Venafi warns on lost business and brand reputational damage fall-out from recent Comodo certificate compromise
March 2011 by Venafi
Warnings from Microsoft and others that nine digital certificates in active use by the likes of Google, Microsoft Live and Yahoo have been compromised mean a breach of trust between the affected organisations and Internet users, says Venafi.
Jeff Hudson, CEO of the enterprise key and certificate management specialist Venafi, realised how bad the situation was when he heard the news and acknowledges the far-reaching consequences.
"Digital certificates are used as a signal to the Internet user that the site is trusted, but if the system that provides the trust is compromised, it effectively becomes close to worthless and unsecure. This saga, whatever its cause, is going to set back Internet users’ trust in Web sites," he said.
Hudson continued: "Previously, one of the few ways that cybercriminals could fool users of high-profile and trusted Web sites was to stage an evil twin or man-in-the-middle style of attack. By using this approach, the hackers are hitting at the heart of the trust amongst users. That’s very dangerous," he added.
Digital certificates and encryption keys are a critical element in computer and online security, and are leveraged by organizations of all sizes and industries to protect data and authenticate connections. They’re the equivalent of a driver’s license in the virtual world, and help identify systems to each other electronically.
Based on information currently available, it appears several rogue certificates were successfully issued using the Comodo certificate authority (CA) signing key—the equivalent of issuing fake IDs. It appears the issue was isolated to a small number of inappropriately issued certificates, although at this point, not enough information is available to confirm that.
Lost business for the affected companies will be the result.
Hudson went on to say that the trust issue will also extend to business users of the affected sites, as—unlike a consumer or small-business PC’s web browser, which warns about an expired certificate—enterprise systems do not distinguish where the certificate came from and provide no warning messages when there is a failure.
If there is a problem with the certificate or related keys, the systems or applications will simply stop working, without the businesses knowing what has happened - until their technical people get involved.
Because of these issues, this saga really is a big problem for the affected companies, says the Venafi CEO. While consumer trust can be rebuilt over time, businesses are very often completely turned off if a security compromise causes their systems to stop working. Assuming the Comodo certificate spoof will not be the last time a CA is targeted or breached, the question is how organisations can best prepare for the eventuality of another Comodo-style breach or the need to quickly respond to a report of a forged certificate.
Simple, says Hudson. It all comes down to management of the certificates, the keys, and allied security systems. And it’s not just a technology issue. Companies also have to have best practices for the people and processes aspect of proper certificate and key management.
Without policy-based management capabilities in place, we believe we will continue to see high-profile problems like this, and not just in the consumer Internet sector, he explained.
In the results of a survey released earlier this month, Venafi found that 51 per cent of respondents said they had experienced either stolen or unaccounted-for digital certificates - or they were uncertain if their organisations had lost, stolen or unaccounted-for digital certificates in general. Organisations further describe the situation as one of unquantified and unmanaged risk.
What makes the digital certificate management process all the more difficult, says Hudson, is the sheer volume and diversity of encryption technologies and certificate authorities that IT managers now have to administer on a daily basis.
"Consistent reports from businesses show that the number of encryption assets in their inventories is growing rapidly, and scattered individuals and teams end up having to manage them," he said.
"And it’s against this backdrop that Venafi’s enterprise approach to digital certificate and enterprise key management has really begun to catch on across a wide range of industries. We’ve recently seen the biggest spike in growth in the firm’s history, and have generated interest from some of the world’s largest financial institutions," he added.
This incident confirms the reality that certificate authorities can be compromised, especially in light of the recent compromise at RSA Security, and points to tremendous security risks. Organizations need to be able to monitor, validate and replace their certificates and encryption keys quickly—in case of a compromise. However, many corporations and government organizations are not currently prepared for this kind of scenario.
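The two practical points above, that enterprise systems accept a certificate without distinguishing where it came from and fail silently, and that organisations need to monitor, validate and replace certificates quickly after a CA compromise, can be turned into a policy check over a certificate inventory. The following Python script is an added example written for this page; it is not Venafi's product or any code from the organisations named. It uses only the standard library: certificates are represented in the dictionary shape that `ssl.SSLSocket.getpeercert()` returns, and every hostname, CA name, serial number and date in the sample inventory is a constructed placeholder, as is the mis-issuance watchlist. The checks are: was the certificate issued by the CA the organisation expects for that host, is its serial on a watchlist of reported mis-issued certificates, does the name match, and is it outside (or close to the end of) its validity window. The `fetch_peer_cert` helper shows how to populate the same inventory from live hosts; the offline audit uses a fixed reference time so its results are reproducible.

```python
import socket
import ssl

# Reference "now" for the constructed samples: 25 March 2011, the week the
# rogue-certificate warnings discussed above were issued. Passing the time in
# explicitly keeps the checks reproducible.
REFERENCE_TIME = ssl.cert_time_to_seconds("Mar 25 00:00:00 2011 GMT")

# Constructed sample inventory in the dict shape that ssl.SSLSocket.getpeercert()
# returns (RDNs as nested tuples). None of these are real certificates; hostnames,
# issuer names and serial numbers are placeholders.
SAMPLE_INVENTORY = {
    "www.example-bank.test": {
        "subject": ((("commonName", "www.example-bank.test"),),),
        "issuer": ((("organizationName", "Expected Root CA"),),
                   (("commonName", "Expected Root CA"),)),
        "notBefore": "Jan 01 00:00:00 2011 GMT",
        "notAfter": "Jan 01 00:00:00 2013 GMT",
        "serialNumber": "0A1B2C",
    },
    "login.example-mail.test": {
        "subject": ((("commonName", "login.example-mail.test"),),),
        "issuer": ((("organizationName", "Another Public CA"),),
                   (("commonName", "Another Public CA"),)),
        "notBefore": "Mar 15 00:00:00 2011 GMT",
        "notAfter": "Mar 15 00:00:00 2012 GMT",
        "serialNumber": "DEADBEEF",
    },
    "vpn.example-corp.test": {
        "subject": ((("commonName", "vpn.example-corp.test"),),),
        "issuer": ((("organizationName", "Expected Root CA"),),
                   (("commonName", "Expected Root CA"),)),
        "notBefore": "Apr 10 00:00:00 2010 GMT",
        "notAfter": "Apr 10 00:00:00 2011 GMT",
        "serialNumber": "00FF01",
    },
}

# Policy: which CA each host is expected to be issued by, plus serials reported
# as mis-issued (constructed placeholder value here) and an expiry warning window.
POLICY = {
    "expected_issuers": {
        "www.example-bank.test": {"Expected Root CA"},
        "login.example-mail.test": {"Expected Root CA"},
        "vpn.example-corp.test": {"Expected Root CA"},
    },
    "watchlist_serials": {"DEADBEEF"},
    "warn_days": 30,
}


def rdn_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    flat = {}
    for rdn in rdn_sequence:
        for attribute, value in rdn:
            flat[attribute] = value
    return flat


def check_certificate(host, cert, policy, now=REFERENCE_TIME):
    """Return a list of (code, detail) findings; empty means the cert passes."""
    findings = []
    issuer_cn = rdn_to_dict(cert.get("issuer", ())).get("commonName", "<none>")
    subject_cn = rdn_to_dict(cert.get("subject", ())).get("commonName", "<none>")
    serial = cert.get("serialNumber", "").upper()

    # 1. Was it issued by the CA this host is supposed to use? A valid chain from
    #    some other trusted CA is exactly what a browser would accept silently.
    if issuer_cn not in policy["expected_issuers"].get(host, set()):
        findings.append(("UNEXPECTED_ISSUER", f"{host} presented a certificate from '{issuer_cn}'"))
    # 2. Is the serial on the list of reported mis-issued certificates?
    if serial in policy["watchlist_serials"]:
        findings.append(("WATCHLISTED_SERIAL", f"{host} serial {serial}"))
    # 3. Simplified name check: exact CN only (real validation also covers SANs and wildcards).
    if subject_cn != host:
        findings.append(("NAME_MISMATCH", f"{host} != CN '{subject_cn}'"))
    # 4. Validity window, with an early warning so renewal is planned, not discovered by an outage.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append(("NOT_YET_VALID", cert["notBefore"]))
    elif now > not_after:
        findings.append(("EXPIRED", cert["notAfter"]))
    else:
        days_left = (not_after - now) // 86400
        if days_left < policy["warn_days"]:
            findings.append(("EXPIRING_SOON", f"{days_left} days left"))
    return findings


def audit_inventory(inventory, policy, now=REFERENCE_TIME):
    """Run every host through the policy and return {host: findings}."""
    return {host: check_certificate(host, cert, policy, now) for host, cert in inventory.items()}


def fetch_peer_cert(host, port=443, timeout=5):
    """Live variant: fetch the certificate a host currently serves, in the same
    dict shape as SAMPLE_INVENTORY. Not exercised in the offline audit."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY, POLICY).items():
        status = "OK" if not findings else "; ".join(f"{c}: {d}" for c, d in findings)
        print(f"{host}: {status}")
```

Running the script against the constructed inventory reports the first host as clean, flags the second for both an unexpected issuer and a watchlisted serial, and warns that the third expires in 16 days. The issuer allowlist is the part that a generic "is the chain valid?" check does not give you: a rogue certificate from a compromised CA chains to a trusted root just as well as the genuine one, so the only way to notice it is to know which CA each of your hosts is supposed to be using.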