Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


02:00 PM
Chris Hickman
Chris Hickman
Connect Directly
E-Mail vvv

Proposed Browser Security Guidelines Would Mean More Work for IT Teams

CA/Browser Forum wants SSL certificates to expire after a year. Many businesses that rely on them aren't equipped to cope.

For years, Secure Sockets Layer (SSL) certificates — a digital tool used to allow secure web connections between a web server and web browser — has been a baseline for a business's digital trust. The padlock icon and https forward that appear in the address bar are an easy way for website visitors to gauge whether the site they're visiting is "trusted."

Behind the scenes, SSL certificates, issued by certification authorities and approved/rejected by the big browser manufacturers, are updated and replaced every two years to ensure the certificates remain secure. This cycling is a process designed to ensure certificate authenticity and keep certificates current. SSL certificates are just one of a number of public and private certificates that IT teams manage on behalf of their business — across websites, devices, and software.

At the enterprise level, certificate management can be overwhelming. Highly skilled public key infrastructure (PKI) staff spend considerable time locating, revoking, and reissuing rolling certificates. For most businesses, this effort is time consuming, expensive, and managed manually with scarce resources, making certificate management prone to errors. Our research shows that 71% of businesses don't even know how many certificates they have — leaving them ill-equipped to revoke and reissue at scale.

Founded in 2005, the CA/Browser Forum is a group of certification authorities and browser makers (such as Google, Safari, and Firefox) that work together to design processes that ultimately help make the Internet safer. In August, the Forum and its members announced a proposal to reduce the length of time that SSL/TLS certificates can be used to protect web servers. This has created considerable discussion about the benefits of shortened certificate lifetimes versus the additional management overhead required by users of these certificates to rotate them more frequently.

We know that many of the standards that govern IT, like those being recommended by the CA/Browser Forum, are often designed with good intentions; however, the operational effects can be considerable. If these new standards are adopted, organizations will be forced to rotate certificates every year rather than every two years (as is today's practice), resulting in higher labor costs required to manage certificates. Certificate management continues to be a manual process for most businesses; a shortened lifespan means IT teams will have to invest twice the amount of time to manage rolling certificates, which produces at least a 2X outage and configuration misstep risk.

Per the proposal, the new standards would be effective March 2020, which doesn't give businesses much time to pivot. Collectively, digitization means that most businesses today manage thousands of public and private certificates, across systems, software, and websites. Triple that estimate for larger enterprises. Manual management significantly raises the risks associated with outages and misconfigurations due to the implementation or replacement of expired certificates. The business and security risks produce greater likelihood of compromise, or a security event (such as the Equifax breach).

Regardless of the outcome around this proposal, IT teams should take the announcement as an opportunity to pause and evaluate their internal management processes to assess their crypto and certificate management capabilities across public and private certificates.

Leaders can start with four key areas to get ahead of future process changes and large-scale certification changes:

1. Run an inventory. Start by understanding your certificate landscape. Identify every certificate within the organization and use cryptographic parameters to understand where certs have been deployed and what assets they secure.

2. Develop a certificate life-cycle plan. Standardize certificates to ensure that common workflows are followed when certificates are deployed. Standardization addresses audit questions focused on asset custody and other downstream issues that could affect compliance.

3. Adopt IT automation technology. Traditional manual certificate management processes aren't equipped to revoke and reissue certificates at scale. Introducing a single, automated platform provides complete visibility to every certificate, simplifying identification and replacement. (Note: Keyfactor is one of a number of companies that does this.).

4. Embrace crypto agility. Build a certificate inventory and life-cycle workflows to establish your crypto strategy and framework.

Standards changes like these are intended to improve overall security hygiene while hardening every point of the IT infrastructure. Ultimately these types of changes will continue to emerge to match evolving cyber-risk. IT leaders can prepare by ensuring the adoption of a crypto-agile strategy. That strategy includes the adoption of automation tools and proper certificate management that secures foundational infrastructure components, providing teams with a PKI "easy button" that helps them reduce and manage their risks.

Foundationally, the CA/Browser Forum standards open the door to a larger discussion around PKI and digital identities, providing IT leaders and budget owners incentive to invest in automation tools that lessen the burden on their IT teams and, more importantly, their business's operational and security risk.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Security Pros' Painless Guide to Machine Intelligence, AI, ML & DL."

Chris Hickman is the chief security officer at Keyfactor, a leading provider of secure digital identity management solutions. As a member of the senior management team, Chris is responsible for establishing and maintaining Keyfactor's leadership position as a world-class ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...