Symantec: If You Can’t Trust Your Certificate Authority, Who Can You Trust?

January 23, 2017 | Scott Carter

Despite previous warnings from Google, it appears that Symantec has once again been issuing unvalidated Transport Layer Security (TLS) certificates. On Thursday, security researcher Andrew Ayer uncovered 108 credentials that violated strict industry guidelines, all issued by Symantec-owned certificate authorities (CAs). Ars Technica reports that, even when quickly revoked, these improperly issued certificates have the potential to be misused until they are blacklisted by browsers. Unfortunately, the blacklisting process does not happen in real time, and it’s certainly not automatic.

This most recent Symantec incident reminds us to consider again how much we actually trust CAs. Every bad certificate erodes digital trust. And the ramifications of undermining this trust will continue to escalate with our growing reliance on encryption. Venafi VP of security strategy Kevin Bocek gazes into that troubling future, “We’ve seen a number of CAs, including WoSign and GlobalSign making errors over the past year, and we should expect to see this trend continue.” 

So, what do we do about it? Sitting around waiting for an independent researcher to uncover poorly issued certificates isn’t the best plan. To ensure your status as a trusted organization, you need to take matters into your own hands. You need to maintain rigid control of your encryption assets. You need to be prepared to define your own terms of trust. And you need to enforce them. No one else can do this for you.

According to Bocek, “The troubling trend of breaches and errors at CAs should serve as a wakeup call for all businesses -- to protect themselves and their customers, every organization needs to be able to quickly detect unauthorized certificates issued by any CA and remove or replace it.”

The faster you can mitigate a CA error, the lower the security risk. However, without an alternate destination, speed means nothing. Having a trusted relationship with multiple CAs gives you the alternate route you need to move quickly. Bocek advises, “It’s also crucial for businesses to have a plan that does not leave them at the mercy of any one CA. They need to be agile enough to remove, change or add a CA at a moment’s notice and the only way to accomplish this is with automation.”

As Bocek notes, there is another component of speed: reaction time. The full process of locating risky certificates, revoking them, requesting replacements, then installing and validating the new certificates can be rather lengthy. Try to do this manually at scale and you’ll quickly become overwhelmed. Automating the process, on the other hand, helps you ensure both speed and accuracy.
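To make the "detect unauthorized certificates issued by any CA" step concrete, here is an added example in Go; it is not code from the original post or from Venafi. It builds a constructed inventory in memory (two throwaway CAs, one the organization has approved and one it has not, plus three server certificates), then audits every certificate against the approved-CA pool and a renewal window. The names `Finding`, `AuditInventory`, `BuildDemo`, the CA names and the hostnames are all assumptions made for the example; a real deployment would load the approved roots from policy and the inventory from discovered endpoints.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding describes one certificate that needs to be revoked, replaced or renewed.
type Finding struct {
	Subject string
	Issuer  string
	Reason  string
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeCA creates a self-signed CA certificate and key for the demo.
// This is constructed key material for illustration only, not a real CA.
func makeCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueLeaf signs a TLS server certificate for host with the given CA.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, validFor time.Duration) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// AuditInventory flags every certificate that either does not chain to a CA the
// organization has approved (candidate for revocation and replacement) or expires
// within renewWithin (replacement should be requested now, not at the last minute).
// Findings are returned in inventory order.
func AuditInventory(inventory []*x509.Certificate, approved *x509.CertPool, renewWithin time.Duration) []Finding {
	var findings []Finding
	for _, c := range inventory {
		// Roots is set explicitly, so only the organization's approved CAs count;
		// the system trust store is deliberately not consulted.
		opts := x509.VerifyOptions{Roots: approved, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
		if _, err := c.Verify(opts); err != nil {
			findings = append(findings, Finding{Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName,
				Reason: "not issued by an approved CA: " + err.Error()})
			continue
		}
		if time.Until(c.NotAfter) < renewWithin {
			findings = append(findings, Finding{Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName,
				Reason: "expires within renewal window"})
		}
	}
	return findings
}

// BuildDemo constructs the sample inventory: a leaf from the approved CA, a leaf
// from an unapproved CA, and a soon-to-expire leaf from the approved CA.
func BuildDemo() ([]*x509.Certificate, *x509.CertPool) {
	approvedCA, approvedKey := makeCA("Approved Internal CA", 1)
	otherCA, otherKey := makeCA("Unapproved CA", 2)
	pool := x509.NewCertPool()
	pool.AddCert(approvedCA)
	inventory := []*x509.Certificate{
		issueLeaf("www.example.com", approvedCA, approvedKey, 100, 90*24*time.Hour),
		issueLeaf("api.example.com", otherCA, otherKey, 200, 90*24*time.Hour),
		issueLeaf("old.example.com", approvedCA, approvedKey, 300, 5*24*time.Hour),
	}
	return inventory, pool
}

func main() {
	inventory, pool := BuildDemo()
	for _, f := range AuditInventory(inventory, pool, 30*24*time.Hour) {
		fmt.Printf("%-18s issuer=%-22s %s\n", f.Subject, f.Issuer, f.Reason)
	}
}
```

The audit reports `api.example.com` because its chain ends at a CA outside the approved pool, and `old.example.com` because it falls inside the 30-day renewal window; `www.example.com` passes. Running a check like this continuously over discovered endpoints, rather than waiting for an outside researcher, is what turns "detect unauthorized certificates issued by any CA" into an operational control.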

CAs give you the raw material for trust. But it’s up to you to manipulate and control that trust in a way that best defends your organization. Or it will break. “Businesses that are unprepared to detect and respond to CA errors threaten the integrity of encrypted and authenticated Internet traffic,” concludes Bocek.

How quickly can you detect and replace risky certificates across your organization?

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
