages? First and foremost, it is essential that they maintain complete visibility by discovering, tracking, and continuously monitoring all digital certificates. Many businesses have tried doing this with spreadsheets, vulnerability scanners, and CAs. Most have learned how easy it is to fail.
The answer is automation. With an automated solution, organizations have what it takes to discover and replace certificates in seconds across dozens of CAs, well before expiration. Bocek underscores the importance of automation in cases like this. “Airbnb is finding out that automated systems to manage and protect all keys and certificates are as important as mobile applications and customer experience.”
But the underlying message is that all organizations need to remain hypervigilant about their security posture. And securing keys and certificates plays a vital part in that overall security. “We live in a digital world that relies on physical, virtual and cloud machines to deliver critical services that govern everything from healthcare to hospitality,” concludes Bocek. “Nearly every business around the world is vulnerable to these kinds of problems and shouldn’t rest until this problem is solved.”
Do you know if any of your organization’s certificates are about to expire?