As we approach SHA-1 deprecation deadlines, we’re going to start seeing more stories about the industry’s lack of preparedness. Occasionally, we expect to see examples of crazy workarounds that attempt to compensate for incomplete migrations.
Enter the Chinese Certificate Authority WoSign, which allegedly issued a number back-dated SHA-1 certificates among other questionable practices. This in itself is troubling. But the cold, hard reality is that this CA may not be the only one to do so.
The big players don’t want to have any part of these shenanigans. Last week Mozilla warned about back-dated SHA-1 intermediate certificates from WoSign. Apple quickly followed suit with even stronger actions. The company plans to block trust for the WoSign’s intermediate CA in an upcoming security update.
Venafi Chief Security Strategist, Kevin Bocek applauds the preemptive strikes taken by Apple and Mozilla. “WoSign and StartCom, their secretly acquired subsidiary, are undermining the global system of trust that runs e-commerce and allows us to safely run downloaded software on our computers and apps for our tablets and phones.”
Despite the obvious implications, the impulse to try to circumvent the deprecated algorithm is understandable. Many organizations are finding it challenging to fully migrate to SHA-1 or higher. First, they lack visibility into their inventory of keys and certificates. And relying on any one CA for tracking only gives them a limited snapshot, especially if that CA isn’t entirely transparent.
How can businesses stay secure in the face of CAs with questionable issuance practices? Certificate transparency is a great start. Uniform standards applied by all browser makers would take the effort even further. But ultimately, organizations need to be proactive and take control of their own keys and certificates.
According to Bocek, “This is a reminder to businesses everywhere why it’s important to have centralized, automated certificate management systems. Without these there is no way to blacklist and eliminate untrusted CAs to protect their network, users and customers."