Amazon Web Services has launched the AWS Certificate Manager, designed to protect and manage the private keys used with SSL/TLS certificates.
SSL, and its successor TLS, are industry-standard protocols for encrypting network communications and establishing the identity of websites over the Internet. SSL/TLS provides encryption for sensitive data in transit and authentication using SSL/TLS certificates to establish the identity of a site and secure connections between browsers and applications and the site.
But obtaining such certificates usually requires a time-consuming manual process to purchase, upload and renew them. AWS Certificate Manager offers a point-and-click process instead, with no need to generate a key pair or certificate signing request (CSR), submit the CSR to a Certificate Authority, or upload and install the certificate once it is received. Once the certificate is approved, AWS Certificate Manager takes care of deploying it and handles all certificate renewals. The certificates provisioned through the manager are also free, Amazon said.
AWS Certificate Manager also is integrated with other AWS services, so users can provision an SSL/TLS certificate and deploy it with an Elastic Load Balancer or Amazon CloudFront distribution.
While AWS Certificate Manager is a step in the right direction for a wholly encrypted web, some security experts warn not to lean too heavily on it.
“With the launch of Let's Encrypt, we anticipated others would follow in the same footsteps to offer free digital certificates,” Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told Infosecurity. “That's why it's not surprising to see Amazon Web Services (AWS) recently launch their own free digital certificate offering.”
Bocek warned that enterprises do need to realize the risk of utilizing free certificates.
“Cyber-criminals love to take advantage of [free certificates], as we saw recently with hackers using Let's Encrypt certs for malvertising attacks,” he said. “This is just another reason why how you protect keys and certificates is much more important than where you get them.”
He added, “With AWS apps like load balancing, not EC2, it can lock you into using just AWS since it keeps the private keys. Because of this, we caution enterprises about using AWS and any free certs if they are serious about protecting their own IP and their customers' data. While AWS certificates may be good for building quick apps, they cannot provide true enterprise-class security to the Global 5000. Mark my words: it's just a matter of time before we see cyber-criminals leveraging these free AWS certificates to hide in encrypted traffic, masking themselves to go unnoticed while they steal sensitive data.”
Bocek isn’t alone in questioning the service. High-Tech Bridge warns that admins should look at data encryption holistically.
“It's a great initiative, however one shouldn't forget that an SSL certificate is just a small part of SSL/TLS data encryption,” said Ilia Kolochenko, CEO at High-Tech Bridge, which offers a free SSL/TLS security checker. “Strong cipher suites, reliable protocols, the latest versions of software and correct configurations are also vitally important. Today many people associate SSL/TLS encryption only with HTTPS, but actually, there are far more protocols that rely on SSL data encryption. Usually people forget to test security and reliability of non-HTTPS services.”
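The holistic check Kolochenko describes, as an added example that is not from the article and not High-Tech Bridge's own checker: a small Python script (standard library only) that audits a list of TLS endpoints, including non-HTTPS services such as SMTP submission with STARTTLS and IMAPS, for the negotiated protocol version, cipher strength and days until the certificate expires, which is the renewal deadline the earlier paragraph says operators otherwise track by hand. The host names in SERVICES are constructed placeholders, and the policy thresholds (TLS 1.2 minimum, 128-bit ciphers, 30-day expiry warning) are assumptions to adjust to your own policy.

```python
import socket
import ssl
from datetime import datetime, timezone

# Services to audit as (hostname, port, STARTTLS protocol or None).
# Constructed placeholder hosts; replace with the services you operate.
SERVICES = [
    ("www.example.com", 443, None),       # HTTPS
    ("mail.example.com", 587, "smtp"),    # SMTP submission, upgraded via STARTTLS
    ("mail.example.com", 993, None),      # IMAPS, implicit TLS
]

# Policy thresholds (assumed values; tune to your own baseline).
MIN_TLS_VERSION = "TLSv1.2"
MIN_CIPHER_BITS = 128
EXPIRY_WARNING_DAYS = 30
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5")

_VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def _version_rank(version):
    """Order protocol names so they can be compared; unknown names rank lowest."""
    return _VERSION_ORDER.index(version) if version in _VERSION_ORDER else -1


def _starttls_smtp(sock):
    """Drive a minimal SMTP dialogue up to STARTTLS so the socket can be wrapped."""
    sock.recv(1024)                       # server greeting
    sock.sendall(b"EHLO tls-audit\r\n")
    sock.recv(4096)                       # EHLO capability list
    sock.sendall(b"STARTTLS\r\n")
    reply = sock.recv(1024)
    if not reply.startswith(b"220"):
        raise RuntimeError(f"STARTTLS refused: {reply!r}")


def probe(host, port, starttls=None, timeout=5.0):
    """Connect, negotiate TLS with chain validation, and return the facts we evaluate.
    Needs network access; a failed chain validation raises and is reported by audit()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if starttls == "smtp":
            _starttls_smtp(raw)
        elif starttls is not None:
            raise ValueError(f"unsupported STARTTLS protocol: {starttls}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            cipher_name, _proto, bits = tls.cipher()
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
            days_left = (not_after - datetime.now(timezone.utc).timestamp()) / 86400
            return {
                "service": f"{host}:{port}",
                "version": tls.version(),
                "cipher": cipher_name,
                "cipher_bits": bits,
                "days_to_expiry": days_left,
            }


def evaluate(result):
    """Pure policy check over a probe result; returns a list of findings (empty means OK)."""
    findings = []
    version = result["version"]
    if _version_rank(version) < _version_rank(MIN_TLS_VERSION):
        findings.append(f"protocol {version} below {MIN_TLS_VERSION}")
    if result["cipher_bits"] < MIN_CIPHER_BITS:
        findings.append(f"cipher {result['cipher']} offers only {result['cipher_bits']} bits")
    if any(marker in result["cipher"].upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"cipher {result['cipher']} uses a deprecated algorithm")
    if result["days_to_expiry"] < 0:
        findings.append("certificate has expired")
    elif result["days_to_expiry"] < EXPIRY_WARNING_DAYS:
        findings.append(f"certificate expires in {result['days_to_expiry']:.0f} days")
    return findings


def audit(services=SERVICES):
    """Probe every service and map it to its findings; handshake failures are findings too."""
    report = {}
    for host, port, starttls in services:
        try:
            result = probe(host, port, starttls)
            report[result["service"]] = evaluate(result)
        except (OSError, RuntimeError, ValueError, KeyError) as exc:
            report[f"{host}:{port}"] = [f"handshake or certificate check failed: {exc}"]
    return report


if __name__ == "__main__":
    for service, findings in audit().items():
        print(f"{service:<28} {'OK' if not findings else '; '.join(findings)}")
```

The split between probe() (network) and evaluate() (pure policy) is deliberate: the policy can be unit-tested and reviewed without touching production hosts, and the same evaluate() applies whether the endpoint is a web server, a mail server or any other TLS-speaking service.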