Dark Reading is part of the Informa Tech Division of Informa PLC
Four SSL Certificate Management Tips For Holiday E-Commerce Success

Don't let CA compromises, expired SSL certificates break your Internet authentication processes

With Cyber Monday kicking off the first week of hot-and-heavy e-commerce action this holiday season, keeping consumers spending safely is a top-of-mind concern for most retailers. One of the keys to maintaining a smooth and secure customer experience is making sure that nothing "breaks" the process of SSL authentication.

Coming off a year full of certificate authority (CA) compromises, SSL certificate management is more important than ever. The following tips from authentication experts are important considerations for retailers and other organizations that depend on SSL to authenticate user communication and transactions.

1. Avoid Expiration At All Costs
Expiration of certificates is an important part of the security mechanism of certificates, says Jeff Hudson, CEO of Venafi. But it requires organizations to be on their toes to ensure that certificates remain current lest they interrupt the customer experience. At best, an expired certificate triggers an error message in shoppers' browsers warning them that the trusted connection can no longer be validated. But in some scenarios, an expiration can shut a system down.

"When certificates are used in server-to-server communication, it's not like they pop up a dialogue box that says, 'This certificate has expired or is from an unknown party, would you like to proceed anyway?' When servers communicate with each other, they don't have that option," Hudson says. "If they don't get a correct response from a challenge, they stop working. And sometimes it is hard to tell they're not working. Last year, the Target RedCard system went down for eight hours because of an expired certificate."

2. Know Where Your Certificates Are
Many times the reason retail outfits and other large organizations let certificate expiration dates lapse without any action is that the people in charge of renewing had no clue the certificate existed in the first place.

Organizations with hundreds or thousands of certificates tend to fall down when they manage them all by spreadsheet and spread out the responsibility across server and website owners rather than centrally managing the task.

"The problem with a lot of larger operations is that they tend to manage certificates via spreadsheets, and that can create challenges," says Deena Thomchick, director of product marketing at Symantec.

According to Hudson, it is common for big retailers and other enterprises to not even know how many certificates they have in place.

"We recently walked into a very large retailer and asked them how many certificates they had. They told us 15,000," he says. "When we did a discovery, we determined that they had 30,000."

In order to get control of the situation, it might make sense to automate the discovery process, scan for certificates, and start setting up an automated way to renew certificates before expiration becomes a problem. Once that's done, it is easiest to centralize the whole process by developing infrastructure that allows a central administrator to handle all the certificates, authorizing issuance to individual business unit or server owners as they request them. "You want a platform that can accommodate one administrator who oversees all of the different certificates but can also be distributed so that individuals who are responsible for individual servers can tap into a centralized system and make their request," Thomchick says.

3. Don't 'Train' Users To Proceed Past Certificate Errors
In an ideal world, organizations want to train their users to immediately stop a transaction or a communication when a certificate error pops up. That's why expiration is so brutal.

"Under normal practices, if your site admins fall asleep at the wheel and don't renew certificates in time every year, your users are going to get used to that, and when they visit your site they'll say, 'This happens all the time, I'm just going to click 'OK,'" says Nicholas Percoco, senior vice president at Trustwave's SpiderLabs. "So you don't want that to ever happen on your site." But there are other considerations you'll need to think about to keep users from thinking it is OK to trip merrily along past a certificate error. For example, Percoco warns against mixing content on your site.

"That means if you have an https connection, you shouldn't have content pulled in from other places that are on your domain that are sent only over http," he says. "You want to make sure that all pages are over SSL and are tested."

Similarly, make sure that all forms are submitted over SSL, so that if a customer clicks a "Contact Us" link in the middle of an e-commerce transaction, no error crops up in the process.
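The mixed-content and form-action checks Percoco describes can be run against your own pages before the holiday rush. The scanner below is an added example, not code from the article or from Trustwave; it uses only the Python standard library and a constructed sample page, and the hostnames in it are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose URL is fetched or submitted by the browser. An http:// value on an
# https:// page is mixed content (or an insecure form post) and will trip a browser warning.
URL_ATTRS = {"script": ("src",), "img": ("src",), "iframe": ("src",), "source": ("src",),
             "object": ("data",), "link": ("href",), "form": ("action",)}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only a stylesheet <link> is loaded by the browser; canonical/alternate links are not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
            return
        for attr in URL_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if value is None:
                continue
            # Relative and protocol-relative (//host/path) URLs inherit the page's https scheme.
            resolved = urljoin(self.page_url, value)
            if urlsplit(resolved).scheme == "http":
                self.findings.append((tag, attr, resolved))

def find_mixed_content(page_url, html):
    """Return every subresource or form target that would leave https on this page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed sample checkout page: one protocol-relative script (fine), one http image,
# one http stylesheet, a canonical link (ignored), an http contact form and a relative cart form.
SAMPLE_HTML = """<html><body>
<script src="//cdn.example.com/app.js"></script>
<img src="http://images.example.com/logo.png">
<link rel="stylesheet" href="http://static.example.com/site.css">
<link rel="canonical" href="http://shop.example.com/checkout">
<form action="http://shop.example.com/contact" method="post"></form>
<form action="/cart" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://shop.example.com/checkout", SAMPLE_HTML):
        print(f"insecure <{tag} {attr}>: {url}")
```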

4. Centralize Management, Diversify Certificate Authorities
While the centralization of certificate management should be a goal for any organization that has to keep track of a multitude of SSL certificates, diversity isn't necessarily a bad thing -- particularly when it comes to the certificate authorities that you use. After the recent issues certificate authorities have faced with compromises, it makes sense for organizations to hedge their bets and work with multiple CAs should future compromises occur.

"Companies have to use multiple CAs. Certificate authorities are a supplier of trust, so if one of them goes bad you can switch with another one," Hudson says.

But the only way to do that is if you are able to easily identify and organize your certificates.

"That way when one of them is compromised, then you'll be able to swap them out with noncompromised ones within a matter of hours, not days or weeks or months," Hudson says. "Imagine if you don't even know where they are installed on your network. How are you going to be able to swap them out then?"
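The discovery, expiry triage and per-CA inventory that tips 1, 2 and 4 call for can be started with a short script. This is an added example, not code from the article, Venafi or Symantec; `fetch_cert` does real TLS connections, while the triage runs here on a constructed inventory whose hostnames, dates and CA names are made up.

```python
import socket
import ssl
from collections import Counter
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5):
    """Discovery step: open a verified TLS connection and return the peer certificate in the
    dict form ssl.getpeercert() uses. A failed handshake (expired, wrong name, unknown CA)
    raises ssl.SSLError, which is itself a finding worth recording in the inventory."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """Pull organizationName out of the issuer RDN sequence: ((('organizationName', 'X'),), ...)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "unknown"

def triage(records, now, warn_days=30):
    """records: iterable of (hostname, cert_dict). Returns hosts whose certificate expires within
    warn_days (already-expired ones have negative days), most urgent first, plus a tally of
    issuing CAs so that dependence on a single CA is visible before it is compromised."""
    expiring, ca_counts = [], Counter()
    for host, cert in records:
        not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
        days_left = (not_after - now).days
        ca = issuer_org(cert)
        ca_counts[ca] += 1
        if days_left <= warn_days:
            expiring.append((host, days_left, ca))
    expiring.sort(key=lambda r: r[1])
    return expiring, ca_counts

# Constructed sample inventory in getpeercert() shape (hypothetical hosts and CA names).
SAMPLE_RECORDS = [
    ("www.example.com", {"notAfter": "Nov 30 23:59:59 2012 GMT",
                         "issuer": ((("organizationName", "Example CA One"),),)}),
    ("api.example.com", {"notAfter": "Jan 15 12:00:00 2013 GMT",
                         "issuer": ((("organizationName", "Example CA One"),),)}),
    ("payments.example.com", {"notAfter": "Nov 21 00:00:00 2012 GMT",
                              "issuer": ((("organizationName", "Example CA Two"),),)}),
]
SAMPLE_NOW = datetime(2012, 11, 26, tzinfo=timezone.utc)  # Cyber Monday 2012

def sample_report():
    return triage(SAMPLE_RECORDS, SAMPLE_NOW)

if __name__ == "__main__":
    expiring, ca_counts = sample_report()
    for host, days, ca in expiring:
        print(f"{host}: {'EXPIRED' if days < 0 else 'expires in'} {abs(days)} days ({ca})")
    print("certificates per CA:", dict(ca_counts))
```

To run it against real hosts, replace `SAMPLE_RECORDS` with `[(h, fetch_cert(h)) for h in hosts]` and feed the result into `triage` with `datetime.now(timezone.utc)`.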
