Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

9/11/2019
02:00 PM
Chris Hickman
Chris Hickman
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Proposed Browser Security Guidelines Would Mean More Work for IT Teams

CA/Browser Forum wants SSL certificates to expire after a year. Many businesses that rely on them aren't equipped to cope.

For years, Secure Sockets Layer (SSL) certificates — a digital tool used to allow secure web connections between a web server and web browser — has been a baseline for a business's digital trust. The padlock icon and https forward that appear in the address bar are an easy way for website visitors to gauge whether the site they're visiting is "trusted."

Behind the scenes, SSL certificates, issued by certification authorities and approved/rejected by the big browser manufacturers, are updated and replaced every two years to ensure the certificates remain secure. This cycling is a process designed to ensure certificate authenticity and keep certificates current. SSL certificates are just one of a number of public and private certificates that IT teams manage on behalf of their business — across websites, devices, and software.

At the enterprise level, certificate management can be overwhelming. Highly skilled public key infrastructure (PKI) staff spend considerable time locating, revoking, and reissuing rolling certificates. For most businesses, this effort is time consuming, expensive, and managed manually with scarce resources, making certificate management prone to errors. Our research shows that 71% of businesses don't even know how many certificates they have — leaving them ill-equipped to revoke and reissue at scale.

Founded in 2005, the CA/Browser Forum is a group of certification authorities and browser makers (such as Google, Safari, and Firefox) that work together to design processes that ultimately help make the Internet safer. In August, the Forum and its members announced a proposal to reduce the length of time that SSL/TLS certificates can be used to protect web servers. This has created considerable discussion about the benefits of shortened certificate lifetimes versus the additional management overhead required by users of these certificates to rotate them more frequently.

We know that many of the standards that govern IT, like those being recommended by the CA/Browser Forum, are often designed with good intentions; however, the operational effects can be considerable. If these new standards are adopted, organizations will be forced to rotate certificates every year rather than every two years (as is today's practice), resulting in higher labor costs required to manage certificates. Certificate management continues to be a manual process for most businesses; a shortened lifespan means IT teams will have to invest twice the amount of time to manage rolling certificates, which produces at least a 2X outage and configuration misstep risk.

Per the proposal, the new standards would be effective March 2020, which doesn't give businesses much time to pivot. Collectively, digitization means that most businesses today manage thousands of public and private certificates, across systems, software, and websites. Triple that estimate for larger enterprises. Manual management significantly raises the risks associated with outages and misconfigurations due to the implementation or replacement of expired certificates. The business and security risks produce greater likelihood of compromise, or a security event (such as the Equifax breach).

Regardless of the outcome around this proposal, IT teams should take the announcement as an opportunity to pause and evaluate their internal management processes to assess their crypto and certificate management capabilities across public and private certificates.

Leaders can start with four key areas to get ahead of future process changes and large-scale certification changes:

1. Run an inventory. Start by understanding your certificate landscape. Identify every certificate within the organization and use cryptographic parameters to understand where certs have been deployed and what assets they secure.

2. Develop a certificate life-cycle plan. Standardize certificates to ensure that common workflows are followed when certificates are deployed. Standardization addresses audit questions focused on asset custody and other downstream issues that could affect compliance.

3. Adopt IT automation technology. Traditional manual certificate management processes aren't equipped to revoke and reissue certificates at scale. Introducing a single, automated platform provides complete visibility to every certificate, simplifying identification and replacement. (Note: Keyfactor is one of a number of companies that does this.).

4. Embrace crypto agility. Build a certificate inventory and life-cycle workflows to establish your crypto strategy and framework.

Standards changes like these are intended to improve overall security hygiene while hardening every point of the IT infrastructure. Ultimately these types of changes will continue to emerge to match evolving cyber-risk. IT leaders can prepare by ensuring the adoption of a crypto-agile strategy. That strategy includes the adoption of automation tools and proper certificate management that secures foundational infrastructure components, providing teams with a PKI "easy button" that helps them reduce and manage their risks.

Foundationally, the CA/Browser Forum standards open the door to a larger discussion around PKI and digital identities, providing IT leaders and budget owners incentive to invest in automation tools that lessen the burden on their IT teams and, more importantly, their business's operational and security risk.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Security Pros' Painless Guide to Machine Intelligence, AI, ML & DL."

Chris Hickman is the chief security officer at Keyfactor, a leading provider of secure digital identity management solutions. As a member of the senior management team, Chris is responsible for establishing and maintaining Keyfactor's leadership position as a world-class ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.