In an earlier blog post, I spoke with George Parsons, the inventor of wildcard certificates, about why he created them and how they may be overused. During that conversation, George mentioned that he is concerned that organizations may not be taking wildcard certificates seriously enough. He noted that many organizations may be unaware of the risks that come with hasty certificate deployment strategies, and he described a couple of attack scenarios that you may not have thought about.
Here’s the final portion of my interview with George:
Unfortunately, I think what’s going to happen with free Let’s Encrypt wildcard certificates is that more and more people will use wildcard certificates for their entire domain (*.website.com) without thinking about how easily these can be abused.
You name it, I’ve seen it. I’ve seen administrators leaving .p12 files lying around, emailing them to colleagues or partners, or leaving them on FTP servers. I’ve also seen them dropped inside of orchestration software.
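To make the "entire domain" point concrete, here is an added example (my own code, not George's or Venafi's) that estimates the blast radius of a certificate's private key: given the names a certificate is valid for and an inventory of hostnames, it reports which hosts an attacker holding that key could impersonate. The matching rule is a conservative reading of RFC 6125 section 6.4.3 (the wildcard must be the whole leftmost label and matches exactly one label, and wildcards on a public suffix like `*.com` are refused). The domain `website.com`, the hostnames, and the two certificate layouts are constructed sample data.

```python
"""Blast-radius check for wildcard certificates (added example, stdlib only).

Given the names a certificate is valid for and an inventory of hostnames,
report which hosts an attacker holding that certificate's private key could
impersonate. Matching follows RFC 6125 section 6.4.3 conservatively: '*' must
be the entire leftmost label, it matches exactly one label, and a wildcard on
a public suffix such as '*.com' is never accepted.
"""


def _normalize(name: str) -> str:
    # Hostnames are case-insensitive and a trailing dot is not significant.
    return name.strip().lower().rstrip(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only '*.example.com' style is accepted: the wildcard is the whole
    # leftmost label, at least two labels sit to its right, and no other
    # label contains a wildcard (so 'w*.example.com' is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # A wildcard matches exactly one label: dev.api.website.com is NOT
    # covered by *.website.com, and neither is the bare website.com.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_hosts(cert_names, inventory):
    """Hosts in `inventory` that any name in `cert_names` would validate for."""
    return sorted(h for h in inventory if any(wildcard_matches(n, h) for n in cert_names))


def blast_radius(certs, inventory):
    """Map each certificate id to the inventory hosts its key compromise exposes."""
    return {cert_id: covered_hosts(names, inventory) for cert_id, names in certs.items()}


# Constructed sample data (not from the article): two deployment strategies
# for the same hypothetical domain website.com.
INVENTORY = [
    "www.website.com", "api.website.com", "vpn.website.com",
    "internal-admin.website.com", "dev.api.website.com", "website.com",
]
CERTS = {
    "wildcard": ["*.website.com"],
    "san": ["www.website.com", "api.website.com"],
}

if __name__ == "__main__":
    for cert_id, hosts in blast_radius(CERTS, INVENTORY).items():
        print(f"{cert_id}: key compromise exposes {len(hosts)} host(s): {', '.join(hosts)}")
```

Run against the constructed inventory, the single `*.website.com` key exposes four hosts, including `internal-admin.website.com`, which the team that deployed the cert on the public web tier may never have intended to cover; the SAN certificate exposes only the two hosts it names. Feeding this your real hostname inventory and the names from each deployed certificate is a quick way to see how far a stray `.p12` would actually reach.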
As an executive at Venafi, George feels obligated to mention that Venafi offers a different kind of easy button, one that actually makes you more secure when you push it. Venafi automates the entire key and certificate lifecycle. So, whether you choose to use wildcard or SAN certificates, it lets you automate the deployment of keys and certificates according to your approved policies and workflows. This means you won't have the additional overhead of manually provisioning certificates to their respective endpoints.