Venafi praises industry players on their handling of the latest CA security issues
November 2011 by Venafi
Commenting on reports that Microsoft and Mozilla have withdrawn trust in Digicert Malaysia, Venafi praised both companies for their prompt action, and added that lessons have clearly been learned from previous certificate authority (CA) compromises and security management failures.
According to Jeff Hudson, CEO of enterprise key and certificate management (EKCM) specialist Venafi, while the move by the two IT majors has been prompt, it has still not stopped certificates from the Malaysian intermediate CA (not to be confused with DigiCert in the US) from reportedly being used to sign malware as part of a spear phishing attack against another Asian certificate authority (http://bit.ly/tyXMzw).
"Never in the history of the security industry has something that’s happened once not happened again. With Digicert Malaysia joining the ranks of other CA failures, businesses and browser manufacturers alike need to move past the shock and begin formulating recovery and business continuity plans. There will be more CA breaches in the future, and more users, companies and government agencies will be impacted if the affected organizations don’t have actionable recovery plans in place," Hudson said. "The fact is that CAs are a very juicy, high-value target."
"It’s very easy to be critical of the Malaysian intermediate CA, but we don’t know the full facts surrounding the case, and until we do, I don’t think it is fair to speculate on the reasons - and possible failures - surrounding this latest CA problem. However, in spite of prompt action by Firefox and Microsoft, the challenge of ensuring that the Malaysian CA is now removed from all trust stores is going to be very time-consuming and troublesome without effective certificate management tools," he added.
The Venafi CEO went on to say that revocation was inevitable after it was discovered that the Digicert Malaysia CA had apparently issued 22 certificates with weak, worst-practice 512-bit encryption keys, as well as missing certificate extensions and revocation information. "In their case, they were not following industry best practices around acceptable encryption key strengths," he said. "Without an automated platform and discovery engine, it will be very difficult for organizations to locate and replace all the affected Digicert Malaysia certificates."
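The two defects Hudson describes, undersized keys and certificates that carry no revocation pointers, are mechanically checkable, and so is the discovery problem of finding every such certificate in a store. The script below is an added example for this article, not Venafi's product or code, and it does not touch any Digicert Malaysia certificate: it builds a constructed toy certificate inline (a syntactically valid X.509 v3 structure with a fake modulus and a dummy signature), walks its DER with a minimal standard-library parser, and flags an RSA modulus below an assumed policy minimum of 2048 bits, a missing CRL Distribution Points extension, and a missing Authority Information Access (OCSP) extension. The OIDs are the real RFC 5280 / PKCS#1 values; the threshold, the `example.test` name and the helper names are this example's own choices. A production audit would use a full X.509 parser rather than this minimal walker, but the policy logic is the same.

```python
import base64
import re

OID_RSA = "1.2.840.113549.1.1.1"          # rsaEncryption (PKCS#1)
OID_SHA256_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption
OID_CN = "2.5.4.3"                        # commonName
OID_CRL_DP = "2.5.29.31"                  # CRL Distribution Points (RFC 5280)
OID_AIA = "1.3.6.1.5.5.7.1.1"             # Authority Information Access: OCSP / CA issuers

def tlv(tag, body):
    """Encode one DER TLV, using long-form length above 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # keeps a leading 0x00 when the high bit is set

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                                    # base-128 arcs, high bit marks continuation
        chunk = bytearray([a & 0x7F])
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return bytes(out)

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def children(body):
    """Split a DER constructed body into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                                 # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def build_toy_cert(modulus_bits, with_revocation_info):
    """Constructed sample: a syntactically valid v3 certificate with a fake modulus and a dummy signature."""
    modulus = (1 << (modulus_bits - 1)) | 1               # not a real key, only the requested bit length
    rsa_key = tlv(0x30, der_int(modulus) + der_int(65537))
    alg_rsa = tlv(0x30, tlv(0x06, encode_oid(OID_RSA)) + b"\x05\x00")
    spki = tlv(0x30, alg_rsa + tlv(0x03, b"\x00" + rsa_key))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(OID_CN)) + tlv(0x0C, b"example.test"))))
    validity = tlv(0x30, tlv(0x17, b"111101000000Z") + tlv(0x17, b"121101000000Z"))
    sig_alg = tlv(0x30, tlv(0x06, encode_oid(OID_SHA256_RSA)) + b"\x05\x00")
    exts = b""
    if with_revocation_info:                              # placeholder extnValue; the audit keys on the OIDs
        for oid in (OID_CRL_DP, OID_AIA):
            exts += tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x04, b"\x30\x00"))
    tbs = tlv(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki
    tbs += tlv(0xA3, tlv(0x30, exts)) if exts else b""
    return tlv(0x30, tlv(0x30, tbs) + sig_alg + tlv(0x03, b"\x00" * 9))

def audit_certificate(der, min_bits=2048):
    """Return RSA key size, extension OIDs and policy findings for one DER certificate."""
    tbs = children(children(der)[0][1])[0][1]
    key_bits, ext_oids = None, set()
    for tag, body in children(tbs):
        if tag == 0x30:                                   # SubjectPublicKeyInfo is SEQ{AlgorithmIdentifier, BIT STRING}
            kids = children(body)
            if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
                alg = children(kids[0][1])
                if alg and alg[0][0] == 0x06 and decode_oid(alg[0][1]) == OID_RSA:
                    rsa_seq = children(kids[1][1][1:])[0][1]   # skip the BIT STRING unused-bits byte
                    key_bits = int.from_bytes(children(rsa_seq)[0][1], "big").bit_length()
        elif tag == 0xA3:                                 # [3] EXPLICIT Extensions
            for _, ext in children(children(body)[0][1]):
                ext_oids.add(decode_oid(children(ext)[0][1]))
    checks = [
        (key_bits is None, "no RSA public key found"),
        (key_bits is not None and key_bits < min_bits, f"RSA key is {key_bits} bits, below the {min_bits}-bit policy minimum"),
        (OID_CRL_DP not in ext_oids, "no CRL Distribution Points extension"),
        (OID_AIA not in ext_oids, "no Authority Information Access extension (no OCSP pointer)"),
    ]
    return {"key_bits": key_bits, "extensions": sorted(ext_oids), "findings": [msg for bad, msg in checks if bad]}

def audit_pem_bundle(pem_text, min_bits=2048):
    """Discovery pass over a PEM bundle: audit every certificate found in it."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [audit_certificate(base64.b64decode("".join(b.split())), min_bits) for b in blocks]

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"
```

Feeding `audit_pem_bundle` a bundle made of `to_pem(build_toy_cert(512, False))` and `to_pem(build_toy_cert(2048, True))` reports three findings for the first certificate (undersized key, no CRL pointer, no OCSP pointer) and none for the second; pointing the same function at a real PEM bundle exported from a trust store or a fleet of servers is the discovery pass the article says organizations lack when they have no automated tooling.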
"To me," he explained, "this sounds like sloppy administration and a weak approach to audit procedures, but this won’t be the first - and probably won’t be the last - time that these governance and procedural failures have potentially sunk a business that relies on third-party trust providers for its operations."
"SSL and PKI remain solid and reliable technologies. That does not mean that enterprises can relax. They need to be aware that any individual third-party trust provider, like a CA, can be compromised. These are known risks. And known risks require solid, well-conceived contingency plans," Hudson added.