A Venafi Inc. survey conducted at the Black Hat conference in Las Vegas in August has uncovered a potentially troubling lack of understanding of cybersecurity risks around certificate authorities and IT professionals being unprepared for a breach of a major certificate authority.
Certificate authorities (CAs) issue the digital certificates that the SSL/TLS protocols rely on to provide authentication and encryption in secure information exchanges. But trust in CAs has been shaken by abuse involving fraudulent certificates, such as the incidents that recently led Google and Mozilla to revoke trust in certain Chinese TLS certificates.
Venafi surveyed over 300 IT professionals at Black Hat and found that 90% of respondents expect a major CA to be breached within the next two years. Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, based in Salt Lake City, said the expectation of a breach became more surprising when combined with other findings.
"If you think that 90% say a major CA will be compromised, you'd expect that they would then look to another authority in case of a breach," Bocek said. "What the respondents said was that, on median, you've got three certificate authorities trusted on your iOS device. The current Apple list is over 240. So, that shows a huge disparity in knowledge of how many certificate authorities there are in the world, and, of course, if there were only three that would be a huge, huge concentrated risk."
Bocek said if IT pros expect a breach and think there are so few CAs, that would mean the damage of a breach would be much worse. But Venafi found that 6% would continue using the compromised certificates, and 24% of respondents didn't know what the plan to deal with a compromised CA would be.
Part of the problem, Bocek said, was that although most professionals -- 72% -- understood the cybersecurity risks of a CA breach, including man-in-the-middle attacks and replay attacks, Venafi also found that only 37% of respondents understood that certificate authorities cannot protect organizations from theft or forgery of digital certificates.
"This tells me that if that many people think we're going to have a CA compromise," Bocek said, "and if there was this uncertainty over response, but yet people get the risk, we probably then need to work on what we do as an industry when there is a breach with a certificate authority that we don't have a direct relationship with."
Bocek said there needs to be more education around security options, such as certificate pinning, because he believes the future will inevitably include more encryption and more certificates.
"If everyone used certificate pinning, that would lead to much less risk," Bocek said. "But, then also how do you respond and make decisions about what is trusted in browsers or operating systems that can be done more on scale?"
Bocek said that while there are more and more CAs in the world, there is still confusion over what exactly they can and can't do in terms of security.
"The goal of certificate authorities is to make sure they issue certificates to the right organization," Bocek said. "CAs can stop fraud on day zero when the certificate is issued, but once you get to day 57 and the certificate is in your hands, you are the one who is responsible. And, more often than not, that's when we see cybercriminals take actions to steal a certificate and later misuse it."
Bocek said there are proposals, such as Google's Certificate Transparency initiative, which calls for better monitoring and logging of certificates in order to help detect and respond to problems with certificate theft or forgeries, as well as CAs whose issuing policies have been abused. But right now, those initiatives only help with the "day zero" problems, not the "day 57" problems.
"There is a lot of data out there, so we know where certificates are supposed to be, but some servers aren't pinning," Bocek said. "Well, we know what certificates have been issued to what servers and so certificate reputation -- one of the benefits Certificate Transparency provides -- can be like pinning without the certificate actually being pinned. Certificate reputations being fed by Certificate Transparency and other sources could be one way to mitigate those risks."
Unfortunately, while Certificate Transparency could lead to new ways to automate pinning and make CA security more widespread, the technology isn't quite there yet.
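To make the "certificate reputation" idea above concrete, here is a small, added example (not code from the article, from Venafi or from the Certificate Transparency project) of what a defender does with CT data: compare every logged certificate that covers a name you own against an inventory of the CAs you actually use and the public keys you actually deployed, and keep a pre-computed answer to "which of our names break if this CA is distrusted?" for the incident plan that 24% of respondents lacked. All names, CA names, log entries and SPKI byte strings are constructed stand-ins; the SPKI-pin format (base64 of a SHA-256 over the SubjectPublicKeyInfo) is the one HPKP and most pinning libraries use.

```python
"""Constructed CT-log audit and CA-distrust impact check (added example)."""
import base64
import hashlib
from dataclasses import dataclass


def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo DER)), the usual pinning shape.
    In this example the 'DER' values are constructed stand-in byte strings."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


# Constructed keys the imaginary organisation has really deployed.
KEY_WWW = b"constructed-spki-www-example-com"
KEY_API = b"constructed-spki-api-example-com"

# Inventory: for each owned name, the CAs allowed to issue for it and the
# pins of the keys currently in service. This is the "where certificates are
# supposed to be" data that reputation checks need.
INVENTORY = {
    "www.example.com": {"issuers": {"Example CA 1"}, "pins": {spki_pin(KEY_WWW)}},
    "api.example.com": {"issuers": {"Example CA 1", "Example CA 2"},
                        "pins": {spki_pin(KEY_API)}},
}


@dataclass(frozen=True)
class CtEntry:
    """One logged certificate, reduced to the fields the audit needs."""
    log: str          # which CT log the entry came from
    issuer: str       # issuing CA (constructed name)
    names: tuple      # DNS names in the certificate (subject + SANs)
    spki_der: bytes   # constructed SubjectPublicKeyInfo bytes


def cert_name_covers(cert_name: str, owned: str) -> bool:
    """True if a certificate name covers `owned`; a leading '*.' wildcard
    matches exactly one label, as browsers treat it."""
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                       # ".example.com"
        return owned.endswith(suffix) and "." not in owned[: -len(suffix)]
    return cert_name == owned


def audit_ct_entries(entries, inventory=INVENTORY):
    """Flag logged certificates for owned names that were not issued as expected.
    'unexpected_issuer': a CA we never use issued for our name (possible
                         mis-issuance, the 'day zero' problem CT is built for).
    'unrequested_key':   one of our CAs issued, but for a key we never deployed,
                         i.e. a request we did not make."""
    findings = []
    for entry in entries:
        for owned, policy in inventory.items():
            if not any(cert_name_covers(n, owned) for n in entry.names):
                continue                             # not our name, ignore
            finding = {"name": owned, "issuer": entry.issuer, "log": entry.log}
            if entry.issuer not in policy["issuers"]:
                findings.append({**finding, "kind": "unexpected_issuer"})
            elif spki_pin(entry.spki_der) not in policy["pins"]:
                findings.append({**finding, "kind": "unrequested_key"})
    return findings


def ca_compromise_impact(ca_name, inventory=INVENTORY):
    """Owned names whose chains would fail if `ca_name` were removed from trust
    stores: the re-issuance list a CA-breach plan should hold in advance."""
    return sorted(n for n, p in inventory.items() if ca_name in p["issuers"])


# Constructed log entries: two legitimate, one from a CA we never use (covering
# both names via a wildcard), one from our CA for an unknown key, one not ours.
SAMPLE_ENTRIES = (
    CtEntry("log-a", "Example CA 1", ("www.example.com",), KEY_WWW),
    CtEntry("log-a", "Example CA 2", ("api.example.com",), KEY_API),
    CtEntry("log-b", "Unrelated CA", ("*.example.com",), b"constructed-foreign-key"),
    CtEntry("log-b", "Example CA 1", ("api.example.com",), b"constructed-unknown-key"),
    CtEntry("log-a", "Example CA 1", ("www.other.example",), b"constructed-not-ours"),
)

if __name__ == "__main__":
    for f in audit_ct_entries(SAMPLE_ENTRIES):
        print(f"{f['kind']:18} {f['name']:18} issuer={f['issuer']!r} log={f['log']}")
    print("distrust 'Example CA 1' breaks:", ca_compromise_impact("Example CA 1"))
```

The audit only sees what CT sees: a new certificate being logged. It catches mis-issuance and unrequested issuance on day zero, which is exactly the limit Bocek describes; a certificate and key stolen from a server on day 57 produce no new log entry and would have to be caught by inventory and key-rotation controls instead.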
Michael Cobb, CISSP-ISSAP and renowned security author, said this is a troubling time in which it is understood that CAs need better security controls, but there is no consensus on how to make those improvements a reality.
"The internet as a whole is fast becoming aware that certificate authorities and the Internet's reliance on the traditional certificates they issue is not a foolproof approach," Cobb said. "I think that we need the initiatives to improve things like certificate pinning. Unfortunately, I haven't seen anything yet that is the perfect answer."
According to Cobb, the issue right now is that there are too many players pushing their own ways to solve the problem, but none of them are being implemented across the board. He likened it to the VHS and Betamax battle, where it may not be the best product that wins, but the option that is marketed the best.
"People are finally realizing that it is broken, but they have been a bit wrong-footed on how to best try and fix it. None of these things are enforceable, and it takes a long time to become the default deployment of a particular approach to security," Cobb said. "I find it frustrating that there isn't a bit more coordination. It's no good having 80% covered and the other 20% aren't. Unless it is across the board, it's not going to be the perfect solution."