Attacks within the certificate infrastructure are due to mismanagement rather than attacks on certificate authorities (CAs).
Speaking at the Infosecurity Europe 2013 press conference in London, Calum MacLeod, EMEA director of Venafi, said that organisations manage keys and certificates so poorly that they do not know how many certificates, SSL certificates in particular, they hold.
MacLeod said: “Forget keys and certificates, this has become the prime component of every piece of malware and anti-virus is no longer able to tackle this. Anti-virus is no longer able to help address this problem, and the market for stolen certificates is $5 billion.”
He asked why, with over 1,600 CAs issuing certificates, one CA should be trusted over another. “The problem is not with the technology, it is the mismanagement of the technology. For all we hear about, there is a lot more we don't hear about,” he said.
“Companies switch on SSL by default, but users don't manage it, so it is difficult to control. By signing malware with digital certificates, there is a greater chance of success. As part of your security strategy you need to protect yourself; a firewall is there to block a connection, but now malware is there, so [you] need to protect against digitally signed malware.”
He said that hackers attack at the weakest point, which is now certificates, and that certificates have financial value, yet many organisations have no idea where their SSL certificates are.
He said: “Not a single one can tell you where they are. It is black magic, it is weird so don't do it. There can be weak points such as infrastructure or certificates – also CAs are unregulated and you don't know which [company is] issuing the certificates. You can talk to anyone, they don't know how many they have got or when they expire. What length of encryption key is being used? Anything less than 2,048 bits is hackable.”
MacLeod claimed that businesses need to take responsibility: there is no need to trust all 1,600 CAs globally, but you do need to trust your own infrastructure. “If you don't use them, you don't need to trust them, so narrow down to a few. We build defences and those that attack us find the back doors and if we don't respond, they just walk in,” he said.
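As an added example (not code from the article or from Venafi), the check below turns the three points MacLeod raises into a certificate inventory audit in Go: whether each certificate has expired or is about to, whether its RSA key is shorter than 2,048 bits, and whether its issuer is on the organisation's own short allowlist of CAs. The two sample certificates, their names and the allowlist are constructed for the demo; a real run would parse PEM files gathered from the organisation's servers.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCert reports the problems the article names: expired or expiring within warnDays, RSA key under 2048 bits, issuer not on the allowlist.
func AuditCert(c *x509.Certificate, now time.Time, warnDays int, trusted map[string]bool) []string {
	var out []string
	cn := c.Subject.CommonName
	if c.NotAfter.Before(now.AddDate(0, 0, warnDays)) {
		out = append(out, cn+": expired or expiring on "+c.NotAfter.Format("2006-01-02"))
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		out = append(out, fmt.Sprintf("%s: weak RSA key (%d bits)", cn, pub.N.BitLen()))
	}
	if !trusted[c.Issuer.CommonName] {
		out = append(out, cn+": issuer not on allowlist: "+c.Issuer.CommonName)
	}
	return out
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// selfSigned builds a constructed sample certificate; a real inventory would parse collected PEM files instead.
func selfSigned(cn string, bits int, notAfter time.Time) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-3, 0, 0), NotAfter: notAfter}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() { // audits two constructed certificates against a hypothetical allowlist
	now, trusted := time.Now(), map[string]bool{"Example Internal CA": true}
	for _, c := range []*x509.Certificate{selfSigned("Example Internal CA", 2048, now.AddDate(2, 0, 0)),
		selfSigned("legacy.example.test", 1024, now.AddDate(0, 0, 10))} {
		fmt.Println(AuditCert(c, now, 30, trusted))
	}
}
```

The second certificate trips all three checks (expiring in 10 days, 1,024-bit key, self-issued by a name outside the allowlist); the first, issued by the allowlisted CA with a 2,048-bit key and two years of validity, produces no findings.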
Asked by SC Magazine whether he felt that the DigiNotar incident was a watershed moment for CA security, he said that it was the first instance of a CA being out of control, but that before it there had been the VeriSign and Comodo incidents, and with Stuxnet there was the question of a stolen certificate. He said: “DigiNotar raised the issue of the problem. Like insurance, it takes one thing to realise it is a serious issue.”