The on-going revelations about the SolarWinds attack made code-signing certificates known to the public. According to the analysis made by several security firms and SolarWinds itself, the code signing process seems to have failed, allowing adversaries to inject malware. However, code signing certificates were not the only machine identity misused in the attack. X.509 certificates were also compromised, permitting attackers to impersonate legitimate trusted users to move freely without being detected.
The attack was one more warning that strong, effective and efficient deployment and management of all your digital certificates is essential for securing yourself and your business against a variety of attacks. However, managing your certificates starts with knowing what each certificate does. Let us begin with the most popular ones, the TLS/SSL certificates.
The TLS/SSL certificates are used to encrypt data in transit and to authenticate the identity of websites. The certificates are based on public key encryption. When a browser or an IoT device wishes to connect over TLS protocol with a public facing server, it looks up to the corresponding certificate to obtain the server’s public key and validate its identity. The use of TLS machine identities prevents attacks that target the trust users place on legitimate sites and services.
There are three types of TLS/SSL certificates, namely Domain Validation (DV), Organizational Validation (OV) and Extended Validation (EV). The most prominent use of TLS/SSL certificates is found on HTTPS addresses, where the TCP layer is encrypted with the superposition of TLS encryption protocol layer. In addition, sites protected with these machine identities display a grey lock in the URL address bar.
Code-signing certificates are used to validate the authenticity of software components used for application development. These certificates confirm the identity of the author of the code and prove that the code has not been altered or tampered with after it was signed. Code-signing certificates are the foundation of secure and trustworthy software supply chains that underpin today’s speedy DevOps pipelines.
Just like with TLS/SSL certificates, code-signing is based on public key encryption. The software developer signs the code with its private key, while anyone who wishes to include that software component into their development project can use the developer’s public key to verify that the software is coming from a trusted source. In addition, end users can ensure the integrity of the component. If the application is tampered with or altered after being digitally signed, the signature will appear invalid.
While TLS/SSL certificates are used to validate servers, client certificates are used to authenticate people or devices requesting access to sensitive corporate data or services. These certificates are an effective authentication mechanism, removing the need to rely on insecure and vulnerable passwords. Although client certificates are used to authenticate individuals and connected devices, they do not encrypt data.
These certificates are gaining traction because traditional access security and authentication mechanisms based on passwords are not adequate enough to protect corporate data in the cloud. Passwords are famous for being easily compromised or stolen, allowing attackers to impersonate legitimate users and move undetected within corporate networks.
Client certificates benefit businesses by providing strong, effective, and efficient user authentication while enhancing user experience. Client certificates are installed on the users’ device and determine the privileges granted to that user to remotely access corporate data and services. If the users does not have the required permissions, they will not be granted access.
Now that you are aware of the various types of digital certificates, you need to establish industry best practices to manage them effectively and deploy them securely. The following tips will help your organization manage TLS/SSL certificates properly and avoid unexpected outages as well as security risks.
The Venafi Trust Protection Platform powers enterprise solutions that give you the visibility, intelligence and automation to protect machine identities throughout your organization. Plus, you can extend your protection through an ecosystem of hundreds of out-of-the-box integrated third-party applications and certificate authorities. So you’ll never lose track of a digital certificate that could be misused in an attack like SolarWinds.
Ready to start automating? Contact us.