Despite earlier warnings from Google, Symantec appears to have once again issued improperly validated Transport Layer Security (TLS) certificates. On Thursday, security researcher Andrew Ayer uncovered 108 certificates that violated the industry's Baseline Requirements for publicly trusted CAs, all of them issued by Symantec-owned certificate authorities (CAs). Revoking them quickly is not enough. As Ars Technica reports, browsers do not reliably check revocation status, so an improperly issued certificate can still be accepted until the browser vendors add it to their own blocklists. That process does not happen in real time, and it is certainly not automatic.
This latest Symantec incident is a reminder to reconsider how much trust we actually place in CAs. Every bad certificate erodes digital trust, and the consequences of undermining that trust will grow as we rely ever more heavily on encryption. Venafi VP of security strategy Kevin Bocek looks ahead to that troubling future: “We’ve seen a number of CAs, including WoSign and GlobalSign, making errors over the past year, and we should expect to see this trend continue.”
So, what do we do about it? Waiting for an independent researcher to stumble across a poorly issued certificate is not a plan. To remain a trusted organization, you have to take matters into your own hands: keep tight control of your encryption assets, define your own terms of trust, and enforce them. No one else can do this for you.
According to Bocek, “The troubling trend of breaches and errors at CAs should serve as a wakeup call for all businesses: to protect themselves and their customers, every organization needs to be able to quickly detect unauthorized certificates issued by any CA and remove or replace them.”
The faster you can mitigate a CA error, the lower the risk. But speed is worthless if you have nowhere to move: unless you already hold an established, trusted relationship with more than one CA, you cannot re-issue elsewhere when your primary CA fails you. Bocek advises, “It’s also crucial for businesses to have a plan that does not leave them at the mercy of any one CA. They need to be agile enough to remove, change or add a CA at a moment’s notice, and the only way to accomplish this is with automation.”
As Bocek notes, there is another component of speed: reaction time. Locating the affected certificates, revoking them, requesting replacements, then installing and validating the new ones is a lengthy process. Done by hand across a large estate, it quickly becomes overwhelming; automated, the same process can be both fast and accurate.
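The detection step that Bocek calls for above, finding certificates for your names that were issued by a CA you never authorized, is the part that can be shown in code. The following Go program is an added example written for this article; it is not Venafi's or Symantec's code, and the "inventory" it audits is a constructed fixture (three certificates minted in memory) standing in for certificates gathered from your hosts or from Certificate Transparency logs. The security-relevant design choice is that authorization is decided by verifying each certificate's signature against the approved CA certificates (x509.Certificate.CheckSignatureFrom), not by comparing issuer names: a look-alike CA can copy an approved CA's distinguished name, but cannot produce a signature that the approved CA's public key verifies. The CA names and hostnames are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is the audit result for one certificate in the inventory.
type Finding struct {
	Subject       string // leaf CommonName
	IssuerCN      string // the issuer the certificate *claims*
	Authorized    bool   // an approved CA key actually signed it
	NameMatchOnly bool   // issuer DN looks approved, but no approved key signed it
}

// AuditInventory classifies every inventoried certificate against the set of
// approved CA certificates. A certificate is authorized only if one approved
// CA verifies its signature; an issuer-name match alone is recorded as a
// look-alike, which is exactly the case a name-based check would miss.
func AuditInventory(inventory, approved []*x509.Certificate) []Finding {
	findings := make([]Finding, 0, len(inventory))
	for _, c := range inventory {
		f := Finding{Subject: c.Subject.CommonName, IssuerCN: c.Issuer.CommonName}
		for _, ca := range approved {
			if c.CheckSignatureFrom(ca) == nil {
				f.Authorized = true
				break
			}
			if ca.Subject.String() == c.Issuer.String() {
				f.NameMatchOnly = true
			}
		}
		if f.Authorized {
			f.NameMatchOnly = false
		}
		findings = append(findings, f)
	}
	return findings
}

// --- constructed fixtures standing in for a real certificate inventory ---

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustParse(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// newCA makes a self-signed CA. Reusing a CN with a fresh key simulates a
// look-alike issuer.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issue has ca sign a server certificate for dnsName.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, serial int64) *x509.Certificate {
	leafKey := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustParse(x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey))
}

// Demo builds the scenario: the one CA we approved, a rogue CA carrying the
// same name, and an unrelated public CA, each having issued a certificate
// for a hostname we own (all names are assumptions for the example).
func Demo() []Finding {
	approvedCA, approvedKey := newCA("Approved Issuing CA")
	rogueCA, rogueKey := newCA("Approved Issuing CA") // same DN, different key
	otherCA, otherKey := newCA("Other Public CA")      // legitimate CA we never authorized
	inventory := []*x509.Certificate{
		issue(approvedCA, approvedKey, "www.example.com", 1001),
		issue(rogueCA, rogueKey, "login.example.com", 1002),
		issue(otherCA, otherKey, "api.example.com", 1003),
	}
	return AuditInventory(inventory, []*x509.Certificate{approvedCA})
}

func main() {
	for _, f := range Demo() {
		fmt.Printf("%-18s issuer=%-22q authorized=%-5t lookalike=%t\n", f.Subject, f.IssuerCN, f.Authorized, f.NameMatchOnly)
	}
}
```

Run as-is and only www.example.com comes back authorized; login.example.com is flagged as a look-alike (its issuer name matches but its signature does not), and api.example.com is flagged because no approved CA signed it. Every unauthorized finding is a candidate for the revoke-and-replace workflow described above, and because the approved set is just a list of CA certificates, adding or dropping a CA is a one-line change to that list.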
CAs supply the raw material for trust, but it is up to you to manage and control that trust in the way that best defends your organization; left unmanaged, it breaks. “Businesses that are unprepared to detect and respond to CA errors threaten the integrity of encrypted and authenticated Internet traffic,” concludes Bocek.
How quickly can you detect and replace risky certificates across your organization?