Yesterday, researchers affiliated with Google Chrome dropped a bombshell report on Symantec’s certificate practices. The report claims that the Symantec certificate authority (CA) mis-issued thousands of transport layer security (TLS) certificates. And as a result, Chrome will no longer trust current Symantec certificates. Symantec has already responded to Google’s claims, stating the report is “exaggerated and misleading.”
As the back and forth between Symantec and Google becomes more heated, organizations caught in the middle may face complicated consequences. However, this debate represents just the latest chapter in the already long drama of certificate management.
According to Kevin Bocek, chief security strategist for Venafi: “This is a giant wake-up call for every business. Most organizations don’t have the agility required to be able to move, add or change certificates, keys or CAs in response to external issues like this one. The best possible outcome is that businesses will realize they are going to have to figure out how to deal with these issues. The alternative is to be victimized by these events.”
Back in 2012, Paul Turner, Venafi’s CTO of server products, issued a step-by-step guide on how to develop an effective response plan for CA security incidents and compromises. Turner’s report was issued in conjunction with the National Institute of Standards and Technology’s Information Technology Laboratory. Although this guide is nearly five years old, it still offers excellent direction on how to face current certificate disputes, including the issues brought up in Google and Symantec’s debate.
As Turner writes: “Because organizations so broadly rely upon TLS and SSL to secure systems and data, a CA compromise may require the replacement of end entity certificates, trusted root certificates, or both on hundreds or thousands of systems. To ensure that they can respond in a timely manner, organizations must take preparatory steps and establish well-defined response plans for CA security incidents.”
First and foremost, Turner recommends that organizations review and identify all the applications and servers that rely on certificates for security. In addition, note which of these systems have end entity certificates of their own and which accept public key certificates from other users or servers. For many applications and servers, these conditions are not mutually exclusive; a system may do both. However, many systems may require a different baseline of security practices depending on their setup.
If a certificate compromise occurs, Turner recommends organizations take the following steps:
- Ensure that certificates issued to the organization’s systems or users from the compromised CA are revoked.
- Notify all owners of the affected certificates about the CA compromise and establish a point of contact or helpdesk for responding to questions and providing guidance and instructions.
- Replace all certificates from the compromised CA with new certificates from a different CA.
- Ensure that all relying parties have the certificate trust chains required to validate certificates from the new CA.
- Ensure that revocation checking is enabled on all relying party systems.
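As an added illustration (not code from Venafi or from Turner's guide), the following Python script applies the inventory step and the five response steps above to a constructed certificate inventory. The hosts, owners, serials and CA names are made up; the "chain" field stands in for the issuer names an inventory tool would record for each certificate.

```python
from collections import defaultdict

# Constructed inventory standing in for an export from a certificate inventory tool.
# "chain" lists the issuing CA names from the leaf's issuer up to the root;
# "accepts_peer_certs" marks relying parties (systems that validate others' certificates).
INVENTORY = [
    {"host": "www.example.test", "owner": "web-team", "serial": "0A1B",
     "chain": ["Example Distrusted CA Intermediate G3", "Example Distrusted CA Root"],
     "accepts_peer_certs": False},
    {"host": "api.example.test", "owner": "platform", "serial": "0C2D",
     "chain": ["Other CA Intermediate", "Other CA Root"],
     "accepts_peer_certs": True},
    {"host": "vpn.example.test", "owner": "netops", "serial": "0E3F",
     "chain": ["Example Distrusted CA Intermediate G2", "Example Distrusted CA Root"],
     "accepts_peer_certs": True},
    {"host": "mail.example.test", "owner": "web-team", "serial": "1041",
     "chain": ["Example Distrusted CA Root"],
     "accepts_peer_certs": False},
]

def issued_under(row, distrusted_ca):
    """True if any CA in the certificate's chain belongs to the distrusted CA."""
    return any(distrusted_ca.lower() in ca.lower() for ca in row["chain"])

def affected_certificates(inventory, distrusted_ca):
    """Certificates to revoke and replace (steps 1 and 3 of the plan)."""
    return [row for row in inventory if issued_under(row, distrusted_ca)]

def notifications(inventory, distrusted_ca):
    """Owners to notify, with the hosts and serials each is responsible for (step 2)."""
    by_owner = defaultdict(list)
    for row in affected_certificates(inventory, distrusted_ca):
        by_owner[row["owner"]].append((row["host"], row["serial"]))
    return dict(by_owner)

def relying_parties(inventory):
    """Systems that validate peers' certificates: they need the replacement CA's
    trust chain installed and revocation checking enabled (steps 4 and 5), even
    when their own certificate did not come from the distrusted CA."""
    return [row["host"] for row in inventory if row["accepts_peer_certs"]]

def response_plan(inventory, distrusted_ca, replacement_ca):
    """Per-system work list for the CA compromise response."""
    plan = [{"host": r["host"], "action": "revoke_and_replace", "serial": r["serial"],
             "new_ca": replacement_ca} for r in affected_certificates(inventory, distrusted_ca)]
    plan += [{"host": h, "action": "install_chain_and_enable_revocation_checking",
              "new_ca": replacement_ca} for h in relying_parties(inventory)]
    return plan
```

Running `response_plan(INVENTORY, "Example Distrusted CA", "Replacement CA")` yields three revoke-and-replace items and two relying-party items; note that vpn.example.test appears in both lists, since it both holds an affected certificate and validates others' certificates.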
Bottom line: every organization must be prepared to automate widespread key and certificate management, and they need this ability sooner rather than later. “The number of interconnected machines on networks is growing at a furious pace, which means the use of keys and certificates is increasing at the same rate,” continues Bocek. “Yet, most businesses don’t have any automation in place to help them manage these critical security assets.”