Coming off a year full of certificate authority (CA) compromises, SSL certificate management is more important than ever. The following tips from authentication experts are important considerations for retailers and other organizations that depend on SSL to authenticate user communication and transactions.
1. Avoid Expiration At All Costs
Expiration of certificates is an important part of the security mechanism of certificates, says Jeff Hudson, CEO of Venafi. But it requires organizations to be on their toes to ensure that certificates remain current lest they interrupt the customer experience. At very best, an expired certificate will send up an error message on shoppers' browsers, warning them that the trusted connection is no longer able to be validated. But in some scenarios, an expiration can shut a system down.
"When certificates are used in server-to-server communication, it's not like they pop up a dialogue box that says, 'This certificate has expired or is from an unknown party, would you like to proceed anyway?' When servers communicate with each other, they don't have that option," Hudson says. "If they don't get a correct response from a challenge, they stop working. And sometimes it is hard to tell they're not working. Last year, the Target RedCard system went down for eight hours because of an expired certificate."
2. Know Where Your Certificates Are
Many times the reason why retail outfits and other large organizations allow certificates expiration dates to lapse without any action is that the people in charge of renewing had no clue the certificate existed in the first place.
Organizations with hundreds or thousands of certificates tend to fall down when they manage them all by spreadsheet and spread out the responsibility across server and website owners rather than centrally managing the task.
"The problem with a lot of larger operations is that they tend to manage certificates via spreadsheets, and that can create challenges," says Deena Thomchick, director of product marketing at Symantec.
According to Hudson, it is common for big retailers and other enterprises to not even know how many certificates they have in place.
"We recently walked into a very large retailer and asked them how many certificates they had. They told us 15,000," he says. "When we did a discovery, we determined that they had 30,000."
In order to get control of the situation, it might make sense to automate the discovery process, scan for certificates, and start setting up an automated way to renew certificates before expiration becomes a problem. Once that's done, it is easiest to centralize the whole process by developing infrastructure that allows a central administrator to handle all the certificates, authorizing issuance to individual business unit- or server-owners as they request them. "You want a platform that can accommodate one administrator who oversees all of the different certificates but can also be distributed so that individuals who are responsible for individual servers can tap into a centralized system and make their request," Thomchick says.
3. Don't 'Train' Users To Proceed Past Certificate Errors
In an ideal world, organizations want to train their users to immediately stop a transaction or a communication when a certificate error pops up. That's why expiration is so brutal.
"Under normal practices, if your site admins fall asleep at the wheel and don't renew certificates in time every year, your users are going to get used to that, and when they visit your site they'll say, 'This happens all the time, I'm just going to click 'OK,'" says Nicholas Percoco, senior vice president at Trustwave's SpiderLabs. "So you don't want that to ever happen on your site." But there are other considerations you'll need to think about to keep users from thinking it is OK to trip merrily along past a certificate error. For example, Percoco warns against mixing content on your site.
"That means if you have an https connection, you shouldn't have content pulled in from other places that are on your domain that are sent only over http," he says. "You want to make sure that all pages are over SSL and are tested."
Similarly, make sure that all forms submitted are done so using SSL so that if a customer clicks into a "Contact Us" link in the middle of an e-commerce transaction, no error will crop up in the process.
4. Centralize Management, Diversify Certificate Authorities
While the centralization of certificate management should be a goal for any organization that has to keep track of a multitude of SSL certificates, diversity isn't necessarily a bad thing -- particularly when it comes to the certificate authorities that you use. After the recent issues certificate authorities have faced with compromises, it makes sense for organizations to hedge their bets and work with multiple CAs should future compromises occur.
"Companies have to use multiple CAs. Certificate authorities are a supplier of trust, so if one of them goes bad you can switch with another one," Hudson says.
But the only way to do that is if you are able to easily identify and organize your certificates.
"That way when one of them is compromised, then you'll be able to swap them out with noncompromised ones within a matter of hours, not days or weeks or months," Hudson says. "Imagine if you don't even know where they are installed on your network. How are you going to be able to swap them out then?"
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.