Certificate revocation is important, if ill-understood, part of enterprise security. In this three-part blog series, I’ll explore why we need it, how you do it, and strategies for maximizing the benefits you get for it.
The use of digital certificates is growing exponentially. In particular, the move to a fully encrypted web is increasing the use of web server certificates. Google’s HTTPS transparency report shows their Chrome browser now handles around 70% of traffic over TLS with similar numbers reported by Mozilla’s Firefox. LetsEncrypt, the quickest growing and one of the largest Certificate Authorities on the web, create around 600,000 free certificates on their platform every single day.
Figure 1: Google Chrome HTTPS Usage
Digital certificates are essential to engendering trust between two otherwise anonymous parties. Certificates are used by our web browsers to ensure that the site we intended to visit really is the one we’ve actually arrived at. In addition to web server certificates, the widespread use of smart cards and the explosion of IoT devices means that certificates are increasingly being used to provide a strong notion of the user and device identity.
Certificates are often installed on to devices by Mobile Device Management (MDM) software or embedded in to smartcards for users to carry in their wallet. Smartcards, despite their small size, are credit card-sized computers that contain just enough computing power to perform a cryptographic operation such as encrypting a number.
Figure 2: Sample smart card with an embedded microcontroller
In order to use certificates for trust and authentication, there are two important security guarantees that they must provide before we accept them.
1. Is the certificate valid?
First and foremost, has the certificate been created by someone that we trust? Does it come signed by a mutually trusted certificate authority? Does the start and expiry dates appear to be valid? Does it match the name of the person or organization providing the certificate to us? Is all of this information consistent with the signed hash of the certificate so that we can be sure it hasn’t been tampered with?
2. Has it been revoked?
In addition to checking the validity, however, it’s also crucial to check whether that certificate has been revoked. If a user leaves an organization, or changes roles, we must revoke the certificate to prevent it from being used in the future. There may have been a vulnerability discovered in our smart cards, so we may need to revoke possibly thousands of cards at a time. In the worst-case scenario, it’s possible that our certificate authority (the third party entrusted to create certificates on our behalf) was compromised and attackers have created valid looking certificates which can be used in anything from phishing to malware campaigns.
When the Heartbleed SSL/TLS vulnerability was announced there was a huge increase in the number of certificates that were revoked since the exploit allowed attackers to potentially see the private key and decrypt all traffic (past, present and future) as a result.
As we can see, there are many situations in which blindly trusting a certificate because the name and date seem valid would be a Very Bad Thing.
When a new application is released, there will often be lots of security devices deployed in an attempt to provide defense in depth. We often see web app firewalls, intrusion detection systems, SIEM solutions, and yet, in the majority of environments, there are few attempts, if any, to check whether a given certificate has been revoked. To make matters worse, since digital certificates are believed to be an extremely strong method of authentication, there is often an over-inflated sense of trust in the cert that a user holds.
Checking the validity of a digital certificate is easy. The information in the cert is digitally signed so we can use cryptographic algorithms to mathematically verify its contents. Checking the revocation status of certs, however, is not so easy. And this is why I see, time and time again, new deployments that rely on the strong cryptographic assertions provided by digital certificates totally undermined by making no attempt to check for revocation.
In my next post, I will outline the specifics involved in revoking certificates.
Come see how Venafi and F5 are working together to simplify machine identity protection at F5 Agility 2018 in Boston, MA August 13-16. For more information on how F5 can help deliver secure authentication please visit f5.com