As businesses rely more and more on machines to meet their operational objectives, the need to validate the identities of these machines is becoming ever more critical. Most machine identities come in the form of SSL/TLS certificates, but there are other types, such as SSH keys and code signing keys.
As we introduce more TLS machine identities to support digital transformation, we need to answer some difficult questions. For example, does it still make sense to pay more for more secure Extended Validation (EV) or Organization Validated (OV) certificates? Or is it better to increase your use of less expensive or free Domain Validated (DV) certificates? And how will you measure the security of any of these types of certificates without an effective machine identity management program?
A quick background on EV and OV certificates
In the past, it made perfect sense to use EV certificates for areas where you needed to demonstrate the highest levels of security. And that may still be the case for many business functions. Case in point: EV certificates were credited with boosting confidence in online shopping. However, most consumers today use their mobile devices to make purchases online, and therefore, the value of EV certificates seems to have diminished—mobile browsers don't display EV indicators at all.
Many organizations in regulated industries, such as banking and healthcare, are willing to pay more for EV certificates. The key argument for this continued usage is that the expensive EV certificates are more secure than cheaper DV certificates—or even the free certificates offered by Certificate Authorities (CAs) such as Let’s Encrypt.
Another argument made for EV certificates was that their visible indicators (a green badge appearing on the left of the URL bar) would make visitors to these sites more careful in their online behavior. That was far from true. As security researcher Troy Hunt pointed out, the top 10 largest sites, including Google, YouTube, Twitter, and Facebook, don't use EV certificates, so many users aren't trained to look for the indicators that the certificates provide.
And then came the announcements of Google and Firefox, saying that they “remove Extended Validation (EV) indicators from the identity block (the left-hand side of the URL bar which is used to display security / privacy information).” Some announced the death of EV certificates. In fact, I went so far as to write that “it’s the end of the world as we know it” for EV certificates.
Are extended validation SSL certificates gone for good?
Are there new or different use cases for EV and OV certificates now that we’ve seen an explosion of certificates due to DevOps and digital transformation? Scott Carter, Head of Content Strategy at Venafi, has some interesting questions to reflect upon: “Is it worth investing in more secure certificates or just get better machine identity management? And do your consumers notice or care?”
The topic of purchasing EV or OV certificates remains quite controversial. CAs argue that EV or OV certificates have more value because the subject has been “validated,” but the reality is that these validation processes have been actively spoofed by attackers, potentially undermining their value.
Research sponsored by Venafi and undertaken by researchers at the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey uncovered thriving marketplaces for TLS certificates being sold individually and packaged with a wide range of crimeware. Together these services deliver machine-identities-as-a-service to cybercriminals who wish to spoof websites, eavesdrop on encrypted traffic, perform man-in-the-middle attacks, and steal sensitive data.
“TLS certificates that act as trusted machine identities are clearly a key part of cybercriminal toolkits—just like bots, ransomware and spyware. There is a lot more research to do in this area, but every organization should be concerned that the certificates used to establish and maintain trust and privacy on the internet are being weaponized and sold as commodities to cybercriminals,” said Kevin Bocek, vice president of security and threat intelligence for Venafi.
That being said, many larger companies still rely on EV and OV certificates. However, given the rapid increase in Let’s Encrypt certificates, there is clearly a large section of the market that sees the use cases for EV and OV diminishing. The flip side of the argument is that Let’s Encrypt certificates last only 90 days (primarily for security reasons), so you will need to invest in solutions that help you manage these short-lived certificates effectively.
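As an added example (not code from the original post or from Venafi), here is a small Go inventory check in the spirit of the management point above: it infers a certificate's validation level from its subject (DV carries no organizationName, OV adds it, EV additionally carries the businessCategory and jurisdictionCountryName attributes the CA/Browser Forum EV Guidelines require) and flags certificates with 30 or fewer days left, the renewal point Let's Encrypt recommends for its 90-day certificates. The sample certificates are self-signed and constructed inline; shop.example.com and Example Corp are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Subject attributes the CA/Browser Forum EV Guidelines require in every EV certificate.
var oidBusinessCategory, oidJurisdictionC = asn1.ObjectIdentifier{2, 5, 4, 15}, asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3}

// ValidationLevel infers DV/OV/EV from the subject alone (a heuristic; policy OIDs are authoritative).
func ValidationLevel(c *x509.Certificate) string {
	if len(c.Subject.Organization) == 0 {
		return "DV" // no organizationName: only domain control was validated
	}
	hasBC, hasJur := false, false
	for _, n := range c.Subject.Names {
		hasBC, hasJur = hasBC || n.Type.Equal(oidBusinessCategory), hasJur || n.Type.Equal(oidJurisdictionC)
	}
	if hasBC && hasJur {
		return "EV"
	}
	return "OV"
}

// DaysRemaining counts whole days to NotAfter; NeedsRenewal applies Let's Encrypt's 30-days-left renewal point.
func DaysRemaining(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}
func NeedsRenewal(c *x509.Certificate, now time.Time) bool { return DaysRemaining(c, now) <= 30 }

// MakeCert builds a self-signed sample certificate (constructed test data, not CA-issued) and re-parses it.
func MakeCert(subj pkix.Name, days int) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subj, DNSNames: []string{"shop.example.com"},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, days)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	ev := pkix.Name{Organization: []string{"Example Corp"}, ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidBusinessCategory, Value: "Private Organization"}, {Type: oidJurisdictionC, Value: "US"}}}
	for _, c := range []*x509.Certificate{MakeCert(pkix.Name{}, 90), MakeCert(ev, 20)} {
		fmt.Printf("%s: %d days left, renew now: %v\n", ValidationLevel(c), DaysRemaining(c, time.Now()), NeedsRenewal(c, time.Now()))
	}
}
```

Subject attributes are only a heuristic: the authoritative signal for EV is the certificate policy OID, which a production inventory should check as well.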
Whether you choose DV, EV or OV, machine identity management is critical
With the abundance of machines each organization relies on—ranging from distributed IoT devices to cloud workloads—it’s crucial that organizations effectively identify these machines and protect the confidentiality, integrity and authenticity of their communications. All digital certificates allow you to encrypt data in transit, authenticate connected devices and ensure the integrity of your data. But none of them are as effective as they could be without a robust machine identity management solution in place.
So, instead of spending your budget to purchase more expensive certificates, you may want to consider the value of investing in strong machine identity management solutions that enable robust management policies and practices. Machine identity management platforms, such as Venafi’s Trust Protection Platform, allow you to automate the entire certificate lifecycle management and dramatically reduce security risks. Machine identity management solutions give you the visibility, intelligence, and automation to protect machine identities throughout your organization.
If you wish to learn more about how Trust Protection Platform can help you, contact our experts. We will be glad to listen to your needs and concerns and find a solution to satisfy your business security requirements.