Cloud

5/16/2018 01:12 PM
Dark Reading
Products and Releases

Research Conducted By Comodo CA Reveals That More Than 1 Million Distrusted Website Certificates From Symantec Remain In Use

Certificate Authority Aims to Help Businesses and Consumers Worldwide Increase Security of Professional and Personal Internet Usage and Prevent Potential Loss of Business

ROSELAND, N.J. – May 16, 2018 – Comodo CA Limited, a worldwide leader in digital identity solutions, today revealed research results that identified more than one million websites using SSL/TLS certificates issued by Symantec Corp., whose CA business is now owned by DigiCert, Inc., that may be at risk. Using a two-step process, which included scanning with the publicly available, Comodo CA-owned Certificate Transparency log monitor and search tool (crt.sh) and then manually reviewing websites believed to be at risk of decertification, Comodo CA found more than one million website certificates worldwide that may be distrusted and will therefore have to be replaced to avoid disruption to the website, creating significant business continuity and security issues for businesses and their customers. Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Google Chrome and Mozilla Firefox.

“To help businesses and website owners worldwide ensure their sites remain trusted, Comodo CA has been carefully reviewing the universe of digital certificates to determine the scale and scope of distrusted certificates that still exist and help those affected to take swift and appropriate action,” said Bill Holtz, CEO, Comodo CA.

“While we were surprised by these findings, we felt it was critical to responsibly provide this information to help educate businesses and restore global trust and confidence in digital certificates, given their importance in areas such as e-commerce, global communication and the operation of IoT networks.”

“These efforts by Comodo CA demonstrate they’ve taken a leadership position in presenting some very real industry challenges,” said Robert Westervelt, Research Director, IDC Data Security Practice. “These findings are both interesting and a bit troubling. The fact that we are still seeing more than a million distrusted certificates that are operational as of today constitutes a big risk, particularly because remediation of the distrusted DigiCert certificates is a labor- and time-intensive process. Also, release dates of major browser enhancements will be here very soon, and this dynamic creates a major risk for enterprises globally, and they need to be made aware of it. Otherwise, the financial impact could be significant if consumers cannot trust that websites are safe.”

Which Certificates are Affected?

Last year, Google, Inc., its Chrome team and the PKI community developed a plan to reduce and ultimately remove trust in certificates issued by Symantec, whose CA business is now owned by DigiCert. Google communicated that as of July 20, 2018, end users will see certificate error messages on websites that have not replaced these certificates. Additionally, Google has said that as of October 23, 2018, certificates issued by Symantec (now DigiCert) before December 01, 2017 will be distrusted and no longer considered valid.

Steps to Take Now

For businesses and website operators seeking to keep their websites operational, Comodo CA suggests the following guidelines:

  • Understand the underlying issues that led to Google’s decision to distrust Symantec, GeoTrust, Thawte & RapidSSL certificates; complete details can be found in the Google Security Blog
  • Scan your network to discover all active certificates in your environment
  • Identify those certificates that were issued prior to December 01, 2017 and chain to a Symantec CA root
  • Replace those certificates with certificates chaining to a trusted root from a compliant Certificate Authority
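The identification step of the guidelines above, as an added example in Go that is not code from the press release or from Comodo CA: a chain is flagged when its leaf was issued before December 01, 2017 and any issuer name in the chain mentions Symantec, GeoTrust, Thawte or RapidSSL. The chain builder, the organization names and the hostname are constructed test data; a real scan would feed the check certificates collected from your own hosts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Criteria from the press release: a leaf issued before December 1, 2017
// that chains to a Symantec-brand CA (Symantec, GeoTrust, Thawte, RapidSSL).
var cutoff = time.Date(2017, time.December, 1, 0, 0, 0, 0, time.UTC)
var distrustedBrands = []string{"symantec", "geotrust", "thawte", "rapidssl"}

// chainHasDistrustedIssuer reports whether any issuer name in the chain
// (leaf first, root last) mentions one of the distrusted brands.
func chainHasDistrustedIssuer(chain []*x509.Certificate) bool {
	for _, c := range chain {
		issuer := strings.ToLower(c.Issuer.String())
		for _, b := range distrustedBrands {
			if strings.Contains(issuer, b) {
				return true
			}
		}
	}
	return false
}

// NeedsReplacement applies both criteria to a chain ordered leaf first.
func NeedsReplacement(chain []*x509.Certificate) bool {
	return len(chain) > 0 && chain[0].NotBefore.Before(cutoff) && chainHasDistrustedIssuer(chain)
}

// MakeChain builds a constructed leaf-plus-CA chain for demonstration only; caOrg becomes the CA's subject organization.
func MakeChain(caOrg string, leafNotBefore time.Time) []*x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // one key reused for both certs, for brevity
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{caOrg}}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: leafNotBefore.AddDate(-5, 0, 0), NotAfter: leafNotBefore.AddDate(10, 0, 0)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &key.PublicKey, key)
	caCert, _ := x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: leafNotBefore, NotAfter: leafNotBefore.AddDate(2, 0, 0)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, &key.PublicKey, key)
	leafCert, _ := x509.ParseCertificate(leafDER)
	return []*x509.Certificate{leafCert, caCert}
}
```

Matching on brand names in issuer fields is a triage heuristic; confirm each hit against the actual Symantec root set before scheduling replacement.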


Comodo CA Research Findings

The Comodo CA testing was completed using a two-step process. The first step, completed on April 17, 2018, revealed that 1.2 million certificates issued by Symantec had not been replaced. The second step, completed on May 4, 2018, revealed that more than one million distrusted website certificates were still in use.

The findings of this testing demonstrate that the unreplaced certificates are a global issue. Of the one million websites still at risk, roughly 25 percent were based in Germany, 15 percent in the United States, 13 percent in the UK, 5 percent in China and 6 percent in Japan, with several other countries at 5 percent and below.

Comodo CA released these results to help raise awareness of this issue to businesses, website operators, resellers and consumers worldwide. 


About Comodo CA

A trusted advisor to enterprises globally for more than two decades, Comodo CA provides digital identity solutions for businesses of all sizes, protecting their employees, customers, intellectual property and overall brand from damages caused by fraudsters impersonating people and devices.

As the largest commercial certificate authority, with over 100 million SSL certificates issued worldwide, Comodo CA has the experience and performance to meet the growing need to secure transactions and help create online trust. For more information, visit ComodoCA.com.


# # #
