Digital certificates are an important component of authentication and secure transmission of data over the Internet. A valid digital certificate helps ensure that only trusted users and devices are allowed to connect to an organization’s networks, and it helps confirm the authenticity of a website to a web browser. When the machine identity management process is effective and robust, presenting a valid certificate confirms to Internet users that the web address they entered in their browser can be trusted. But if you have unknown or unmanaged certificates in your network, it may be difficult for you to track who’s using these “rogue” certificates and for what purpose.
Background: how digital certificates authenticate individuals and devices
The certificate that you are probably most familiar with is the Transport Layer Security (TLS)/Secure Sockets Layer (SSL) certificate. When you connect to the website of your favorite retailer, you are likely confident that you are browsing a secure website, because companies engaged in ecommerce must install a certificate on their web server to demonstrate that customer personal data, company data and financial transactions are secure. A quick check for the Hypertext Transfer Protocol Secure (HTTPS) designation at the start of the ecommerce website’s address confirms that communication with that web address is secure.
Certificates are trusted credentials for authentication. Authentication is the process of establishing that someone or something is who or what it purports to be. It answers the question of whether John is truly John or whether www.Gooogle.com is truly Google’s website. The process of authentication establishes trust. Certificates authenticate users, devices or websites. But where does the certificate come from? Hopefully, from a trusted source.
Valid certificates are issued by Certificate Authorities (CAs), which are trusted, authorized entities that create, sign, issue, and revoke public key certificates. When a CA issues a certificate, it signs it with its private key. The certificate can be trusted as long as that signature chains back to a trusted root: either the certificate was signed by the root directly, or it was signed by an intermediate CA whose own certificate was signed by a trusted root. As discussed below, however, certain events may compromise this chain of trust.
As it relates to certificates that were signed by a trusted root, vendors of operating systems and browsers maintain a trust store, which is a collection of root certificates that are trusted by default. Each vendor has its own standards and requirements for root certificates. In general, each of them requires an issuing CA to undergo one or more audits to prove their trustworthiness, validity and conformance with the CA/B Forum Baseline Requirements before their root certificate is included. As robust as this process is, cybercriminals have still found ways to circumvent it and misuse those high levels of trust.
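To make the chain of trust and the trust store concrete, here is an added Go example (not code from the original post or from Venafi) that builds a hypothetical root CA, intermediate CA and server certificate for the assumed hostname www.example.com with the standard library, then verifies the leaf the way a browser would: against a trust store containing the root, against a trust store from which that root has been removed (what happens when a vendor or an organization distrusts a CA), and against the wrong hostname. The CA names, serial numbers and hierarchy are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a constructed three-tier hierarchy: root CA -> intermediate CA -> server leaf.
type pki struct {
	root, intermediate, leaf *x509.Certificate
}

// issue signs template with the parent's key; when parentCert is nil the
// certificate is self-signed (a root). It returns the certificate and its key.
func issue(template, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parentCert == nil {
		parentCert, signer = template, key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate builds a CA certificate template; only CAs may sign other certificates.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// buildPKI creates the hierarchy for the hypothetical host www.example.com.
func buildPKI() (*pki, error) {
	root, rootKey, err := issue(caTemplate("Example Root CA", 1), nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(caTemplate("Example Intermediate CA", 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"}, // hostname checks use the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &pki{root: root, intermediate: inter, leaf: leaf}, nil
}

// verifyLeaf does what a browser does: build a chain from the leaf, through the
// supplied intermediate, to a root in trustStore, and match the hostname.
// trustStore stands in for the vendor trust store. An empty store must be an
// empty pool, never a nil one: a nil Roots makes Go fall back to system roots.
func verifyLeaf(p *pki, trustStore []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	inters.AddCert(p.intermediate)
	_, err := p.leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	p, err := buildPKI()
	if err != nil {
		panic(err)
	}
	trusted := []*x509.Certificate{p.root}
	fmt.Println("root in trust store:      ", verifyLeaf(p, trusted, "www.example.com"))
	fmt.Println("root removed (distrusted):", verifyLeaf(p, nil, "www.example.com"))
	fmt.Println("wrong hostname:           ", verifyLeaf(p, trusted, "www.example.net"))
}
```

The first call returns nil because the leaf chains through the intermediate to a root in the store; the second fails with an unknown-authority error even though the certificate itself is unchanged, which is exactly the effect of removing a CA from a trust store; the third fails on the hostname check because the SAN does not match. The intermediate is never trusted on its own, only through its signature by the root.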
What is a rogue certificate and how do attackers gain access to it?
A rogue certificate is a seemingly valid certificate, issued by a trusted CA, that has either been compromised or was issued to the wrong entity. These certificates are trusted by web browsers and users, but they are not trustworthy. For an attacker or bad actor, obtaining a rogue certificate is a huge win because it allows them to operate under a false identity as they gain access to networks and sensitive data.
Rogue certificates allow attackers to bypass traditional security controls because they’ve essentially gained access to the “holy grail” (i.e., the private key) that is necessary for digital certificates to effectively secure communications and data against unauthorized use. The following are ways in which a rogue certificate may be obtained and misused by an attacker or bad actor:
- Through impersonation of a user or website
- Through CA compromise due to a security incident involving the issuing CA’s system security
- Through registration authority (RA) compromise due to a failure to validate a certificate request before issuance
Earlier this year, Mimecast, the cloud email management software company, disclosed that a Mimecast-issued certificate provided to certain customers to authenticate Mimecast products to Microsoft 365 Exchange Web Services was compromised by a "sophisticated threat actor." To determine the cause of the compromise, the company engaged a third-party forensics expert to perform an investigation.
As early as 2013, and as recently as earlier this year, Camerfirma, a CA based in Spain, used sub-standard security and certificate management practices while issuing TLS certificates for clients, including Google. For example, in addition to documented incidents of improper certificate issuance, the company also failed to revoke certificates. Non-compliance and failure to follow industry best practices may result in a bad actor obtaining a rogue certificate.
How we can protect ourselves against rogue certificates
Visibility is key to protecting against rogue certificates. The following offer protection against bad actors who use rogue certificates:
- Using automated tools that provide real-time threat intelligence and alerts
- Submitting a record of SSL/TLS certificate issuance to Certificate Transparency logs
- Using a certificate management platform to keep pace with operational needs (e.g., mass certification revocation/replacement), industry best practice and compliance requirements
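As an added example of the visibility these controls give a defender (not code from the original post or from Venafi), the following Go program models the reconciliation a Certificate Transparency monitor performs: every logged certificate that names one of the organization’s domains is compared with the organization’s own issuance inventory and its list of approved CAs, and anything unknown becomes a finding. The ctEntry records, fingerprints, issuer names and domains are constructed sample data; a real monitor would populate them from a CT log feed and from the certificate management platform.

```go
package main

import (
	"fmt"
	"strings"
)

// ctEntry is the subset of fields a Certificate Transparency monitor reports
// for each logged certificate. All values below are constructed for this example.
type ctEntry struct {
	Fingerprint string   // SHA-256 of the DER certificate (placeholder strings here)
	Issuer      string   // issuing CA's name
	DNSNames    []string // subject alternative names
}

// finding is one alert produced by the review.
type finding struct {
	Fingerprint, Issuer, Reason string
}

// monitor holds what the organization knows about its own certificates.
type monitor struct {
	domains   []string        // domains the organization owns
	issuers   map[string]bool // CAs approved to issue for those domains
	inventory map[string]bool // fingerprints issued through the managed process
}

// inScope reports whether a SAN (possibly a wildcard) falls under a monitored domain.
func inScope(name string, domains []string) bool {
	name = strings.ToLower(strings.TrimPrefix(name, "*."))
	for _, d := range domains {
		d = strings.ToLower(d)
		if name == d || strings.HasSuffix(name, "."+d) {
			return true
		}
	}
	return false
}

// review compares CT log entries against the inventory and the approved issuers.
// An entry for an unrelated domain is ignored and a known fingerprint is fine;
// anything else is either issuance by an unapproved CA or issuance by an approved
// CA that bypassed the managed process, and both deserve investigation.
func (m monitor) review(entries []ctEntry) []finding {
	var out []finding
	for _, e := range entries {
		relevant := false
		for _, n := range e.DNSNames {
			if inScope(n, m.domains) {
				relevant = true
				break
			}
		}
		if !relevant || m.inventory[e.Fingerprint] {
			continue
		}
		reason := "issued by an approved CA but absent from the certificate inventory"
		if !m.issuers[e.Issuer] {
			reason = "issued by a CA not approved for this organization"
		}
		out = append(out, finding{e.Fingerprint, e.Issuer, reason})
	}
	return out
}

// sampleMonitor and sampleEntries are constructed data standing in for a real
// inventory and a real CT log feed.
func sampleMonitor() monitor {
	return monitor{
		domains:   []string{"example.com"},
		issuers:   map[string]bool{"Approved CA": true},
		inventory: map[string]bool{"fp-known-0001": true},
	}
}

func sampleEntries() []ctEntry {
	return []ctEntry{
		{"fp-known-0001", "Approved CA", []string{"www.example.com", "example.com"}},
		{"fp-rogue-0002", "Some Other CA", []string{"*.example.com"}},
		{"fp-shadow-0003", "Approved CA", []string{"test.dev.example.com"}},
		{"fp-other-0004", "Some Other CA", []string{"www.example.net"}},
	}
}

func main() {
	for _, f := range sampleMonitor().review(sampleEntries()) {
		fmt.Printf("ALERT %s (issuer %q): %s\n", f.Fingerprint, f.Issuer, f.Reason)
	}
}
```

Run as written, the program raises two findings: the wildcard certificate from a CA the organization never engaged, and the certificate from the approved CA that nobody recorded in the inventory. The first is the rogue-certificate case the post describes; the second is the more common operational gap, a certificate requested outside the managed process, and it only becomes visible because issuance is recorded in CT and reconciled against an inventory.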
Act proactively, avoid harm
Visibility into your entire digital certificate landscape is necessary to protect against rogue certificates, manage certificates effectively and guard against all the associated risks. The earlier an organization can detect a threat, the sooner it will be able to mitigate the risk. Prevent certificate compromises through effective monitoring and detection tools, by securing certificates and keys against bad actors searching for certificate management vulnerabilities, and by automating certificate management processes to mitigate the risks associated with human error. Lastly, when an organization learns that the CA it has engaged to issue its certificates does so in a manner that creates risk for its customers, the organization should discontinue using that CA’s certificates and remove the CA’s root from its trust store. This will support efforts to maintain public trust and avoid potential reputational harm.
The Venafi TLS Protect solution can help you discover how many keys and certificates you have across environments to find out how strong they are and where they are installed. Then you can automate replacement, monitor who’s using your machine identities and exactly what they are doing.