Skip to main content
banner image
venafi logo

Should the DoD Be Wary of Wildcard Certificates?

Should the DoD Be Wary of Wildcard Certificates?

wildcard certificates
September 13, 2018 | Guest Blogger: Eric Chabrow

Are wildcard certificates the answer to DoD authentication challenges: DoD agencies using certificates not trusted by major browsers?

Perhaps they could be, but wildcard certificates present their own challenges. More on that in a bit.

In May, U.S. Sen. Ron Wyden, D-Ore., wrote to Defense Chief Information Office Dana Deasy (see Senator Asks: Are All Doors Open at the DoD), that several DoD sites, including the Navy, Marines and the CIO office itself, had failed to secure connections with encryption or utilize authentication using a certificate issued by the DoD Root Certificate Authority. Such self-authentication isn’t as trustworthy as certificates issued by reputable certificate authorities. “The DoD cannot continue these insecure practices,” Wyden said.

Deasy says he expects processes to be in place to provide proper certificate authentication by the end of October. “The department is working hard to ensure DoD inspires trust among citizens and partners in its digital interactions across our missions, business and entitlement role,” Deasy said in a July 20 letter to Wyden. In an addendum, DoD says it will issue direction to implement commercially publicly trusted certificates on its public-facing sites and services by Oct. 31.

Wildcard certificates may, at first glance, seem to be a credible alternative to root certificate authority. They’re public key certificates used by all subdomains within a larger domain. Site operators can quickly secure countless subdomains, all encrypted by the same wildcard certificate.

But DoD should be careful not to replace one untrusted type of certificates technology with another. Although wildcard certificates may be incrementally more trusted than certificates issued by the DoD Root Certificate Authority, they have their own challenges, especially if their use is not carefully documented and controlled.

Wildcard certificate inventor George Parsons, senior director of security architects at Venafi, sees organizations overusing wildcard certificates. “Organizations clearly [are] not using best practice when they create a wildcard certificate using a singular key pair, so they can deploy it to 20, 30, 40 or even 2,000 or 3,000 servers,” Parsons told Scott Carter (see Conversations with the Inventor of Wildcard Certificates—Part 2: Beware of the Easy Button). “Wildcard certificates make that really easy, but it’s a huge exposure. Think about it; if you compromise just one of those private keys, you compromise the entire trust infrastructure for every one of those servers. But it’s easy. It’s the easy button and that’s pretty tempting.”

As we noted in a 2017 blog, Wildcard Certificates Make Encryption Easier, But Less Secure, cybercriminals can gain privileges that let them create unlimited subdomains if they hack into a domain. Subdomains created by cybercriminals will look valid because they’re authenticated by the domain owner’s wildcard certificate.

Imagine the phishing campaigns a cybercriminal could launch from illegitimate subdomains. Phishing site visitors likely won’t notice they’re at a phishing site. After all, their browsers established an HTTPS connection uses a legitimate wildcard certificate.

And websites such as Let’s Encrypt make it easier for cybercriminals to get free wildcard certificates. “What’s going to happen with free Let’s Encrypt wildcard certificates is that more and more people will use wildcard certificates for their entire domain (* without thinking about how easily these can be abused,” Parsons told Carter in a follow-up blog, Conversations with the Inventor of Wildcard Certificates—Part 3: The Risk of Exploit.

The bottom line: Don’t rely on wildcard certificates, or other types of certificates, unless they’re supported by systems that automate the entire key and certificate lifecycle and follow your approved policies and workflows. That’s solid advice for the DoD or any other enterprise.

Related posts

Like this blog? We think you will love this.
attaques de décapage ssl
Featured Blog

En quoi consistent les attaques SSL strip ?

  Un peu d'histoire

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Guest Blogger: Eric Chabrow
Guest Blogger: Eric Chabrow

Eric is a retired multimedia editor, writer and manager, with extensive experience in government, business and information. Founder of and, he produces the ISMG Security Report, a twice-weekly podcast that analyzes cybersecurity news and trends.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more