Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


02:00 PM
Chris Hickman
Chris Hickman
Connect Directly
E-Mail vvv

Proposed Browser Security Guidelines Would Mean More Work for IT Teams

CA/Browser Forum wants SSL certificates to expire after a year. Many businesses that rely on them aren't equipped to cope.

For years, Secure Sockets Layer (SSL) certificates — a digital tool used to allow secure web connections between a web server and web browser — has been a baseline for a business's digital trust. The padlock icon and https forward that appear in the address bar are an easy way for website visitors to gauge whether the site they're visiting is "trusted."

Behind the scenes, SSL certificates, issued by certification authorities and approved/rejected by the big browser manufacturers, are updated and replaced every two years to ensure the certificates remain secure. This cycling is a process designed to ensure certificate authenticity and keep certificates current. SSL certificates are just one of a number of public and private certificates that IT teams manage on behalf of their business — across websites, devices, and software.

At the enterprise level, certificate management can be overwhelming. Highly skilled public key infrastructure (PKI) staff spend considerable time locating, revoking, and reissuing rolling certificates. For most businesses, this effort is time consuming, expensive, and managed manually with scarce resources, making certificate management prone to errors. Our research shows that 71% of businesses don't even know how many certificates they have — leaving them ill-equipped to revoke and reissue at scale.

Founded in 2005, the CA/Browser Forum is a group of certification authorities and browser makers (such as Google, Safari, and Firefox) that work together to design processes that ultimately help make the Internet safer. In August, the Forum and its members announced a proposal to reduce the length of time that SSL/TLS certificates can be used to protect web servers. This has created considerable discussion about the benefits of shortened certificate lifetimes versus the additional management overhead required by users of these certificates to rotate them more frequently.

We know that many of the standards that govern IT, like those being recommended by the CA/Browser Forum, are often designed with good intentions; however, the operational effects can be considerable. If these new standards are adopted, organizations will be forced to rotate certificates every year rather than every two years (as is today's practice), resulting in higher labor costs required to manage certificates. Certificate management continues to be a manual process for most businesses; a shortened lifespan means IT teams will have to invest twice the amount of time to manage rolling certificates, which produces at least a 2X outage and configuration misstep risk.

Per the proposal, the new standards would be effective March 2020, which doesn't give businesses much time to pivot. Collectively, digitization means that most businesses today manage thousands of public and private certificates, across systems, software, and websites. Triple that estimate for larger enterprises. Manual management significantly raises the risks associated with outages and misconfigurations due to the implementation or replacement of expired certificates. The business and security risks produce greater likelihood of compromise, or a security event (such as the Equifax breach).

Regardless of the outcome around this proposal, IT teams should take the announcement as an opportunity to pause and evaluate their internal management processes to assess their crypto and certificate management capabilities across public and private certificates.

Leaders can start with four key areas to get ahead of future process changes and large-scale certification changes:

1. Run an inventory. Start by understanding your certificate landscape. Identify every certificate within the organization and use cryptographic parameters to understand where certs have been deployed and what assets they secure.

2. Develop a certificate life-cycle plan. Standardize certificates to ensure that common workflows are followed when certificates are deployed. Standardization addresses audit questions focused on asset custody and other downstream issues that could affect compliance.

3. Adopt IT automation technology. Traditional manual certificate management processes aren't equipped to revoke and reissue certificates at scale. Introducing a single, automated platform provides complete visibility to every certificate, simplifying identification and replacement. (Note: Keyfactor is one of a number of companies that does this.).

4. Embrace crypto agility. Build a certificate inventory and life-cycle workflows to establish your crypto strategy and framework.

Standards changes like these are intended to improve overall security hygiene while hardening every point of the IT infrastructure. Ultimately these types of changes will continue to emerge to match evolving cyber-risk. IT leaders can prepare by ensuring the adoption of a crypto-agile strategy. That strategy includes the adoption of automation tools and proper certificate management that secures foundational infrastructure components, providing teams with a PKI "easy button" that helps them reduce and manage their risks.

Foundationally, the CA/Browser Forum standards open the door to a larger discussion around PKI and digital identities, providing IT leaders and budget owners incentive to invest in automation tools that lessen the burden on their IT teams and, more importantly, their business's operational and security risk.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Security Pros' Painless Guide to Machine Intelligence, AI, ML & DL."

Chris Hickman is the chief security officer at Keyfactor, a leading provider of secure digital identity management solutions. As a member of the senior management team, Chris is responsible for establishing and maintaining Keyfactor's leadership position as a world-class ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
What the FedEx Logo Taught Me About Cybersecurity
Matt Shea, Head of Federal @ MixMode,  6/4/2021
A View From Inside a Deception
Sara Peters, Senior Editor at Dark Reading,  6/2/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-12
Receita Federal IRPF 2021 1.7 allows a man-in-the-middle attack against the update feature.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-16 package apport hooks, it could expose private data to other local users.
PUBLISHED: 2021-06-12
It was discovered that read_file() in apport/hookutils.py would follow symbolic links or open FIFOs. When this function is used by the openjdk-17 package apport hooks, it could expose private data to other local users.