Symantec: If You Can’t Trust Your Certificate Authority, Who Can You Trust?

January 23, 2017 | Scott Carter

Despite earlier warnings from Google, Symantec appears to have once again issued Transport Layer Security (TLS) certificates without proper validation. On Thursday, security researcher Andrew Ayer reported 108 certificates that violated the industry's issuance rules (the CA/Browser Forum Baseline Requirements), all of them issued by Symantec-owned certificate authorities (CAs). Symantec revoked them quickly, but as Ars Technica reports, a revoked certificate can still be misused until the revocation actually takes effect in clients. Most browsers soft-fail CRL and OCSP checks, so in practice a revoked certificate keeps working until the browser vendor pushes it onto its own blocklist, and that process does not happen in real time and is not automatic.

This latest Symantec incident is a reminder to ask how much we actually trust CAs. Every bad certificate erodes digital trust, and the consequences of undermining that trust will keep growing as we rely more heavily on encryption. Venafi VP of security strategy Kevin Bocek expects the pattern to continue: "We've seen a number of CAs, including WoSign and GlobalSign, making errors over the past year, and we should expect to see this trend continue."

So what do we do about it? Waiting for an independent researcher to uncover poorly issued certificates is not a plan. To remain a trusted organization, you have to take matters into your own hands: keep tight control of your encryption assets, define your own terms of trust, and enforce them. No one else can do this for you.

According to Bocek, "The troubling trend of breaches and errors at CAs should serve as a wake-up call for all businesses: to protect themselves and their customers, every organization needs to be able to quickly detect unauthorized certificates issued by any CA and remove or replace them."

The faster you can mitigate a CA error, the lower the risk. But speed is worth nothing if you have nowhere to move to. Established relationships with more than one CA give you a path to switch issuers quickly. Bocek advises, "It's also crucial for businesses to have a plan that does not leave them at the mercy of any one CA. They need to be agile enough to remove, change or add a CA at a moment's notice, and the only way to accomplish this is with automation."

As Bocek notes, speed has a second component: reaction time. Locating the risky certificates, revoking them, requesting replacements, then installing and validating the new certificates is a lengthy process. Done manually at scale it quickly becomes overwhelming; automating it gives you both speed and accuracy.
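The first two steps of that loop, detecting certificates that were issued by an issuer you never approved and certificates the issuer has since revoked, can be expressed as a small audit over whatever certificates you have observed (an inventory scan of your endpoints, or an export from a Certificate Transparency log monitor). The following Go program is an added example; it is not code from this page or from Venafi. It builds a constructed scenario with two throwaway CAs (neither name refers to a real issuer), the hostnames, serial numbers and the revocation entry are all invented for the demonstration, and AuditInventory is the part you would keep: it flags every certificate in a PEM bundle that is on your revocation list or that does not chain to a CA on your approved list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding records one certificate that should be removed or replaced.
type Finding struct{ Subject, Issuer, Reason string }

// AuditInventory walks a PEM bundle of observed certificates and flags each one that
// is on the organisation's revocation list (keyed "<issuer CN>/<serial>", because
// serials are only unique per issuer) or that does not chain to an approved CA.
func AuditInventory(bundle []byte, approved *x509.CertPool, revoked map[string]bool) ([]Finding, error) {
	var findings []Finding
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		f := Finding{Subject: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName}
		_, verr := cert.Verify(x509.VerifyOptions{Roots: approved})
		switch {
		case revoked[f.Issuer+"/"+cert.SerialNumber.String()]:
			f.Reason = "revoked by issuer"
		case verr != nil:
			f.Reason = "issuer not in approved CA set"
		default:
			continue // chains to an approved CA and is not revoked
		}
		findings = append(findings, f)
	}
	return findings, nil
}

// must panics on error; used only by the demo set-up, where key generation cannot realistically fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert (demo only) generates a P-256 key and either a self-signed CA named cn,
// when parentKey is nil, or a server certificate for host cn signed by parent.
func makeCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parentKey == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.DNSNames = true, true, nil
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo builds the constructed scenario: one approved CA, one CA the organisation never
// authorised, and three certificates for its hosts, one of them revoked. All names are invented.
func Demo() ([]Finding, error) {
	goodCA, goodKey := makeCert("Approved Corp CA", 1, nil, nil)
	badCA, badKey := makeCert("Unapproved Test CA", 1, nil, nil)
	www, _ := makeCert("www.example.com", 1001, goodCA, goodKey)
	api, _ := makeCert("api.example.com", 1002, goodCA, goodKey)
	mail, _ := makeCert("mail.example.com", 2001, badCA, badKey)
	var bundle []byte
	for _, c := range []*x509.Certificate{www, api, mail} {
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	approved := x509.NewCertPool()
	approved.AddCert(goodCA)
	revoked := map[string]bool{"Approved Corp CA/1002": true} // api.example.com was revoked
	return AuditInventory(bundle, approved, revoked)
}

func main() {
	for _, f := range must(Demo()) {
		fmt.Printf("replace %s (issuer %q): %s\n", f.Subject, f.Issuer, f.Reason)
	}
}
```

Run as written, the audit reports api.example.com (revoked) and mail.example.com (issued by a CA that is not on the approved list) and stays silent about www.example.com. In production the bundle comes from your scans or CT monitor, the approved pool from your CA policy, and the revoked map from the issuers' CRLs; the findings are the work queue for the revoke-reissue-install-validate steps described above, and a certificate for one of your names that chains to an issuer you never approved is exactly the unauthorized issuance this post is about.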

CAs supply the raw material for trust, but it is up to you to control that trust in the way that best defends your organization, or it will break. "Businesses that are unprepared to detect and respond to CA errors threaten the integrity of encrypted and authenticated Internet traffic," concludes Bocek.

How quickly can you detect and replace risky certificates across your organization?  

About the author

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.