Certificates, Registration and Crypto-agility
By: James Azar
Remember the days when Internet Explorer was the browser? It feels like a long time ago, and that’s because, in technology terms, it was.
In 2008 Google launched Chrome and it changed everything; for a start, the world wide web looked a hell of a lot better. Fast forward to 2019 and StatCounter reported that Chrome had a 59% market share, four times more than any of its rivals.
Now that Chrome is the dominant browser on the market, it is coming out with surprising changes that will obviously affect tens of thousands of online businesses and sites. Chrome recently announced that any certificate issued by Symantec’s Certificate Authority will no longer be trusted by the browser.
This is not unique to Symantec. In the last few years, there have been several certificate authorities under browser scrutiny. The issue with Symantec started in 2017 when a group of Google researchers found a series of issues with their certificates.
They found that “Symantec had entrusted several organizations with the ability to issue certificates without the appropriate or necessary oversight and had been aware of security deficiencies at these organizations for some time.” This led to the Chrome team losing all confidence in Symantec.
Another example of issues with certificates was discovered with WoSign back in 2015.
They allowed people to register certificates for websites that they had no legal ownership over. Having a certificate may sound like a mere extra precaution, but in the contemporary climate, having a disavowed certificate has a significant impact on the business.
When a company has a bad certificate, the browser can restrict access to the site, traffic is reduced and users can grow to mistrust the site. At the same time, these errors don’t seem anywhere near coming to an end. There are multiple certificate authorities and no clear way for browsers to check them individually.
So what’s the problem?
You might say: just keep a bunch of extra certificates handy in case one of them gets disavowed by Chrome or another browser. It’s actually not as easy as that. The security or webmaster team in most companies is usually very busy and does not have a quick response ready in the event of a faulty certificate. It may take days, if not weeks, to repair the issue, which proves to be quite a big headache.
What’s the solution?
Instead, the best option for any company is to have crypto-agility: the ability to quickly change certificates and respond to faulty ones. This is done through machine learning: you set up an AI system that constantly scans your websites for faulty certificates and automatically responds, replacing them with good ones.
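The scan the post describes, as an added example that is not the author's code: a rule-based check rather than a machine-learning system, using only Python's standard library, that classifies each host's certificate as fine, due for renewal, or needing replacement because its issuer is on a distrust list. The distrusted-issuer list, the renewal window and the sample inventory are constructed assumptions, and fetch_peer_cert() is the hypothetical hook for pulling real certificates from live hosts.

```python
import ssl
import socket
from datetime import datetime, timezone

# Hypothetical policy (assumption): issuer organisations browsers have stopped trusting,
# and how many days before expiry a certificate should already be renewed.
DISTRUSTED_ISSUER_ORGS = {"Symantec Corporation"}
RENEW_WITHIN_DAYS = 30

def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch a live host's leaf certificate in the dict form ssl.getpeercert() returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """Pull organizationName out of the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def assess(cert, now=None):
    """Classify one certificate as 'ok', 'renew' or 'replace', with a reason."""
    now = now or datetime.now(timezone.utc)
    org = issuer_org(cert)
    if org in DISTRUSTED_ISSUER_ORGS:
        return "replace", f"issuer {org!r} is distrusted by the browser policy"
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        return "replace", f"expired {-days_left} days ago"
    if days_left < RENEW_WITHIN_DAYS:
        return "renew", f"expires in {days_left} days"
    return "ok", f"issued by {org!r}, {days_left} days left"

def scan(inventory, now=None):
    """inventory maps hostname -> cert dict; returns hostname -> (action, reason)."""
    return {host: assess(cert, now) for host, cert in inventory.items()}

# Constructed sample inventory (not real certificates), shaped like getpeercert() output.
SAMPLE_INVENTORY = {
    "shop.example": {"issuer": ((("organizationName", "Symantec Corporation"),),), "notAfter": "Jan  1 00:00:00 2021 GMT"},
    "api.example": {"issuer": ((("organizationName", "Example CA Ltd"),),), "notAfter": "Jun 15 00:00:00 2019 GMT"},
    "www.example": {"issuer": ((("organizationName", "Example CA Ltd"),),), "notAfter": "Jun  1 00:00:00 2020 GMT"},
}
SCAN_DATE = datetime(2019, 6, 1, tzinfo=timezone.utc)  # fixed reference date for the sample
```

Calling scan(SAMPLE_INVENTORY, SCAN_DATE) flags shop.example for replacement and api.example for renewal; feeding in fetch_peer_cert() results instead of the sample turns it into a live inventory check.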
While 74% of IT security professionals believe that they can find and replace all certificates quickly, only 8% have an automated process in place. In reality, it’s not feasible to do this manually. In fact, another study by Venafi found that only 23% of IT professionals are confident in their ability to replace them.
That’s an interesting bunch of competing data, I guess; the jury is still out on IT professionals’ sense of self-esteem. Nevertheless, for all the tens of thousands of companies that don’t have enough IT resources, an automated system for tracking faulty certificates will go a long way.