Security pros failing to check rampant misuse of digital certificates

News by Tom Reeve

While acknowledging threats from digital certificates, many security professionals are failing to get to grips with the problem, claims Venafi in a new report.

Despite knowing the risks, IT security professionals aren't doing anything about the rampant misuse of keys and certificates, let alone the problem of untrusted certificate authorities.

That's the message of Venafi's latest report, based on a survey of professionals at Black Hat USA 2015.

Venafi found worrying deficiencies in awareness and in the ability to respond to attacks that use certificates in its survey of 300 delegates at the annual conference, which was held in Las Vegas from 1 to 6 August.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said that the most worrying aspect of the survey was that only a few of those surveyed appreciated the level of risk around certificate authorities, the bodies responsible for issuing and verifying the authenticity of digital certificates.

Asked if they were concerned that a certificate authority (CA) would be breached in the near future, 90 percent of delegates said yes. But when it came to how they would respond to such a breach, it was revealed that 74 percent took no action following the news in April that the official Chinese government CA, CNNIC, was no longer trusted by Google and Mozilla due to untrustworthy certificate issuance practices.

CNNIC and MCS Holdings, to which it had delegated the authority to issue certificates, protested their innocence, but Bocek feels that IT professionals should have responded by removing CNNIC from their whitelist of trusted CAs, something which only 26 percent of those surveyed did.

In another disturbing finding of the survey, it came to light that 63 percent of the people surveyed wrongly believed that CAs secure certificates and cryptographic keys, rather than simply issuing certificates and authenticating them upon request.

The problem of untrustworthy certificates has come to the fore recently with demonstrations of what happens when certificates go wrong. GM's OnStar RemoteLink system, for instance, required a certificate but would always report it as valid, leading Bocek to comment that many of the new players in the IT industry, who are rapidly embedding network capabilities in their devices, don't even understand how to authenticate a certificate.

And in another incident, the Dutch government was unable to secure its website when the CA, DigiNotar, was breached.

Despite high profile breaches of CAs, only a quarter of IT professionals appear to be taking steps to mitigate the impact while the rest “continue to trust CAs blindly that pose a great threat to their organisation and can steal sensitive information,” Bocek said.

Meanwhile, Bocek said, “The bad guys are trained to think, how can we use something you trust against you?”

So, overall the results of the survey didn't surprise him, he added. “It's about what we expected,” he said. “When I work with security professionals, I'm constantly reminded that there's a lot they have to deal with, but there's no doubt that certificates are increasingly important.”

One of the key steps to getting to grips with digital certificates in your organisation is understanding which CAs have issued your thousands of certificates. Bocek said that many organisations mistakenly think they only use a couple of CAs but in truth it's usually in the dozens.

When a CA is discovered to be untrustworthy, the first step should be to remove that CA from the list of trusted CAs on browsers and network appliances. You should also have a process in place for migrating certificates from untrusted to trusted CAs.
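The two steps above, an inventory of which CAs issued your certificates and then dropping a distrusted CA from the trust list, as an added Go example that is not code from the article or from Venafi: it builds a constructed sample PKI (throwaway Ed25519 keys, made-up CA and host names), counts certificates per issuer, and shows that a certificate only chains while its issuing CA is still in the trust list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCert returns a self-signed CA when parent is nil, otherwise a leaf signed by parent.
// Constructed sample PKI only: throwaway Ed25519 keys and clock-based serial numbers.
func issueCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // no parent: this is a CA signing itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // parse back so Issuer/Subject are as encoded
	return cert, key, err
}

// IssuerInventory counts certificates per issuing CA: the "which CAs do we really depend on?" step.
func IssuerInventory(certs ...*x509.Certificate) map[string]int {
	inv := map[string]int{}
	for _, c := range certs {
		inv[c.Issuer.CommonName]++
	}
	return inv
}

// Verifies reports whether leaf chains to one of roots; leaving a CA out of roots is the
// "remove it from the trusted list" step, after which everything it issued stops verifying.
func Verifies(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool() // an empty, non-nil pool trusts nothing (nil would mean system roots)
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}
```

Running the same inventory over real PEM files would use x509.ParseCertificate on each decoded block and group by Issuer exactly as above; the Verifies check is what a browser or appliance does when a root is removed from its store.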

The issue of certificates is only growing in importance as more and more websites begin using SSL/TLS encryption as standard. “Five years ago these issues weren't even on the radar,” Bocek said. “So the question becomes, what are you going to do about it now?”

It's also essential to implement a compromise recovery plan and then spend time on developing it, he added.
