Expired Digital Certificates: A Management Challenge
Hacks on certificate authorities like DigiNotar and Comodo draw headlines, but there's a bigger threat lurking right in your company.
January 13, 2012
Much has been made of the security compromises at digital certificate authorities (CAs) such as DigiNotar and Comodo, leading some industry experts to question the validity of certificates in general.
But a research report by Gartner identifies a more widespread risk to businesses and other enterprises: certificates that expire because the organization does a poor job of keeping track of them. An expired certificate leads to blocked access to a server, website, or other program, which, if it's an internal service, means headaches and downtime, and if it's an external-facing service, can tarnish an organization's reputation.
"Trust is the linchpin for everything we do in our digital world," said Eric Ouellet, a Gartner analyst and co-author of the report "X.509 Certificate Management: Avoiding Downtime and Brand Damage." X.509 is the industry standard format for digital certificates, which he likened to a passport or a state-issued driver's license.
Certificates lapse because an organization has so many of them and administrators often have to check a spreadsheet manually to identify each one, determine its expiration date, and renew it before it expires. The report says tracking certificates can become unwieldy once an organization has 200 or more of them.
Certificates can be difficult to track if someone creates a certificate and doesn't tell anybody about it, Ouellet said. An example may be a developer who creates a test certificate while writing an application and leaves it there when the app is deployed. In other situations, the developer, the business unit using the app, a system integrator, or an IT security person each engage in finger-pointing with the others over who's responsible for the certificate.
"You need to track these certificates, especially the external-facing ones, because what happens is that if you don't keep track ... they can expire without you being aware of it," Ouellet said.
Manual spreadsheet tracking can also fail if the CA isn't identified, he added. This particular problem has affected users of the DigiNotar CA in the Netherlands. In 2011, 531 stolen DigiNotar certificates endangered popular Internet sites such as Google, Facebook, Twitter, and Skype, as well as government intelligence services such as the CIA (United States), MI6 (Great Britain), and Mossad (Israel).
The result is that DigiNotar went out of business and every certificate it ever issued was instantly invalidated, Ouellet said. Furthermore, all of the leading Web browsers, such as Internet Explorer, Google Chrome, and Firefox, were modified to block DigiNotar certificates. He said it was the equivalent of someone's name being placed on the FBI's No Fly List.
The CA Comodo was also breached in 2011, but that breach was more contained than DigiNotar's, he said, so Comodo certificates are still valid.
But if an organization doesn't track the CA issuing its certificates, it may have invalid DigiNotar certificates and not realize it.
There are automated certificate management systems to discover certificates on a network, identify who issued them, determine their validity, and, in some cases, automatically renew them.
The Gartner report identifies the Venafi Director Series, the Trustwave Certificate Lifecycle Manager, and the Verisign Certificate Intelligence Center as examples. However, while the Venafi and Trustwave offerings manage certificates regardless of the CA that provided them, Verisign's service only manages certificates issued by Verisign, whose certificate business was acquired by Symantec in 2010.
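As an added illustration of what the discovery-and-inventory step above amounts to (this is not code from the article, from Gartner, or from any of the products named), here is a small Go program using only the standard library. It takes the certificates a scan would hand back, records who issued each one and how many days of validity remain, and flags, in order of severity, certificates from an issuer the organization no longer trusts, certificates that have already expired, and certificates inside a renewal warning window. The CA names, hostnames, serial numbers, the fixed "today" of 13 January 2012 and the 30-day warning threshold are all constructed for the example; "Distrusted Example CA" stands in for an issuer whose certificates an organization has decided to stop trusting, the situation the article describes for DigiNotar.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Finding struct {
	Subject, Issuer, Status string // Status: untrusted-ca, expired, expiring or ok
	DaysLeft                int    // negative once the certificate has lapsed
}

// AuditCertificates parses the DER certificates a discovery scan collected and applies
// the rules in order of severity: distrusted issuer, expired, expiring within warnDays.
func AuditCertificates(ders [][]byte, now time.Time, warnDays int, untrusted map[string]bool) ([]Finding, error) {
	var out []Finding
	for _, der := range ders {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err // a blob that does not even parse deserves a ticket of its own
		}
		f := Finding{Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName,
			DaysLeft: int(c.NotAfter.Sub(now).Hours() / 24)}
		switch {
		case untrusted[f.Issuer]:
			f.Status = "untrusted-ca"
		case now.After(c.NotAfter):
			f.Status = "expired"
		case f.DaysLeft <= warnDays:
			f.Status = "expiring"
		default:
			f.Status = "ok"
		}
		out = append(out, f)
	}
	return out, nil
}

var SampleNow = time.Date(2012, 1, 13, 0, 0, 0, 0, time.UTC) // fixed "today" for the constructed sample

func must[T any](v T, err error) T { // fixture helper only; AuditCertificates returns errors
	if err != nil {
		panic(err)
	}
	return v
}

// mint signs tmpl under a fresh P-256 key (self-signed when parent is nil) and parses the result.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildSampleInventory issues four constructed leaf certificates from two constructed CAs.
func BuildSampleInventory() [][]byte {
	caCert, caKey := map[string]*x509.Certificate{}, map[string]*ecdsa.PrivateKey{}
	for i, cn := range []string{"Example Root CA", "Distrusted Example CA"} {
		caCert[cn], caKey[cn] = mint(&x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)),
			Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign, NotBefore: SampleNow.AddDate(-1, 0, 0),
			NotAfter: SampleNow.AddDate(5, 0, 0)}, nil, nil)
	}
	leaves := []struct{ issuer, cn string; days int }{
		{"Example Root CA", "intranet.example.internal", -3}, // already lapsed
		{"Example Root CA", "www.example.com", 10},           // renew now
		{"Example Root CA", "mail.example.com", 200},         // healthy
		{"Distrusted Example CA", "shop.example.com", 100},   // issuer no longer trusted
	}
	var ders [][]byte
	for i, l := range leaves {
		expires := SampleNow.Add(time.Duration(l.days) * 24 * time.Hour)
		c, _ := mint(&x509.Certificate{SerialNumber: big.NewInt(int64(i + 10)),
			Subject: pkix.Name{CommonName: l.cn}, NotBefore: expires.AddDate(-1, 0, 0),
			NotAfter: expires, KeyUsage: x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, caCert[l.issuer], caKey[l.issuer])
		ders = append(ders, c.Raw)
	}
	return ders
}

func main() {
	findings, err := AuditCertificates(BuildSampleInventory(), SampleNow, 30, map[string]bool{"Distrusted Example CA": true})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s %5d days  %-26s issued by %s\n", f.Status, f.DaysLeft, f.Subject, f.Issuer)
	}
}
```

Running it prints one line per certificate: the lapsed intranet certificate, the public web certificate due for renewal, the healthy mail certificate, and the shop certificate flagged solely because of who issued it. The issuer check runs before the expiry check on purpose: a certificate from a CA whose issuance can no longer be trusted is a problem regardless of how much validity it has left, which is exactly the case the article makes for tracking the issuing CA and not just the expiry date. In a real deployment the `BuildSampleInventory` fixture would be replaced by whatever the discovery tool collects, and the distrusted-issuer list by the organization's own decisions and browser vendors' revocations.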