Skip to main content
banner image
venafi logo

Examining the Impact of the OMB and Congress’ Moves to Add More Encryption and Address the CAs

Examining the Impact of the OMB and Congress’ Moves to Add More Encryption and Address the CAs

June 12, 2015 | Kevin Bocek

On the heels of the U.S government’s Office of Personnel Management (OPM) breach last week and other recent examples of cyber attacks involving the malicious use of keys and certificates, it's not that surprising to see two major developments this week to increase encryption use and improve website security in general.

This week, the U.S. Office of Management and Budget (OMB) announced it would require federal agencies to use HTTPS. A day later, House Energy & Commerce Committee sent letters to Apple, Microsoft, Google and Mozilla, asking them what they can do to limit or constrain certificate authorities (CAs) issuing certificates outside of their home domains. While they may seem unrelated, these two initiatives go hand in hand. 

While the intentions for more encryption are good (and ironically what Edward Snowden publically called for two years ago) to ensure the authenticity and privacy of federal websites, the OMB’s announcement to increase the use of HTTPS has significant gaps if not properly implemented with a system to protect the cryptographic keys and digital certificates. More encrypted traffic will require bad guys to use HTTPS and either forge or compromise certificates to mount effective attacks.

Image removed.

First, this means that all federal agencies must be inspecting inbound traffic for threats as they move toward 100 percent encryption. At this point, no traffic can go un-inspected because cybercriminals will hide there for months, even years, completely undetected (can anyone say Careto?).

Second, agencies must be prepared to detect the malicious use of forged, compromised, or fraudulent certificates across the Internet to stop spoofing and man-in-the-middle (MITM) attacks.

In its directive, OMB has yet to specify or mandate any type of key or certificate management system to ensure their proper care and protection. And there was no reference to or mention of the government’s NIST guidance issued two years ago for preparing for a CA compromise. That’s why it was interesting to see Congress’ letter to the browsers about limiting or constraining certain CAs.   

At Venafi, we've been saying for months that governments should be very concerned about who is trusted in our browsers and if we can trust that any website is secure. That's why we applauded Mozilla and Google for blocking CNNIC, the Chinese CA, back in April.

At this point, any CA in the world, through fraud or compromise, could issue malicious certificates for .gov domains (as well as .com and others). We need to be able to ensure that CAs cannot mis-issue certificates or issue malicious ones that might end up being used as a weapon against the U.S. or its allies. While Google Certificate Transparency (CT) helps it only covers the high-level extended validation (EV) certificates, and doesn’t help with compromise and misuse after issuance. This is why Certificate Reputation is becoming increasingly popular.

What the U.S. OMB and Congress have done is important, and are most certainly positive steps in the right direction, the reality is that now we're only going to have more encrypted traffic which makes the U.S. an even bigger target for cybercriminals who can hide and take on trusted status. In the meantime, without the ability to identify certificates, safely deliver them for use with SSL/TLS inspection, and detect and stop the misuse of certificates for governments and enterprises—we will remain extremely vulnerable to these types of attacks that are increasing at an alarming rate (remember CHS, Sony, Heartbleed, POODLE and Shellshock?). What are your thoughts on the U.S. government’s attempts to better secure government websites and web services?

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Kevin Bocek
Kevin Bocek

Kevin is Vice President of Security Strategy & Threat Intelligence at Venafi. He is recognized as a subject matter expert in threat detection, encryption, digital signatures, and key management, and has previously held positions at CipherCloud, PGP Corporation and Thales.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more