Most IT security professionals believe there will be a major Certificate Authority breach within the next 24 months, yet most are unprepared to respond to such a compromise, according to new Black Hat research from Venafi.
The digital cert security firm interviewed attendees at this year’s show in Las Vegas to compile its report: IT Security Professionals Know the Risk of Untrusted Certificates and Issuers, but Do Nothing.
It revealed that 90% think a leading CA will be breached in the next two years, in the manner of DigiNotar, yet 57% would be unprepared to deal promptly with it. Even worse, 30% either did not know what they would do or would continue using the same CA in such an event.
In fact, the study revealed a worrying lack of insight on the part of security professionals into the workings of the Certificate Authority industry.
A majority (63%) replied that they either don’t know, or believe incorrectly that a CA secures certificates and cryptographic keys – when in fact they merely issue and revoke keys and don’t monitor their use in the wild, Venafi said.
This lack of understanding is reflected in the fact that three-quarters (74%) of respondents have still taken no action to remove Chinese CA CNNIC from their desktops, laptops and mobile devices, despite the authority having been officially deemed untrustworthy by Google and Mozilla.
This is also despite the fact that many security pros understand the risks of an untrustworthy CA – with 58% of respondents claiming they were worried about the risk of MITM attacks from rogue certificate authorities.
Google decided back in April that the CNNIC root and EV CAs “will no longer be recognized in Google products” after an intermediate CA approved by the Chinese giant issued fake Google certs for several domains inside its test network.