5/16/2018
01:12 PM
Dark Reading
Products and Releases
Research Conducted By Comodo CA Reveals That More Than 1 Million Distrusted Website Certificates From Symantec Remain In Use

Certificate Authority Aims to Help Businesses and Consumers Worldwide Increase Security of Professional and Personal Internet Usage and Prevent Potential Loss of Business

ROSELAND, N.J. – May 16, 2018 – Comodo CA Limited, a worldwide leader in digital identity solutions, today revealed research results identifying more than one million websites that may be at risk because they use SSL/TLS certificates issued by Symantec Corp., whose certificate business is now owned by DigiCert, Inc. Using a two-step process, which included scanning the publicly available, Comodo CA-owned Certificate Transparency log monitor and search tool (crt.sh) and then manually reviewing websites believed to be at risk of distrust, Comodo CA found more than one million website certificates worldwide that may be distrusted and will therefore have to be replaced to avoid disruption to the sites they protect, a significant business continuity and security issue for businesses and their customers. Failure to replace these certificates will result in site breakage in upcoming versions of major browsers, including Google Chrome and Mozilla Firefox.

“To help businesses and website owners worldwide ensure their sites remain trusted, Comodo CA has been carefully reviewing the universe of digital certificates to determine the scale and scope of distrusted certificates that still exist and help those affected to take swift and appropriate action,” said Bill Holtz, CEO, Comodo CA.

“While we were surprised by these findings, we felt it was critical to responsibly provide this information to help educate businesses and restore global trust and confidence in digital certificates, given their importance in areas such as e-commerce, global communication and the operation of IoT networks.”

“These efforts by Comodo CA demonstrate they’ve taken a leadership position in presenting some very real industry challenges,” said Robert Westervelt, Research Director, IDC Data Security Practice. “These findings are both interesting and a bit troubling. The fact that we are still seeing more than a million distrusted certificates that are operational as of today, constitutes a big risk, particularly because remediation of the distrusted DigiCert certificates is a labor- and time-intensive process. Also, release dates of major browser enhancements will be here very soon and this dynamic creates a major risk for enterprises globally and they need to be made aware of it. Otherwise, the financial impact could be significant if consumers cannot trust that websites are safe.”

Which Certificates are Affected?

Last year, Google, Inc., its Chrome team and the PKI community developed a plan to reduce and ultimately remove trust in certificates issued by Symantec, whose CA business is now owned by DigiCert. Google communicated that as of July 20, 2018, end users will see certificate error messages on websites that have not replaced these certificates. Additionally, Google has said that as of October 23, 2018, certificates issued by Symantec (now owned by DigiCert) before December 01, 2017 will be distrusted and no longer considered valid.

Steps to Take Now

For businesses and website operators seeking to keep their websites operational, Comodo CA suggests the following guidelines:

  • Understand the underlying issues that led to Google’s decision to distrust Symantec, GeoTrust, Thawte & RapidSSL certificates; complete details can be found in the Google Security Blog
  • Scan your network to discover all active certificates in your environment
  • Identify those certificates that were issued prior to December 01, 2017 with a Symantec CA root
  • Replace those certificates with a trusted root from a compliant Certificate Authority
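The triage in the last two steps, written out as an added Go example (not Comodo CA's code or part of the press release): given a server's chain, flag leaves issued before December 01, 2017 whose root subject carries one of the legacy Symantec brand names named above. The brand-name match on the root's organisation and the in-memory test chain built by MakeChain are assumptions for this illustration; a real inventory job would feed the chain returned by a TLS handshake instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)

// Legacy Symantec brands named in the release, and the issuance cutoff it cites.
var legacySymantecBrands = []string{"symantec", "geotrust", "thawte", "rapidssl"}
var distrustCutoff = time.Date(2017, time.December, 1, 0, 0, 0, 0, time.UTC)

// NeedsReplacement reports whether a non-empty chain (leaf first, root last) has a legacy Symantec brand root and a pre-cutoff leaf.
func NeedsReplacement(chain []*x509.Certificate) bool {
	leaf, root := chain[0], chain[len(chain)-1]
	rootOrg := strings.ToLower(strings.Join(root.Subject.Organization, " "))
	for _, brand := range legacySymantecBrands {
		if strings.Contains(rootOrg, brand) {
			return leaf.NotBefore.Before(distrustCutoff)
		}
	}
	return false
}

// sign issues tmpl under parent; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		panic(err) // constructed test fixture, so fail loudly
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// MakeChain builds a constructed root + leaf chain in memory (offline fixture; rootOrg is a test value, not a real root's subject).
func MakeChain(rootOrg string, leafNotBefore time.Time) []*x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{Organization: []string{rootOrg}, CommonName: "Constructed Test Root"},
		NotBefore: time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)}
	root := sign(rootTmpl, rootTmpl, key)
	leaf := sign(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: leafNotBefore, NotAfter: leafNotBefore.AddDate(2, 0, 0)}, root, key)
	return []*x509.Certificate{leaf, root}
}
```

In a real scan, pass `tls.ConnectionState().PeerCertificates` from each handshake to NeedsReplacement in place of the MakeChain fixture.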


Comodo CA Research Findings

The Comodo CA testing was completed using a two-step process. The first step – completed on April 17, 2018 – revealed that 1.2 million certificates issued by Symantec had not been replaced. The second step – completed on May 4, 2018 – revealed that more than one million distrusted website certificates were still in use.

The findings of this testing demonstrate that the unreplaced certificates are a global issue. Of the one million websites still at risk, roughly 25 percent were based in Germany; 15 percent in the United States; 13 percent in the UK; 5 percent in China; 6 percent in Japan with several other countries at 5 percent and below.

Comodo CA released these results to help raise awareness of this issue to businesses, website operators, resellers and consumers worldwide. 


About Comodo CA

A trusted advisor by enterprises globally for more than two decades, Comodo CA provides digital identity solutions for businesses of all sizes – protecting their employees, customers, intellectual property and overall brand – from damages caused by fraudsters impersonating people and devices. 

As the largest commercial certificate authority with over 100 million SSL certificates issued worldwide, Comodo CA has the experience and performance to meet the growing need to secure transactions and help create online trust. For more information, visit ComodoCA.com


# # #

