Dark Reading is part of the Informa Tech Division of Informa PLC
Four SSL Certificate Management Tips For Holiday E-Commerce Success

Don't let CA compromises or expired SSL certificates break your Internet authentication processes

With Cyber Monday kicking off the first week of hot-and-heavy e-commerce action this holiday season, keeping consumers spending safely is a top-of-mind concern for most retailers. One of the keys to maintaining a smooth and secure customer experience is making sure that nothing "breaks" the process of SSL authentication.

Coming off a year full of certificate authority (CA) compromises, SSL certificate management is more important than ever. The following tips from authentication experts are important considerations for retailers and other organizations that depend on SSL to authenticate user communication and transactions.

1. Avoid Expiration At All Costs
Expiration of certificates is an important part of the security mechanism of certificates, says Jeff Hudson, CEO of Venafi. But it requires organizations to be on their toes to ensure that certificates remain current lest they interrupt the customer experience. At best, an expired certificate will send up an error message in shoppers' browsers, warning them that the trusted connection can no longer be validated. But in some scenarios, an expiration can shut a system down.

"When certificates are used in server-to-server communication, it's not like they pop up a dialogue box that says, 'This certificate has expired or is from an unknown party, would you like to proceed anyway?' When servers communicate with each other, they don't have that option," Hudson says. "If they don't get a correct response from a challenge, they stop working. And sometimes it is hard to tell they're not working. Last year, the Target RedCard system went down for eight hours because of an expired certificate."

2. Know Where Your Certificates Are
Many times the reason retail outfits and other large organizations allow certificate expiration dates to lapse without any action is that the people in charge of renewing had no clue the certificate existed in the first place.

Organizations with hundreds or thousands of certificates tend to fall down when they manage them all by spreadsheet and spread out the responsibility across server and website owners rather than centrally managing the task.

"The problem with a lot of larger operations is that they tend to manage certificates via spreadsheets, and that can create challenges," says Deena Thomchick, director of product marketing at Symantec.

According to Hudson, it is common for big retailers and other enterprises to not even know how many certificates they have in place.

"We recently walked into a very large retailer and asked them how many certificates they had. They told us 15,000," he says. "When we did a discovery, we determined that they had 30,000."

In order to get control of the situation, it might make sense to automate the discovery process, scan for certificates, and set up an automated way to renew certificates before expiration becomes a problem. Once that's done, it is easiest to centralize the whole process by developing infrastructure that allows a central administrator to handle all the certificates, authorizing issuance to individual business-unit or server owners as they request them. "You want a platform that can accommodate one administrator who oversees all of the different certificates but can also be distributed so that individuals who are responsible for individual servers can tap into a centralized system and make their request," Thomchick says.

3. Don't 'Train' Users To Proceed Past Certificate Errors
In an ideal world, organizations want to train their users to immediately stop a transaction or a communication when a certificate error pops up. That's why expiration is so brutal.

"Under normal practices, if your site admins fall asleep at the wheel and don't renew certificates in time every year, your users are going to get used to that, and when they visit your site they'll say, 'This happens all the time, I'm just going to click 'OK,'" says Nicholas Percoco, senior vice president at Trustwave's SpiderLabs. "So you don't want that to ever happen on your site." But there are other considerations you'll need to think about to keep users from thinking it is OK to trip merrily along past a certificate error. For example, Percoco warns against mixing content on your site.

"That means if you have an https connection, you shouldn't have content pulled in from other places that are on your domain that are sent only over http," he says. "You want to make sure that all pages are over SSL and are tested."

Similarly, make sure that all forms are submitted over SSL, so that if a customer clicks a "Contact Us" link in the middle of an e-commerce transaction, no error crops up in the process.
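The mixed-content check Percoco describes can be automated against a page's HTML before it ships. The following is an added example, not code from the article or any vendor quoted in it; the page URL, hostnames and HTML are constructed, and only the standard library is used.

```python
"""Flag mixed content and insecure form actions in an HTTPS page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose attribute fetches a subresource or submits data; an explicit
# http:// value on any of these triggers a browser mixed-content or insecure-form warning.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "source": "src", "video": "src", "audio": "src", "form": "action",
}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the HTTPS page,
        # so only references that really go out over plain http are reported.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, attr, absolute))

def find_mixed_content(page_url, html):
    """Return (tag, attribute, url) triples for every http:// subresource or form target."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample checkout page: two insecure references among safe ones.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.com/tracker.js"></script>
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="https://img.example.com/logo.png">
<form action="http://www.example.com/contact" method="post"></form>
<form action="/checkout" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content("https://www.example.com/checkout", SAMPLE_PAGE):
        print(f"insecure <{tag} {attr}>: {url}")
```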

4. Centralize Management, Diversify Certificate Authorities
While the centralization of certificate management should be a goal for any organization that has to keep track of a multitude of SSL certificates, diversity isn't necessarily a bad thing -- particularly when it comes to the certificate authorities that you use. After the recent issues certificate authorities have faced with compromises, it makes sense for organizations to hedge their bets and work with multiple CAs should future compromises occur.

"Companies have to use multiple CAs. Certificate authorities are a supplier of trust, so if one of them goes bad you can switch with another one," Hudson says.

But the only way to do that is if you are able to easily identify and organize your certificates.

"That way when one of them is compromised, then you'll be able to swap them out with noncompromised ones within a matter of hours, not days or weeks or months," Hudson says. "Imagine if you don't even know where they are installed on your network. How are you going to be able to swap them out then?"
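Tips 1, 2 and 4 come together in an inventory report: which certificates are expired or about to expire, and how many depend on each CA. The following is an added example, not code from the article or from Venafi, Symantec or Trustwave; the hostnames, dates and issuer names are constructed, the report consumes certificates in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and `fetch_cert` shows how a live endpoint would be added to the inventory.

```python
"""Certificate inventory report: expiry status and CA concentration (added example)."""
import socket
import ssl
from collections import Counter

def fetch_cert(host, port=443, timeout=5):
    """Retrieve the leaf certificate a live endpoint presents, in getpeercert() form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """Pull organizationName out of getpeercert()'s nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return "unknown"

def expiry_report(inventory, now, warn_days=30):
    """Classify each cert as expired / expiring / ok and count certs per issuing CA.

    inventory: {host: cert_dict}; now: epoch seconds, passed in for reproducible reports.
    """
    report = {"expired": [], "expiring": [], "ok": []}
    per_ca = Counter()
    for host, cert in sorted(inventory.items()):
        days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
        if days_left < 0:
            report["expired"].append(host)
        elif days_left < warn_days:
            report["expiring"].append(host)
        else:
            report["ok"].append(host)
        per_ca[issuer_org(cert)] += 1
    return report, per_ca

# Constructed inventory (not real hosts, certificates or CAs), in getpeercert() format.
SAMPLE_INVENTORY = {
    "shop.example.com": {"notAfter": "Dec 20 23:59:59 2012 GMT", "issuer": ((("organizationName", "CA One"),),)},
    "api.example.com": {"notAfter": "Nov 20 23:59:59 2012 GMT", "issuer": ((("organizationName", "CA One"),),)},
    "pay.example.com": {"notAfter": "Jun 30 23:59:59 2013 GMT", "issuer": ((("organizationName", "CA Two"),),)},
}
# Fixed "now" so the constructed dates classify deterministically.
SAMPLE_NOW = ssl.cert_time_to_seconds("Nov 26 00:00:00 2012 GMT")

if __name__ == "__main__":
    report, per_ca = expiry_report(SAMPLE_INVENTORY, SAMPLE_NOW)
    print(report)
    print("certificates per CA:", dict(per_ca))
```

A CA with a large share of the `per_ca` count is the one whose compromise would force the most swaps, which is the exposure Hudson's advice to use multiple CAs is meant to limit.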
