Qualys is a sponsor of TechSpective
Organizations are stuck in the middle when it comes to digital certificates. Certificates are table stakes at this point—a business requirement because customers expect a website to be secure. However, proposed changes to the lifespan and expiration of SSL certificates could make effective management more challenging, and—at the same time—use of legitimate certificates by attackers to make malicious websites seem credible undermines the trust people place in them.
Can You Trust the Padlock?
Look at the address bar at the top of your browser right now. Do you see the locked padlock next to the TechSpective URL? You should. That lets you know that your connection with this website is secure and encrypted. It tells you that the website is safe and that you can trust it. Or does it?
It does indicate that the website has a certificate and that the connection with that website is encrypted and secure—relatively speaking. However, it does not guarantee that the website itself is not malicious. Cyber criminals are also aware that people are conditioned to look for the green padlock, so many have begun to leverage free certificate authorities (CAs) to obtain certificates for their shady websites as well.
The State of Financial Phishing: 2019-H1—a report from NormShield—points out that the padlock alone doesn’t mean a website is safe—it simply indicates that the domain has a valid SSL or TLS certificate. According to the report, 15% of the potential phishing domains registered in the first half of 2019 impersonated banks using valid certificates.
Cutting Certificate Expiration Time in Half
Cybercriminals undermining trust in digital certificates is less than ideal, but it is not an excuse to stop using them yourself. Businesses still need to maintain digital certificates for their domains. Managing digital certificates is already challenging, and it may get more complex. There is a proposal under consideration to reduce the default expiration of a certificate from 825 days (a little over 2 years) to just 397 days (approximately 13 months).
The issue will not be decided until a vote in March of 2020. Browser vendors have expressed support for the shorter duration, but certificate authorities are pushing back. One goal—ostensibly—is security and reducing the opportunity for attackers to abuse certificates, but some have noted that it may have little or no real-world impact in that arena.
In a blog post arguing against the proposal, Timothy Hollebeek, representative for DigiCert, stresses, “This change has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates.”
Challenge of Effective Certificate Management
Regardless of how that vote goes or what the duration of a valid certificate is, keeping an accurate inventory of the certificates in use and staying on top of renewing certificates to ensure they remain valid can be overwhelming. According to a recent Ponemon Institute study, nearly three-fourths of survey participants reported unanticipated downtime or outages resulting from expired or mismanaged certificates.
Many organizations still use manual processes for certificate inventory and management—essentially just filling in fields on a spreadsheet and trying to remember to renew and update certificates before they expire. Expired certificates can cause major disruptions and damage customer confidence, though, so effective certificate management is imperative.
The good news is that it’s the sort of thing that can be automated with relative ease. Organizations should consider something like CertView from Qualys to provide a holistic, integrated view of certificate inventory and management. Rather than struggling with spreadsheets and manual effort, a certificate management tool can identify certificate configuration issues and vulnerabilities. Ideally, the tool should also automatically renew and install updated certificates to ensure organizations don’t experience interruptions that could undermine customer trust.
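As a minimal illustration of automating the spreadsheet check described above (an added example, not code from Qualys CertView or from this article), the following Python audits an inventory of certificate validity dates against a renewal window and the 825-day and 397-day lifetimes discussed earlier. The host names, dates, 30-day warning window and function names are assumptions constructed for the example.

```python
import socket
import ssl
from datetime import datetime, timezone

CURRENT_CAP_DAYS = 825   # lifetime cited in the article
PROPOSED_CAP_DAYS = 397  # proposed lifetime cited in the article

def fetch_validity(host, port=443, timeout=5):
    """Return (notBefore, notAfter) strings from a live server's certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return cert["notBefore"], cert["notAfter"]

def _parse(cert_time):
    # ssl.cert_time_to_seconds parses the "Jan  5 09:34:43 2020 GMT" form
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def audit(inventory, now, warn_days=30):
    """Classify each (host, notBefore, notAfter) record, most urgent first."""
    rows = []
    for host, not_before, not_after in inventory:
        start, end = _parse(not_before), _parse(not_after)
        remaining = (end - now).days   # negative once the certificate has expired
        lifetime = (end - start).days
        status = "expired" if remaining < 0 else "renew" if remaining <= warn_days else "ok"
        rows.append({
            "host": host, "status": status, "days_left": remaining,
            "lifetime_days": lifetime,
            "over_current_cap": lifetime > CURRENT_CAP_DAYS,
            "over_proposed_cap": lifetime > PROPOSED_CAP_DAYS,
        })
    return sorted(rows, key=lambda r: r["days_left"])

# Constructed sample inventory (hypothetical hosts and dates)
SAMPLE = [
    ("shop.example.com", "Jan  1 00:00:00 2019 GMT", "Jan  1 00:00:00 2021 GMT"),
    ("api.example.com",  "Feb  1 00:00:00 2019 GMT", "Feb 20 00:00:00 2020 GMT"),
    ("old.example.com",  "Oct  1 00:00:00 2017 GMT", "Jan 15 00:00:00 2020 GMT"),
]
NOW = datetime(2020, 2, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for row in audit(SAMPLE, NOW):
        print(row)
```

To audit live endpoints instead of the sample, build the inventory with fetch_validity() for each host and pass datetime.now(timezone.utc) as the reference time.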