More Venafi 2017 Predictions: SHA-1 Outages, DevOps and Government Surveillance
December 19, 2016|Kevin Bocek
Last week I outlined the first five Venafi predictions for 2017. Before I move on to the next five, I’ll set the stage with a reminder of what we’ve already predicted:
As Certificate Authorities are pushed to do more and go faster, they will make more mistakes.
IoT ransomware will become one of the cybercriminal’s attack vectors of choice.
IoT manufacturers will take code signing more seriously.
The number of publicly trusted free certificates issued will outnumber those that are paid for.
2017 will see the first approved use of Let’s Encrypt or other free services within the Fortune 500.
Now on to the next five predictions.
At least one CA will fail to comply with Google’s requirement that every CA publish a transparency log.
CAs with unscrupulous business practices—like WoSign and StartCom—may refuse to comply with Google’s transparency requirements. With the rising tide of anti-Google sentiment, it would not be surprising to see CAs start to push back against browser maker requirements.
The next year will bring competing approaches to certificate transparency.
CAs will begin to be ranked by their user community as organizations look for ways to determine who to trust. Some security vendors will lose customers, revenue and overall credibility because they cannot see attackers lurking in encrypted traffic, while other vendors will introduce new solutions to address this concern.
There will be a major outage or attack related to the SHA-1 hashing algorithm.
As we approach the SHA-1 deprecation deadline, many organizations have yet to complete their migration to SHA-2. For the owners of the more than 1.5 million SHA-1 digital certificates issued since December 2013, failing to migrate could have serious consequences. Outdated websites could become unusable, damaging brand credibility and draining resources. As a result, vulnerable sites could fall victim to cyber attacks.
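A migration to SHA-2 starts with an inventory of which certificates are still SHA-1 signed. The following is an added example, not code from Venafi's post: a stdlib-only Python check that reads the outer signatureAlgorithm OID of a DER certificate and flags the SHA-1 variants. The minimal certificate skeleton it builds (sample_cert_der) is constructed for the demonstration and is not a real certificate.

```python
"""Flag X.509 certificates still signed with SHA-1 (DER, stdlib only). Added example."""
import base64, re
# signatureAlgorithm OIDs that bind a certificate's signature to SHA-1
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10040.4.3": "dsaWithSHA1", "1.2.840.10045.4.1": "ecdsaWithSHA1"}

def _tlv(buf, pos):
    """Decode one DER TLV at pos: (tag, value_start, value_end, next_element_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length, pos + length

def _decode_oid(body):
    """DER OID contents -> dotted decimal (base-128 arcs, high bit = continue)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE {tbs, sigAlg, sig}."""
    tag, start, _, _ = _tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, _, pos = _tlv(der, start)                     # skip tbsCertificate
    tag, alg_start, _, _ = _tlv(der, pos)               # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end, _ = _tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(der[oid_start:oid_end])

def uses_sha1(der):
    """Return (is_sha1, algorithm name or raw OID) for one DER certificate."""
    oid = signature_oid(der)
    return oid in SHA1_SIG_OIDS, SHA1_SIG_OIDS.get(oid, oid)

def pem_to_der(pem):                                    # strip PEM armour for scanning cert files
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def _der(tag, body):                                    # short-form DER encoder for the demo
    return bytes([tag, len(body)]) + body

def sample_cert_der(sig_oid_bytes):
    """Constructed skeleton (not a real cert): placeholder tbs, AlgorithmIdentifier, BIT STRING."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x01"))
```

Run uses_sha1(pem_to_der(open(path).read())) over a directory of PEM files to list the certificates that still need reissuing; anything that reports True is on the deprecation clock.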
At least one Western government will replicate the Russian style of mandating citizens to hand over keys and certificates.
In an effort to combat terrorism and expand surveillance, at least one Western government will follow Russia’s lead and mandate access to encryption keys and certificates. The potential impact of these decisions can’t be overstated—widespread government access to encrypted communications has the potential to demolish Internet privacy and devastate security.
In the U.S. we’ve seen court orders to compel Apple to subvert iPhone’s security controls. In the UK the Snooper’s Charter seeks to extend law enforcement powers to gain access to encryption keys and introduce encryption backdoors. Encryption is the backbone of secure and private communications on the Internet. It protects online banking, shopping and all manner of consumer services that our economy and critical infrastructure rely on.
It’s hard to overstate the impact of these decisions; once we allow governments universal access to encryption, the likelihood of abuse and misuse skyrockets. It’s time to stand up against governments’ efforts to hijack privacy and trust online.
2017 will be the year of DevOpsSec.
In 2017 at least half of DevOps teams in the Global 5000 will assign one or more team members to focus on making sure security is fast, easy and built in to every project. For example, while teams have been making sure every container uses HTTPS encryption and digital certificates, no one has been focused on how these powerful security controls are integrated into DevOps and Fast IT projects. The idea that security can be about going fast and safe may prove shocking to hardcore DevOps teams accustomed to flying below the corporate radar!
About the author
Kevin is Vice President of Security Strategy & Threat Intelligence at Venafi. He is recognized as a subject matter expert in threat detection, encryption, digital signatures, and key management, and has previously held positions at CipherCloud, PGP Corporation and Thales.