Last year, researchers affiliated with Google determined that Symantec and its affiliated CAs had mis-issued thousands of Transport Layer Security (TLS) certificates. As a result, the Chrome team announced a formal plan to remove trust from Symantec-issued certificates. The first deadline is April 17th, when Chrome 66 and Mozilla will distrust Symantec TLS certificates issued prior to June 1, 2016.
Unfortunately, security events are not uncommon in the CA industry, and there are many reasons why organizations need the ability to rapidly switch CAs.
“CAs have a very difficult job and they deal with many complexities that are outside their control,” says Mike Dodson, global head of security architects for Venafi. “Every CA is exposed to risks, and CA compromises and errors can leave organizations scrambling to find and replace many certificates in a short amount of time.”
Venafi recently conducted a study to see how prepared organizations are to respond to Certificate Authority (CA) errors and browser distrust events. The study includes responses from eleven hundred IT security professionals from the U.S., U.K., Germany, France and Australia who are knowledgeable about CAs.
According to the results, IT security professionals are troubled by the prospect of future CA incidents, but very few have the tools needed to switch CAs quickly. For example, 81% of respondents are concerned about future incidents involving CAs. However, if they were affected by a major event like a CA security breach, only 23% said they are completely confident in their ability to quickly find and replace all their impacted certificates.
Additional findings indicate that security professionals may be overestimating their ability to respond to a CA incident:
Mike concludes: “Organizations need greater control over the CAs they trust, but they also must acknowledge that they’ll never have full control. For example, browsers play a big role in how we trust CAs. Chrome and Mozilla recently decided they would no longer trust certificates issued by Symantec, and now many organizations must replace these certificates before a set deadline.”
Is your organization prepared for the next CA security event?