Let’s say you’re a Trustico customer and you learn that your private keys may have just been emailed to a Certificate Authority. Even if you assume that email was encrypted, you should also assume that your certificates are now compromised. So, your top priority would be to locate and replace these private keys and the corresponding certificates, right? Unfortunately, the data indicates that thousands of Trustico customers haven’t taken that action.
Our researchers used Venafi TrustNet, the industry’s first enterprise certificate reputation service, to do a quick forensic analysis on how many Trustico certificates had been revoked in the week since the Trustico CEO emailed 23,000 private keys to DigiCert. They learned that within that timeframe, only around 3,500 of the impacted keys had been revoked. That leaves roughly 19,500 compromised private keys still in need of immediate attention.
In some ways, this sluggish response to a Certificate Authority compromise is not altogether surprising. Some organizations don’t realize the enormous security risks connected with an error like this. In less urgent situations, we’ve seen the same procrastination. For example, a year after the deadline to replace deprecated SHA-1 certificates, there are still many in use—even though major browsers began flagging them with security warnings and a collision attack has been proven possible.
But even organizations that realize the full implications of not reacting quickly to compromised or vulnerable keys and certificates may not have the tools they need to do so. Without accurate visibility into their full inventory of keys and certificates, it’s nearly impossible to quickly locate those that need to be revoked and replaced. Nor will they be able to validate that they have found and addressed all exposed keys and certificates.
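As an added illustration (not part of the original post and not Venafi's own tooling), the Go program below shows the kind of inventory triage the paragraph describes: it walks a bundle of PEM-encoded certificates, fingerprints each one, and flags those issued under a named issuer organization or listed in an operator-maintained set of compromised fingerprints. The inventory, the issuer name "Constructed Reseller CA" and the host names are constructed for the example; in a real triage the issuer match would use the intermediate that actually signed the exposed certificates, and each flagged certificate still has to be revoked through its CA and reissued from a fresh key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding is one inventory certificate together with the reason it needs replacing.
type Finding struct {
	Subject     string
	Fingerprint string // SHA-256 over the DER encoding, lower-case hex
	Reason      string
}

// TriageInventory parses every CERTIFICATE block in pemBundle and returns the ones that must
// be replaced: any whose fingerprint is in knownCompromised (a set the operator maintains),
// and any issued under an issuer whose Organization matches exposedIssuerOrg. It also returns
// the total number of certificates seen so the operator can validate coverage.
func TriageInventory(pemBundle []byte, exposedIssuerOrg string, knownCompromised map[string]bool) ([]Finding, int, error) {
	var findings []Finding
	total := 0
	rest := pemBundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, total, fmt.Errorf("parsing certificate: %w", err)
		}
		total++
		sum := sha256.Sum256(cert.Raw)
		fp := hex.EncodeToString(sum[:])
		switch {
		case knownCompromised[fp]:
			findings = append(findings, Finding{cert.Subject.CommonName, fp, "fingerprint on compromised list"})
		case issuedBy(cert, exposedIssuerOrg):
			findings = append(findings, Finding{cert.Subject.CommonName, fp, "issued via exposed reseller chain"})
		}
	}
	return findings, total, nil
}

func issuedBy(cert *x509.Certificate, org string) bool {
	for _, o := range cert.Issuer.Organization {
		if strings.EqualFold(o, org) {
			return true
		}
	}
	return false
}

// ConstructedInventory builds a small self-signed test inventory so the example runs offline.
// Every name here is made up; none of these are real Trustico or DigiCert certificates.
func ConstructedInventory() ([]byte, error) {
	entries := []struct{ cn, org string }{
		{"www.example.test", "Constructed Reseller CA"},
		{"api.example.test", "Constructed Reseller CA"},
		{"intranet.example.test", "In-House CA"},
	}
	var bundle []byte
	for i, e := range entries {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)),
			Subject:      pkix.Name{CommonName: e.cn, Organization: []string{e.org}},
			NotBefore:    time.Now().Add(-time.Hour),
			NotAfter:     time.Now().Add(24 * time.Hour),
		}
		// Self-signed, so the Issuer is the Subject and carries the constructed org name.
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return bundle, nil
}

func main() {
	bundle, err := ConstructedInventory()
	if err != nil {
		panic(err)
	}
	findings, total, err := TriageInventory(bundle, "Constructed Reseller CA", map[string]bool{})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d certificates scanned, %d need replacement\n", total, len(findings))
	for _, f := range findings {
		fmt.Printf("  %-24s %s  (%s)\n", f.Subject, f.Fingerprint[:16], f.Reason)
	}
}
```

The count returned alongside the findings is the piece that supports validation: if the number of certificates scanned is smaller than what the organization believes it operates, the inventory itself is incomplete and the triage cannot be trusted.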
Hari Nair, director of product management and cryptographic researcher for Venafi, cautions, “This event is just one example of the many reasons why organizations that may have been affected need to perform immediate risk assessment of their key and certificate management program—from issuance to revocation. Any time an organization allows any third party to handle their private keys, they are opening the door to the possibility that really bad things can happen.”
This risk extends beyond Trustico customers to any organization that has outsourced the generation of private keys to a reseller. Dan Goodin, security editor at Ars Technica, also weighs in on the importance of securing private keys: “Generally speaking, private keys for TLS certificates should never be archived by resellers, and, even in the rare cases where such storage is permissible, they should be tightly safeguarded. A CEO being able to attach the keys for 23,000 certificates to an email raises troubling concerns that those types of best practices weren't followed.”
Nick Hunter, senior digital trust researcher for Venafi, recommends, “If you are trusting a reseller to generate your certificate signing requests (CSRs) and then trusting them with your private keys, you need to rethink your strategy. Enterprises should always have total control of their private keys, as they secure data and communications, and your customers trust you to protect those keys at all costs.”
If you are concerned about maintaining acceptable levels of risk, you should start by bringing key generation in house and centralizing your key management. Hunter concludes, “The best way to maintain consistent control of your private keys is through protected, automated, centralized key management.”
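As an added example (not Venafi's code and not part of the original post), the Go program below shows the first step of bringing key generation in house: the private key is created on the requester's own system, only the CSR derived from it is exported for the CA or reseller, and before that CSR is submitted the program checks that it really belongs to the locally held key. A CSR that a reseller generated on the customer's behalf fails that check, which is exactly the situation the quotes above warn against. The host name www.example.test is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
)

// InHouseKey holds a private key generated on the requester's own system together with the
// PEM-encoded CSR derived from it. Only CSRPEM ever leaves the host; Key stays in the
// organization's own key store.
type InHouseKey struct {
	Key    *ecdsa.PrivateKey
	CSRPEM []byte
}

// GenerateInHouseCSR creates a fresh P-256 key locally and a CSR for commonName/dnsNames
// signed by that key. The private key is never embedded in the CSR.
func GenerateInHouseCSR(commonName string, dnsNames []string) (*InHouseKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName},
		DNSNames: dnsNames,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return &InHouseKey{Key: key, CSRPEM: csrPEM}, nil
}

// PrivateKeyPEM serializes the key as PKCS#8 for the organization's own (access-controlled)
// key store. This output must never be attached to a support ticket or e-mail.
func (k *InHouseKey) PrivateKeyPEM() ([]byte, error) {
	der, err := x509.MarshalPKCS8PrivateKey(k.Key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// VerifyCSRBelongsToKey is the pre-submission check: the CSR must parse, its signature must
// verify under the public key it carries, and that public key must be the one paired with
// the locally held private key. A CSR produced by someone else (for example a reseller that
// generated the key pair for you) fails the last condition.
func VerifyCSRBelongsToKey(csrPEM []byte, key *ecdsa.PrivateKey) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("parsing CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return errors.New("CSR public key does not match the locally generated private key")
	}
	return nil
}

func main() {
	ik, err := GenerateInHouseCSR("www.example.test", []string{"www.example.test"})
	if err != nil {
		panic(err)
	}
	fmt.Print(string(ik.CSRPEM)) // the only artifact that is handed to the CA
	fmt.Println("CSR belongs to local key:", VerifyCSRBelongsToKey(ik.CSRPEM, ik.Key) == nil)
}
```

The same public-key comparison applies when the issued certificate comes back: confirming that the certificate's public key equals the locally generated one is how an organization validates that the key it controls, and no key a third party generated, is the one the certificate binds to.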