Skip to main content
banner image
venafi logo

Bracing for Certificate Upheaval: Lessons from the Google vs. Symantec Debate

Bracing for Certificate Upheaval: Lessons from the Google vs. Symantec Debate

google vs symantec
March 24, 2017 | Eva Hanscom

Yesterday, researchers affiliated with Google Chrome dropped a bombshell report on Symantec’s certificate practices. The report claims that the Symantec certificate authority (CA) mis-issued thousands of transport layer security (TLS) certificates. And as a result, Chrome will no longer trust current Symantec certificates. Symantec has already responded to Google’s claims, stating the report is “exaggerated and misleading.”

As the back and forth between Symantec and Google becomes more heated, organizations caught in the middle may face complicated consequences. However, this debate represents just the latest chapter in the already long drama of certificate management.

According to Kevin Bocek, chief security strategist for Venafi: “This is a giant wake-up call for every business. Most organizations don’t have the agility required to be able to move, add or change certificates, keys or CAs in response to external issues like this one. The best possible outcome is that businesses will realize they are going to have to figure out how to deal with these issues. The alternative is to be victimized by these events.”

Back in 2012, Paul Turner, Venafi’s CTO of server products, issued a step-by-step guide on how to develop an effective response plan for CA security incidents and compromises. Turner’s report was issued in conjunction with the National Institute of Standards and Technology’s Information Technology Laboratory. Although this guide is nearly five years old, it still offers excellent direction on how to face current certificate disputes, including the issues brought up in Google and Symantec’s debate.

As Turner writes: “Because organizations so broadly rely upon TLS and SSL to secure systems and data, a CA compromise may require the replacement of end entity certificates, trusted root certificates, or both on hundreds or thousands of systems. To ensure that they can respond in a timely manner, organizations must take preparatory steps and establish well-defined response plans for CA security incidents.”

First and foremost, Turner recommends organizations review and identify all the applications and servers that rely on certificates for security. In addition, it must be noted which of these systems have end entity certificates of their own, or accept public key certificates from other users or servers. For many applications and servers, these conditions are not mutually exclusive. However, many systems may require a different baseline of security practices depending on their set up.

If a certificate compromise occurs, Turner recommends organizations take the following steps

  1. Ensure that certificates issued to the organization’s systems or users from the compromised CA are revoked.
  2. Notify all owners of the affected certificates about the CA compromise and establish a point of contact or helpdesk for responding to questions and providing guidance and instructions.
  3. Replace all certificates from the compromised CA with new certificates from a different CA.
  4. Ensure that all relying parties have the certificate trust chains required to validate certificates from the new CA.
  5. Ensure that revocation checking is enabled on all relying party systems.

Bottom line: every organization must be prepared to automate widespread key and certificate management, and they need this ability sooner rather than later. “The number of interconnected machines on networks is growing at a furious pace, which means the use of keys and certificates is increasing at the same rate,” continues Bocek. “Yet, most businesses don’t have any automation in place to help them manage these critical security assets.”

Find out how well your organization is prepared to handle a CA compromise. Read Paul Turner’s NIST CA Compromise Guide

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

man sitting on chair and thinking

Venafi Study: Are Financial Service Organizations More Likely to Suffer Certificate-Related Outages?

accessec, APIIDA, Crypto4A, Difenda

Six Groundbreaking Machine Identity Protection Developers Gain Funding

code signing certificates, Code Signing, Stuxnet, ShadowHammer

Study: How Well Are You Protecting Code Signing Certificates?

About the author

Eva Hanscom
Eva Hanscom

Eva Hanscom writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat