Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Edge Articles

7/31/2019
07:00 AM
Terry Sweeney
Terry Sweeney
Edge Articles
Connect Directly
Facebook
Twitter
RSS
E-Mail
50%
50%

Keep Your Eye on Digital Certificates

X.509 certificates help secure the identity, privacy, and communication between two endpoints, but these digital certificates also have built-in expirations and must be managed.

As every security professional quickly learns, trusted relationships must be managed. And digital certificates – a standardized, encrypted exchange of credentials between two endpoints – are the medium for managing trust online for more than two decades.

Digital certificates aren't particularly complex from a technical perspective. But they do sport a built-in expiration date that if ignored can bring operations to a screeching halt. While most users manage their certificates manually, a host of products and services have emerged to simplify the task. More on this in a minute.

Digital certificates originally started to keep buyers and sellers in sync in early e-commerce applications. But certificates have evolved in the past few years as essential for all websites, thanks to a change in Google's search algorithms that give greater preference to URLs using digital certificates. Sites with digital certificates show up in the browser bar as https://; a small green padlock graphic shows up in the URL bar of some Web browsers for TLS-protected sites. Non-certificated sites render their address with plain, old http://.

In addition to Google search changes, the Internet of Things (IoT) is also making the market more active. Digital certificates are increasingly being tapped by organizations to better secure IoT's galaxies of instrumented, automated endpoints, experts say.

"Every IoT device needs a certificate to pair up with the mothership that [shows] all the rights and protections are there," notes David Collinson, senior director and analyst at Gartner.

Recent statistics pegged the 2018 global market value of digital certificates at $76.2 million, forecasted to grow about 10% annually to $123.8 million in 2023, according to Research and Markets.

Nuts and Bolts
In a nutshell, digital certificates help organizations ensure identity, privacy, or both. They establish "mutual nonrepudiation"; a sender can't deny sending a message or transaction, and a receiver can't deny receiving it. While a would-be user can create his own digital certificate, an individual or an organization more typically applies to a trusted third-party called a certificate authority (CA).

Using the X.509 standard, which is essentially an encryption standard for how Public Key Infrastructure (PKI) information gets formatted and exchanged, the certificate gets issued for a fee with a number of unique criteria, including a serial number, subject (applicant's name), usage information, as well as public key, associated signature algorithm, and the signature of the issuer.

The certificate also contains "not before" and "not after" fields, which specify how long it's valid. The maximum term of a digital certificate is 27 months – 825 days, to be exact, though most CAs will limit the term to 24 months to help certificate holders avoid inadvertent expiration.

While digital certificates once used Secure Sockets Layer (SSL) as their communications protocol, that's since given way to Transport Layer Security (TLS) as the means for two entities to exchange PKI information and verify the integrity of their connection.

Managing Your Certificates
Certificates need to be managed ... just ask any Mozilla user. While it's not clear whether the issue was neglect or something else, the add-ons for the Firefox Web browser were disabled in early May after the supporting digital certificates expired. Mozilla started requiring digital certificates for add-ons in mid-2016. A workaround was issued within a week, but not before Mozilla incurred lots of trouble tickets and grumbling in user forums.

If you're managing fewer than 100 digital certificates, you can likely use a time-honored management template: the spreadsheet. Some infosec pros get even more basic than that with pen and paper, but a digital document is more easily shared.

"I have a lot of clients with thousands of [endpoints] who do this on a spreadsheet," says John Pironti, president of security consultancy IP Architects. "They just put them in the calendar with an expire alert."

If your workload is exponentially larger, a variety of digital certificate management products are available from vendors including Venafi, Webroot, and CyberReason. They make sure certificates are renewed before their expiration dates and promise seamless security and connectivity.

Both Pironti and Collinson warn digital certificate users and the staff who manage them to be vigilant about attacks aimed at endpoints, especially in IoT applications where there are huge volumes of small devices that are also widely distributed.

"They create an inadvertent vulnerability because it puts keying material out to intermediary devices," Pironti explains. "If an adversary can compromise the device, then they get access to the keying materials."

And bad actors have proved they'll then leverage the underlying cryptoware, which leads to scourges like ransomware. It's one of many tradeoffs associated with encryption organization have to resolve as they deploy it more widely, Pironti warns.

Related Content: 

Image Source: peshkova via Adobe Stock

 

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Hackerproof Tech
50%
50%
Hackerproof Tech,
User Rank: Apprentice
8/17/2019 | 1:22:45 PM
Are certificates really safe?
Thanks for the plain English explanation.

Understanding that certificates supposedly confirm that a given site is the actual site the issues surrounding them are:

1. they can be spoofed. For example Google changes its certificates every week after someone spoofed theirs.

2. they provide huge amounts of metadata to the certifying agent. For example, to reach a website a client must first clear the connection through a third party. that third party can collect data from the client, computer, OS, IP, cookies, and a host of data. As such it offers bad agents an opportunity to sell that data. Google and Cloudflair are two who have that data and compile it. In other terms Certificates may confirm a site is a site but at what cost?

3. If the purpose of a certificate is to encrypt a communications channel, why can't a site simply issue its own one time use encryption? Could it be that Google can't collect data if clients don't go through Google so they make it a requirement?

 

In general the idea of a 'certificate' issued by a third party is simply a bandaid that makes Google and others wealthy rather than encouraging better ideas to provide security, identity and more privacy.

Flash Poll