Amazon is getting into the certificate game.
The company announced late last week that it launched a certificate manager to expedite the process of securing SSL/TLS certificates for customers looking to add HTTPS to their sites or apps.
The move comes less than a year after Amazon applied to Mozilla and the Android Open Source Project to become a root Certificate Authority.
Jeff Barr, Chief Evangelist for Amazon Web Services, discussed the move in a blog post last week. Barr claims the manager will provision SSL certificates verified by Amazon’s certificate authority (CA) and Amazon Trust Services (ATS) for free. For the time being only customers who use Amazon Web Services Elastic Load Balancing or its content delivery network, Amazon CloudFront, can apply for certificates.
When it comes to upkeep, in addition to provisioning, Amazon will also handle the deployment and renewal of the certs, Barr writes. In the future, the company says it will add support for additional AWS services and other types of domain validation. While it is expected to be rolled out globally, the manager is currently only available in the “US East” region.
The move follows in the footsteps of the Let’s Encrypt initiative, a free certification authority that the Electronic Frontier Foundation, Mozilla, and a handful of other tech companies got off the ground last year.
The coalition’s goal was to do away with the trials and tribulations commonly associated with obtaining a certificate: the exorbitant costs and the technical difficulties that come with implementing it. The initiative entered public beta last month and, unlike Amazon’s service, allows anyone who runs a server to get a certificate and deploy HTTPS on their site.
Cloudflare rolled out a similar initiative a few years back, providing SSL certs to its customers and accepting HTTPS connections for most of their domains.
Some experts are warning, however, that Amazon’s foray into certificates could do more harm than good.
As is the case with any Certificate Authority, there’s the chance Amazon-issued certs could ultimately be used to shield sites that are being used to carry out malvertising attacks.
Kevin Bocek, Vice President of Security Strategy & Threat Intelligence at Venafi, believes that it won’t be long until attackers begin using these new Amazon certs to disguise their attacks.
“What’s critically important here is that enterprises realize the risk of utilizing free certificates, which cybercriminals love to take advantage of,” Bocek said Tuesday. While the AWS certificates may be good for building quick apps, Bocek’s stance is that they won’t bring the level of enterprise-class security that some companies are looking for.
“Mark my words: it’s just a matter of time before we see cybercriminals leveraging these free AWS certificates to hide in encrypted traffic, masking themselves to go unnoticed while they steal sensitive data,” Bocek said.
Earlier this month, attackers used a Let’s Encrypt-issued certificate to protect a subdomain that was helping facilitate a malvertising campaign.
In that incident, attackers used “domain shadowing” to create subdomains under a legitimate domain. It’s the same technique that attackers behind the Angler Exploit Kit used last year to redirect victims to attack sites and host malicious payloads. Since Let’s Encrypt automatically protected traffic to the subdomain, it helped camouflage the attack.
Officials with Let’s Encrypt have already made it clear that they don’t believe CAs should be on the front lines when it comes to fighting phishing and malware.
Josh Aas, Executive Director of the Internet Security Research Group, the organization that oversees Let’s Encrypt, wrote last fall that he doesn’t believe CAs have “sufficient ongoing visibility into sites’ content,” and that they’re just not “positioned to operate anti-phishing and anti-malware operations.”
In Amazon Web Services’ Certificate Manager: User Guide (.PDF), published last week, the company made it clear that it can fail requests for ACM certificates if the domain is believed to contain malware or phishing content, but it doesn’t state how actively it will patrol the sites it grants these free certificates to.