
GlobalSign—Are You Prepared to React Quickly When Good Certificates Go Bad?

November 7, 2016 | Scott Carter

As encryption becomes more ubiquitous, organizations should prepare to react quickly to an increasing number of disruptive events, such as the recent GlobalSign SNAFU. A simple error in root certificate maintenance at GlobalSign last week left organizations everywhere asking, “What happened?” Very quickly, they were also asking “What can I do?” when thousands of sites were identified as insecure and became untrusted. 

Even after GlobalSign issued intermediate certificates to rectify the problem, cached certificates could not be updated for up to four days. That’s a long time for a commercial website to be inaccessible to users.

In an article in InfoSecurity Magazine, Venafi Chief Strategy Officer Kevin Bocek talks about the impact of just one disruptive event. “It’s hard to know how many companies have been impacted, but with GlobalSign boasting that over 25 million certificates rely on the public trust of the GlobalSign root CA certificate, the impact is undoubtedly huge.”

But the fix is surprisingly huge as well. Before organizations can remediate certificates that have been impacted, they need to identify them, isolate them and, finally, reissue them. Sounds simple, right? But this proves to be more difficult than many organizations anticipate. Most organizations do not have a response plan for an outage of this scale, especially one that originates with a trusted authority.

In a world where most large organizations rely on multiple CAs in different regions or departments, they often lack the level of visibility required to make a smooth transition from one CA to another. In Dark Reading, Bocek highlights the questions that may have puzzled many organizations. “Do security operations teams know they use GlobalSign? Do they know where the servers that use GlobalSign certificates are located? Do they know how to add new CA certificates to application trust stores?”

The longer it takes to get the answers to these questions, the more revenue will be lost. Bocek estimates that revenue loss and reputational damage for the businesses affected may run into the millions of dollars.

Because of the potential fiscal impact, it’s important that businesses are adequately prepared to take immediate action when a problem arises. “Businesses must have an automated back-up plan – they cannot be at the mercy of any one CA,” advises Bocek in ComputerWeekly.com. He continues, “These types of issues will continue to happen but, when they do, firms need to be able to take control and immediately and automatically change out affected certificates.”

Was this an isolated event? Bocek responds, “The reality is that failures such as this and breaches involving certificates are becoming more frequent – not surprising, since the world is becoming encrypted. The impact though is completely unacceptable – you can’t have your site being untrusted or taken offline for days on end.”

About the author

Scott Carter

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.
