Four SSL Certificate Management Tips For Holiday E-Commerce Success

Don't let CA compromises, expired SSL certificates break your Internet authentication processes

With Cyber Monday kicking off the first week of hot-and-heavy e-commerce action this holiday season, keeping consumers spending safely is a top-of-mind concern for most retailers. One of the keys to maintaining a smooth and secure customer experience is making sure that nothing "breaks" the process of SSL authentication.

Coming off a year full of certificate authority (CA) compromises, SSL certificate management is more important than ever. The following tips from authentication experts are important considerations for retailers and other organizations that depend on SSL to authenticate user communication and transactions.

1. Avoid Expiration At All Costs
Expiration of certificates is an important part of the security mechanism of certificates, says Jeff Hudson, CEO of Venafi. But it requires organizations to be on their toes to ensure that certificates remain current, lest they interrupt the customer experience. At best, an expired certificate will trigger an error message in shoppers' browsers, warning them that the trusted connection can no longer be validated. But in some scenarios, an expiration can shut a system down.

"When certificates are used in server-to-server communication, it's not like they pop up a dialogue box that says, 'This certificate has expired or is from an unknown party, would you like to proceed anyway?' When servers communicate with each other, they don't have that option," Hudson says. "If they don't get a correct response from a challenge, they stop working. And sometimes it is hard to tell they're not working. Last year, the Target RedCard system went down for eight hours because of an expired certificate."

2. Know Where Your Certificates Are
Many times the reason why retail outfits and other large organizations allow certificate expiration dates to lapse without any action is that the people in charge of renewing had no clue the certificate existed in the first place.

Organizations with hundreds or thousands of certificates tend to fall down when they manage them all by spreadsheet and spread out the responsibility across server and website owners rather than centrally managing the task.

"The problem with a lot of larger operations is that they tend to manage certificates via spreadsheets, and that can create challenges," says Deena Thomchick, director of product marketing at Symantec.

According to Hudson, it is common for big retailers and other enterprises to not even know how many certificates they have in place.

"We recently walked into a very large retailer and asked them how many certificates they had. They told us 15,000," he says. "When we did a discovery, we determined that they had 30,000."

In order to get control of the situation, it makes sense to automate the discovery process, scan for certificates, and set up an automated way to renew certificates before expiration becomes a problem. Once that's done, it is easiest to centralize the whole process by developing infrastructure that allows a central administrator to handle all the certificates, authorizing issuance to individual business unit or server owners as they request them. "You want a platform that can accommodate one administrator who oversees all of the different certificates but can also be distributed so that individuals who are responsible for individual servers can tap into a centralized system and make their request," Thomchick says.

3. Don't 'Train' Users To Proceed Past Certificate Errors
In an ideal world, organizations want to train their users to immediately stop a transaction or a communication when a certificate error pops up. That's why expiration is so brutal.

"Under normal practices, if your site admins fall asleep at the wheel and don't renew certificates in time every year, your users are going to get used to that, and when they visit your site they'll say, 'This happens all the time, I'm just going to click OK,'" says Nicholas Percoco, senior vice president at Trustwave's SpiderLabs. "So you don't want that to ever happen on your site." But there are other considerations you'll need to think about to keep users from thinking it is OK to trip merrily along past a certificate error. For example, Percoco warns against mixing content on your site.

"That means if you have an https connection, you shouldn't have content pulled in from other places that are on your domain that are sent only over http," he says. "You want to make sure that all pages are over SSL and are tested."

Similarly, make sure that all forms are submitted over SSL, so that if a customer clicks a "Contact Us" link in the middle of an e-commerce transaction, no error crops up in the process.
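A check for the mixed-content problem Percoco describes, as an added example that is not from the article or from Trustwave: it parses a page served over https and reports every resource load or form submission that resolves to a plain http URL. The page URL, the HTML and the host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample checkout page (not from any real site). One image and one
# form point at plain http, which is what triggers browser mixed-content errors.
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><body>
<img src="http://static.example.test/logo.png">
<img src="//static.example.test/badge.png">
<script src="https://cdn.example.test/app.js"></script>
<form action="http://shop.example.test/contact" method="post"></form>
<form action="/pay" method="post"></form>
<a href="http://www.example.test/help">help</a>
</body></html>
"""

# Attributes that make the browser fetch a resource or submit form data.
# Plain navigation links (<a href>) are deliberately not included: following
# one is a new page load, not mixed content on this page.
LOADING_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                 "link": "href", "form": "action"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL) pairs that use http

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if value is None:
            return
        # Relative ("/pay") and protocol-relative ("//host/x") URLs inherit the
        # page's https scheme, so resolve them before judging the scheme.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return every (tag, url) on the page that loads or submits over http."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag}> -> {url}")
```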

4. Centralize Management, Diversify Certificate Authorities
While the centralization of certificate management should be a goal for any organization that has to keep track of a multitude of SSL certificates, diversity isn't necessarily a bad thing -- particularly when it comes to the certificate authorities that you use. After the recent issues certificate authorities have faced with compromises, it makes sense for organizations to hedge their bets and work with multiple CAs should future compromises occur.

"Companies have to use multiple CAs. Certificate authorities are a supplier of trust, so if one of them goes bad you can switch with another one," Hudson says.

But the only way to do that is if you are able to easily identify and organize your certificates.

"That way when one of them is compromised, then you'll be able to swap them out with noncompromised ones within a matter of hours, not days or weeks or months," Hudson says. "Imagine if you don't even know where they are installed on your network. How are you going to be able to swap them out then?"
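The inventory side of tips 1, 2 and 4, as an added example that is not from the article or from Venafi or Symantec: it takes scan records in the form Python's ssl module reports them, flags certificates that are expired or inside a renewal warning window, and shows how concentrated the inventory is on each issuing CA (the number to watch if one CA has to be swapped out). The inventory, scan time, host names and CA names are constructed; scan_host is a live-discovery helper that needs network access and is not run by the sample.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed scan results (no real hosts or certificates): hostname, owner,
# issuing CA, and notAfter exactly as ssl.getpeercert() formats it.
SAMPLE_INVENTORY = [
    {"host": "shop.example.test", "owner": "web", "issuer": "CA-A", "notAfter": "Dec 20 23:59:59 2019 GMT"},
    {"host": "api.example.test", "owner": "platform", "issuer": "CA-A", "notAfter": "Nov 01 23:59:59 2019 GMT"},
    {"host": "cdn.example.test", "owner": "web", "issuer": "CA-A", "notAfter": "Jun 30 23:59:59 2020 GMT"},
    {"host": "pay.example.test", "owner": "payments", "issuer": "CA-B", "notAfter": "Mar 15 23:59:59 2020 GMT"},
]
NOW = datetime(2019, 11, 25, tzinfo=timezone.utc)  # constructed scan time


def days_until_expiry(not_after, now):
    """Days from `now` to a getpeercert()-style notAfter string; negative once expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def renewal_report(inventory, now, warn_days=30):
    """Bucket hosts as expired / expiring within warn_days / ok, so owners are warned
    before a browser error or a silent server-to-server failure appears."""
    report = {"expired": [], "expiring": [], "ok": []}
    for cert in inventory:
        days = days_until_expiry(cert["notAfter"], now)
        bucket = "expired" if days < 0 else "expiring" if days <= warn_days else "ok"
        report[bucket].append(cert["host"])
    return report


def ca_concentration(inventory):
    """Share of certificates per issuing CA; a value near 1.0 means one CA compromise
    forces a swap of nearly everything at once."""
    counts = {}
    for cert in inventory:
        counts[cert["issuer"]] = counts.get(cert["issuer"], 0) + 1
    return {ca: n / len(inventory) for ca, n in counts.items()}


def scan_host(host, port=443, timeout=5):
    """Live discovery of one endpoint: (issuer CN, notAfter) from a validated TLS handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("commonName", "?")
    return issuer, cert["notAfter"]


if __name__ == "__main__":
    print(renewal_report(SAMPLE_INVENTORY, NOW))
    print(ca_concentration(SAMPLE_INVENTORY))
```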
