It’s Time to Change How We Think About SSL/TLS

Written by

Logjam reminds us of the new reality we face in needing to continuously monitor and manage our SSL/TLS deployment. While many may wish it weren’t so, it’s critical that we pay more attention to digital certificates and secure server configuration and apply updates immediately.

Recent reports show that a large number of Fortune 2000 companies still have not taken every step to remediate Heartbleed threats to their servers.

We’ve seen a rising tide of hacks in recent years, occurring in part because most businesses have no clue how to smartly manage their certificate landscape. With Google’s Certificate Transparency (CT) and new tools to continuously monitor certificate deployment, we can do better. There’s no reason not to know about vulnerable deployments and fix them. It’s time to stem the tide.

As a big first step, the security industry needs to push for stronger authentication across the board. Widespread adoption of CT can help with this, especially by applying it to domain-validation (DV) certificates, which offer little to no value in asserting the true identity of the operator of an HTTPS-enabled site, and are a tool for online fraudsters. Better yet, organizations should push for OV or EV certificates to give end-users certainty of their online identity.

Beyond CT, common mismanagement of digital certificates persists at companies of any size, but the risks are higher at enterprise firms that deploy thousands of secure servers that exchange information over the web. Likewise, companies deploying IoT solutions often struggle to manage certificates across millions of devices. Digital certificates, of course, act as a diploma of sorts that ensures you are who you say you are online.

As I’ve worked both within large enterprise firms and also for a certificate authority, I’ve seen a certain scenario play out repeatedly at big companies.

If 10,000 people work at a company, it’s highly unlikely that there’s one single person responsible for making sure all the certificates are properly deployed, configured and up to date. The result is that no one really knows what certificates are up to date, and what security holes are being created. Companies may be creating security holes, and they don’t even realize it.

Research proves just how confusing all of this can be. According to the Ponemon Institute’s 2015 Cost of Failed Trust Report, 54% of organizations admit to not knowing where all their keys and digital certificates are located – which means security leaders don’t know how certificates are being used or who issued them. 

In my experience, a lot of the people handling the issuance and renewal of certificates either don’t understand or don’t take the time to bother with the risks of poorly deployed SSL/TLS. They’re more concerned with keeping existing systems operational than outside threats.

I’ve worked with enterprise companies that have thousands of websites for their different brands, and they need certificates for everyone. Then acquisitions can occur, and that complicates the management of certificates even further.

The chaos that can surround the management of certificates at big companies creates other problems that make them vulnerable to attacks.

For this example, let’s use a fictitious bank named Bank of Bob. Huge amounts of attackers target companies such as banks to try to issue certificates either in their name, or on domains close to theirs – think of something like, with a zero instead of ‘o’.

"IT security needs to have a malicious mindset and understand that people are out there trying to imitate their company"

Sophisticated phishers set up those fake sites to steal credit card numbers. New solutions offering continuous certificate monitoring may help alert companies to ongoing schemes before it’s too late.

These sorts of scenarios make it obvious: Companies need to start thinking like the bad guys, because a lot of those bad guys are targeting certificate management lapses or weak policies as a way to steal information. And keep this in mind: Companies that handle large amounts of financial information are focused on security 24/7. But that’s not most companies.

At companies of every size and scope, IT security needs to have a malicious mindset and understand that people are out there trying to imitate their company and reap the benefits. 

To combat that reality, it’s critical to closely monitor digital certificates. The good news is that CT and other continuous, largely automated certificate monitoring technologies are now available. In an era where full encryption of the web is becoming closer to reality, certificate monitoring has become a must-have risk mitigation practice.

In the end, what’s most important is that companies and IT pros start paying more attention to digital certificates. It’s one clear-cut way to make the internet more secure, and we can do something about it now.

About the Author

DigiCert chief security officer Jason Sabin brings a malicious mindset to helping protect organizational data, having started out hacking at an early age before turning his attention to white hat security. Sabin holds more than 50 patents in identity authentication and cloud security and has developed products used by most of the Fortune 500 today.

What’s hot on Infosecurity Magazine?