As every security professional quickly learns, trust relationships must be managed. And digital certificates – a standardized, encrypted exchange of credentials between two endpoints – have been the medium for managing trust online for more than two decades.
Digital certificates aren't particularly complex from a technical perspective. But they do sport a built-in expiration date that, if ignored, can bring operations to a screeching halt. While most users manage their certificates manually, a host of products and services have emerged to simplify the task. More on this in a minute.
Digital certificates originally emerged to keep buyers and sellers in sync in early e-commerce applications. But in the past few years certificates have become essential for all websites, thanks to a change in Google's search algorithms that gives greater preference to URLs using digital certificates. Sites with digital certificates show up in the browser bar as https://, and a small green padlock icon appears in the URL bar of some Web browsers for TLS-protected sites. Sites without certificates render their address with plain, old http://.
In addition to Google search changes, the Internet of Things (IoT) is also making the market more active. Digital certificates are increasingly being tapped by organizations to better secure IoT's galaxies of instrumented, automated endpoints, experts say.
"Every IoT device needs a certificate to pair up with the mothership that [shows] all the rights and protections are there," notes David Collinson, senior director and analyst at Gartner.
Recent statistics pegged the 2018 global market value of digital certificates at $76.2 million, forecasted to grow about 10% annually to $123.8 million in 2023, according to Research and Markets.
Nuts and Bolts
In a nutshell, digital certificates help organizations ensure identity, privacy, or both. They establish "mutual nonrepudiation": a sender can't deny sending a message or transaction, and a receiver can't deny receiving it. While a would-be user can create his own digital certificate, an individual or an organization more typically applies to a trusted third party called a certificate authority (CA).
Using the X.509 standard, which is essentially a standard for how Public Key Infrastructure (PKI) information gets formatted and exchanged, the certificate is issued for a fee with a number of unique fields, including a serial number, subject (applicant's name), usage information, the public key, the associated signature algorithm, and the signature of the issuer.
The certificate also contains "not before" and "not after" fields, which specify how long it's valid. The maximum term of a digital certificate is 27 months – 825 days, to be exact, though most CAs will limit the term to 24 months to help certificate holders avoid inadvertent expiration.
While digital certificates once used Secure Sockets Layer (SSL) as their communications protocol, that's since given way to Transport Layer Security (TLS) as the means for two entities to exchange PKI information and verify the integrity of their connection.
Managing Your Certificates
Certificates need to be managed ... just ask any Mozilla user. While it's not clear whether the issue was neglect or something else, the add-ons for the Firefox Web browser were disabled in early May after the supporting digital certificates expired. Mozilla started requiring digital certificates for add-ons in mid-2016. A workaround was issued within a week, but not before Mozilla incurred lots of trouble tickets and grumbling in user forums.
If you're managing fewer than 100 digital certificates, you can likely use a time-honored management template: the spreadsheet. Some infosec pros get even more basic than that with pen and paper, but a digital document is more easily shared.
"I have a lot of clients with thousands of [endpoints] who do this on a spreadsheet," says John Pironti, president of security consultancy IP Architects. "They just put them in the calendar with an expire alert."
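As an added example (not code from the article or from any vendor it names), the following Python parses the "not before" / "not after" timestamps the way they are encoded inside an X.509 certificate (UTCTime for dates through 2049, GeneralizedTime from 2050 on, per RFC 5280), then walks a constructed spreadsheet-style inventory against a fixed "today": it flags entries that are expired or inside a calendar-alert window, and flags any whose term exceeds the 825-day maximum cited above. The hostnames and dates are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

MAX_TERM_DAYS = 825  # longest validity period the article cites


def parse_x509_time(value: str) -> datetime:
    """Decode an X.509 Validity timestamp (RFC 5280 section 4.1.2.5).

    UTCTime is YYMMDDHHMMSSZ (two-digit year: 50-99 => 19xx, 00-49 => 20xx);
    GeneralizedTime is YYYYMMDDHHMMSSZ. Both must end in 'Z' (UTC).
    """
    if not value.endswith("Z"):
        raise ValueError(f"certificate times must be UTC ('Z'): {value}")
    digits = value[:-1]
    if len(digits) == 12:                      # UTCTime
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:                    # GeneralizedTime
        year, rest = int(digits[:4]), digits[4:]
    else:
        raise ValueError(f"malformed X.509 time: {value}")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def certificate_status(not_before: str, not_after: str, now: datetime, alert_days: int = 30) -> str:
    """Classify a certificate's validity window relative to 'now'."""
    nb, na = parse_x509_time(not_before), parse_x509_time(not_after)
    if na <= nb:
        return "invalid-window"
    if now < nb:
        return "not-yet-valid"
    if now > na:
        return "expired"
    if na - now <= timedelta(days=alert_days):
        return "expiring-soon"                 # what the calendar "expire alert" should catch
    return "valid"


def term_within_limit(not_before: str, not_after: str) -> bool:
    """True if the certificate's lifetime does not exceed MAX_TERM_DAYS."""
    return (parse_x509_time(not_after) - parse_x509_time(not_before)).days <= MAX_TERM_DAYS


# Constructed inventory standing in for the spreadsheet described in the article.
INVENTORY = [
    {"subject": "shop.example.test",   "not_before": "190301000000Z",   "not_after": "210301000000Z"},
    {"subject": "addons.example.test", "not_before": "170501000000Z",   "not_after": "190504000000Z"},
    {"subject": "iot-gw.example.test", "not_before": "180601000000Z",   "not_after": "190601000000Z"},
    {"subject": "legacy-root.test",    "not_before": "150101000000Z",   "not_after": "20500101000000Z"},
]


def review_inventory(inventory, now: datetime, alert_days: int = 30) -> dict:
    """Return {subject: (status, term_ok)} for every inventory entry."""
    return {e["subject"]: (certificate_status(e["not_before"], e["not_after"], now, alert_days),
                           term_within_limit(e["not_before"], e["not_after"]))
            for e in inventory}


if __name__ == "__main__":
    today = datetime(2019, 5, 15, tzinfo=timezone.utc)   # fixed reference date
    for subject, (status, term_ok) in review_inventory(INVENTORY, today).items():
        print(f"{subject:24} {status:14} term_ok={term_ok}")
```

Feed it real values by reading them with `openssl x509 -noout -dates` or any parser and normalising to the raw ASN.1 form; the classification and term check stay the same.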
If your workload is considerably larger, a variety of digital certificate management products are available from vendors including Venafi, Webroot, and CyberReason. They make sure certificates are renewed before their expiration dates and promise seamless security and connectivity.
Both Pironti and Collinson warn digital certificate users and the staff who manage them to be vigilant about attacks aimed at endpoints, especially in IoT applications where there are huge volumes of small devices that are also widely distributed.
"They create an inadvertent vulnerability because it puts keying material out to intermediary devices," Pironti explains. "If an adversary can compromise the device, then they get access to the keying materials."
And bad actors have proved they'll then leverage the underlying cryptoware, which leads to scourges like ransomware. It's one of many tradeoffs associated with encryption that organizations have to resolve as they deploy it more widely, Pironti warns.