Marty Milbert at Venafi looks into what happens when a certificate authority is compromised, and discusses how machine-to-machine connections can become victims of risk when organisations fail to understand machine identities.
Today there are more than 350 million internet domains and over 1.8 billion websites. By 2025, analysts believe there could also be 41.6 billion IoT devices, all connected to the internet. Each and every one of these machines – websites, applications and IoT devices – has an individual identity, or ‘machine identity’, which is verified using digital keys and certificates and forms the basis of trust on the internet. For example, website communications are secured using TLS/HTTPS to establish trust for domain names and authenticate them server side.
Each machine identity is signed by a Certificate Authority (CA) and is only valid for a specific duration. However, sometimes these identities will need to be revoked well before their renewal date. While this is still rare there are a number of scenarios where a certificate will be revoked; from a vulnerability being discovered, to human error or a CA being compromised or attacked by a malicious actor. If a CA is compromised this can result in the issuance of rogue certificates or valid certificates ending up in the hands of the bad guys.
The cyber security consequences of compromise
Certificate authority compromises can have devastating impacts as forged or fraudulent certificates can allow attackers to perform man-in-the-middle (MiTM) attacks to eavesdrop on private communications. The impacts can also be much more damaging if intermediate certificates are misused, as they can allow attackers to act as their own certificate authority and issue fraudulent certificates for virtually any site.
These are not new problems and have repeatedly occurred throughout the last decade. One of the most well-known is the DigiNotar hack in 2011, in which an intruder was able to gain access to all eight of DigiNotar’s certificate-issuing servers and tricked its systems into issuing more than 500 fraudulent certificates for companies including Google and Mozilla. This enabled the attackers to launch a large-scale man-in-the-middle attack against Gmail users in Iran using a valid wildcard certificate.
Since 2011, there has been at least a further 15 publicly known certificate authority errors. Most notably, in 2018, Symantec, after a series of failures (including allowing unauthorised access to CA resources and a lack of audits) was distrusted by Google. This meant that sites with Symantec’s certificates would no longer be accessible on Chrome. Then, just this year, DigiCert had to revoke 50,000 certificates due to an internal process error.
When CAs are compromised like this a fast response time from an impacted enterprise is critical, as the slower the response the more potential damage to an organisation. Furthermore, the CA itself will revoke impacted certificates meaning they will no longer work, typically within a matter of days. Enterprises are notified of revocation through their certificate authority dashboard and then need to identify where these certificates have been used and replace accordingly. Many companies still opt to manage this manually, yet in the time available this is an almost impossible task; on average, companies have more than 57,000 TLS machine identities they aren’t even aware of. So, just tracking down where the certificate was used and how many times can be time consuming and bulk replacement is unfeasible.
How can organisations mitigate the cyber risk?
CA compromises are not going away, and organisations are continuing to see an explosive growth of machines as well as an increased reliance on encryption. To cope with the increasing volume of machine identities, organisations need an automated machine identity management solution in place so they can have full visibility into their certificates. This solution should involve automating the rotation, replacement and revocation of all machine identities and enforcing consistent security policies across all CAs.
Browsers are also taking action help prevent the damage that can be caused by a CA compromise. Most recently by reducing certificate lifetimes to 398 days on September 1st, 2020, from the previous 825 days. This move was led by Apple to help improve the security of the certificate ecosystem. However, if organisations don’t manage their machine identities effectively and lack the automation capabilities necessary to replace certificates with short lifespans at machine scale and speed, they are likely to see sharp increases in outages caused by unexpected certificate expirations, which can shut down business critical processes.
Organisations must be proactive in their management of machine identities so that they can quickly switch out certificates, or certificate authorities entirely in the face of a compromise.
Marty Milbert is Senior Director, Global Security Architects at Venafi.
Main image courtesy of iStockPhoto