The high-profile compromise of Comodo, a Certificate Authority (CA), has raised the spectre of a security failure in one of the Internet’s few security pillars: SSL (Secure Sockets Layer), the encryption and authentication layer that secures a dizzying array of Internet and Web-based transactions.
With news that certificates had been fraudulently issued under Comodo’s name for some of the Web’s top domains, enterprises face a difficult choice: keep trusting certificates from a CA that has admitted to a serious security breach, or migrate their certificates to a new CA.
According to Paul Turner, vice president of product and customer solutions at Venafi, however, most organizations have only a cursory understanding of their own certificate infrastructure to begin with. Blacklisting a major CA, or switching wholesale to a new one, may require hundreds of hours of work.
If you believe that Comodo won’t be the last CA to be targeted or breached, the question is: “How can my employer best prepare for the eventuality of another Comodo-style breach, or for the need to respond quickly to a report of a forged certificate?” Turner at Venafi recommends the following tips for securing your enterprise’s certificate infrastructure:
- Document certificate ownership information. When the certs hit the fan, so to speak, you need to know where your certificates are and whom to contact if you need to revoke them. Remember: this might not be 10:00 AM on a Monday; it could be 2:00 AM on a Saturday. You’ll be better off with a consolidated list of the affected certificates and emergency contact information, so your response to a breach isn’t hampered by a search for the right person.
- Have a plan. Turner of Venafi says that one big problem with certificate management is that even sophisticated IT staff often don’t have a strong grasp of how certificates work and what to do in an emergency. Having a clearly written plan and methodology for responding to emergencies can save a lot of time. Ideally, your organization has a means of quickly replacing affected certificates or switching wholesale from a compromised CA to another, secure one. Keep in mind that moving your own certificates to a different CA does not, by itself, stop a client from accepting a certificate fraudulently issued for your domain; that depends on the bad certificate being revoked and on clients no longer trusting the compromised CA. Alas, most enterprises don’t have tools for automated certificate discovery and management. All the more reason to have a plan in place in advance, even if it calls for manual replacement of your certificates.
- Be able to document what you’ve done. With regulations like the Payment Card Industry Data Security Standard (PCI DSS) looming over enterprises of all stripes, you may be asked to show an auditor, external or internal, exactly how you responded and what changes were made. This might include documentation of how many certificates you had from an affected CA and on which IT assets, what their key lengths were, where they were located and how they were disposed of.
- Ask tough questions. Enterprises might spend considerable resources vetting the various options for their mail server or anti-malware vendors, but hardly give a thought to their CA. The Comodo compromise suggests that enterprises would do well to ask tough questions before forging a business relationship with a particular CA. CAs offering extended validation (EV) certificates provide the highest degree of trust around the organizations seeking a cert, but any CA should be able to respond intelligently to questions about its certificate issuance and identity-verification practices. In light of the Comodo hack, it’s also worth asking about the Registration Authorities (RAs) and other subsidiary organizations the CA trusts to vouch for applicants: how closely are they vetted? A chain of trust is only as strong as its weakest link, as the Comodo breach indicates.
- Know where your certificates are. Most enterprises don’t have an inventory of the various SSL certificates and private keys they use. Step 1 in developing a clear response plan for breaches like the one at Comodo is to do an enterprise-wide certificate inventory. This will include obvious locations like Web servers outside your corporate firewall, but also devices behind the firewall, including application servers, routers and even endpoints. Vendors like Venafi and Netcraft can help with automated discovery tools…for a price. Otherwise, much of this process may rely on “sneakernet” and manual discovery.
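As an added example of the first-pass inventory described in the last two tips (not code from the article, Venafi or Netcraft), the Python script below uses only the standard library: it connects to each host:port you list, records who issued the certificate, its subject names and expiry, and flags any certificate issued by a CA on a distrust list or already expired. The organization name in DISTRUSTED_CA_ORGS and the sample certificate dictionary are constructed for the example; endpoints whose chain fails validation are kept in the list as flagged records rather than dropped. Key length and the full chain are not exposed by getpeercert(), so for those fields you would still run something like `openssl x509 -text -noout` over the saved certificates.

```python
"""Build a first-pass TLS certificate inventory for a list of host:port endpoints.

For each endpoint it records who issued the certificate, the subject name(s) and
the expiry date, and flags certificates issued by any CA on a distrust list or
already expired. Standard library only, so it runs anywhere Python does.
"""
import socket
import ssl
import time
from dataclasses import dataclass

# Assumption for this example: organizationName strings, as they appear in the
# issuer field, for the CAs you have decided to stop relying on.
DISTRUSTED_CA_ORGS = frozenset({"COMODO CA Limited"})


@dataclass(frozen=True)
class CertRecord:
    host: str
    port: int
    subject_cn: str
    issuer_org: str
    not_after: str          # as reported, e.g. "Mar 14 23:59:59 2013 GMT"
    sans: tuple             # DNS names from subjectAltName
    flagged: bool
    note: str = ""


def _rdn_value(name_seq, attr):
    """Extract one attribute (e.g. 'organizationName') from the nested tuples
    that ssl.SSLSocket.getpeercert() uses for the subject and issuer fields."""
    for rdn in name_seq:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def expiry_epoch(not_after):
    """Convert a getpeercert() date string to seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(not_after)


def classify(host, port, cert, distrusted=DISTRUSTED_CA_ORGS, now=None):
    """Turn one getpeercert() dict into an inventory record. A record is flagged
    when its issuer organization is on the distrust list or it has expired."""
    now = time.time() if now is None else now
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName")
    subject_cn = _rdn_value(cert.get("subject", ()), "commonName")
    sans = tuple(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    not_after = cert.get("notAfter", "")
    expired = bool(not_after) and expiry_epoch(not_after) < now
    reasons = []
    if issuer_org in distrusted:
        reasons.append("issued by distrusted CA")
    if expired:
        reasons.append("expired")
    return CertRecord(host, port, subject_cn, issuer_org, not_after, sans,
                      bool(reasons), "; ".join(reasons))


def fetch_cert(host, port=443, timeout=5.0):
    """Connect over TLS and return the leaf certificate as getpeercert() sees it.
    Uses the default (verifying) context; an endpoint whose chain does not
    validate raises ssl.SSLError, which scan() records rather than drops."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def scan(endpoints, distrusted=DISTRUSTED_CA_ORGS):
    """Inventory every (host, port) pair; connection or validation failures
    become flagged records so nothing silently falls out of the list."""
    records = []
    for host, port in endpoints:
        try:
            cert = fetch_cert(host, port)
        except OSError as exc:   # ssl.SSLError is an OSError subclass
            records.append(CertRecord(host, port, "", "", "", (), True,
                                      f"could not validate: {exc}"))
            continue
        records.append(classify(host, port, cert, distrusted))
    return records


# Constructed sample in the exact shape getpeercert() returns, so the
# classification logic can be exercised without a network connection.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.com"),)),
    "issuer": ((("countryName", "GB"),),
               (("organizationName", "COMODO CA Limited"),),
               (("commonName", "Example Intermediate CA"),)),
    "notBefore": "Mar 15 00:00:00 2011 GMT",
    "notAfter": "Mar 14 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "www.example.com")),
}


if __name__ == "__main__":
    # Offline demonstration; replace with scan([("www.example.com", 443), ...])
    # to inventory live endpoints.
    rec = classify("mail.example.com", 443, SAMPLE_CERT,
                   now=expiry_epoch("Jan 15 00:00:00 2012 GMT"))
    print(f"{rec.host}:{rec.port}  issuer={rec.issuer_org!r}  "
          f"expires={rec.not_after}  flagged={rec.flagged} ({rec.note})")
```

Feed scan() the host list from your asset register (load balancers, mail gateways, application servers and any internal device with a management interface on 443) and write the records out as CSV; the flagged column is the starting point for the replacement plan, and the issuer and expiry columns are what an auditor will ask for afterwards.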