Are wildcard certificates the answer to DoD authentication challenges: DoD agencies using certificates not trusted by major browsers?
Perhaps they could be, but wildcard certificates present their own challenges. More on that in a bit.
In May, U.S. Sen. Ron Wyden, D-Ore., wrote to Defense Chief Information Officer Dana Deasy (see Senator Asks: Are All Doors Open at the DoD) that several DoD sites, including those of the Navy, the Marines and the CIO office itself, had either failed to encrypt their connections or authenticated them with a certificate issued by the DoD Root Certificate Authority, which major browsers do not trust. Such self-issued authentication isn’t as trustworthy as certificates issued by reputable public certificate authorities. “The DoD cannot continue these insecure practices,” Wyden said.
Deasy says he expects processes to be in place to provide proper certificate authentication by the end of October. “The department is working hard to ensure DoD inspires trust among citizens and partners in its digital interactions across our missions, business and entitlement role,” Deasy said in a July 20 letter to Wyden. In an addendum, DoD says it will issue direction to implement commercial, publicly trusted certificates on its public-facing sites and services by Oct. 31.
Wildcard certificates may, at first glance, seem to be a credible alternative to the DoD Root Certificate Authority. They’re public key certificates that can be used by all subdomains within a larger domain. Site operators can quickly secure countless subdomains, all encrypted by the same wildcard certificate.
But DoD should be careful not to replace one untrusted type of certificate technology with another. Although wildcard certificates may be incrementally more trusted than certificates issued by the DoD Root Certificate Authority, they have their own challenges, especially if their use is not carefully documented and controlled.
Wildcard certificate inventor George Parsons, senior director of security architects at Venafi, sees organizations overusing wildcard certificates. “Organizations clearly [are] not using best practice when they create a wildcard certificate using a singular key pair, so they can deploy it to 20, 30, 40 or even 2,000 or 3,000 servers,” Parsons told Scott Carter (see Conversations with the Inventor of Wildcard Certificates—Part 2: Beware of the Easy Button). “Wildcard certificates make that really easy, but it’s a huge exposure. Think about it; if you compromise just one of those private keys, you compromise the entire trust infrastructure for every one of those servers. But it’s easy. It’s the easy button and that’s pretty tempting.”
As we noted in a 2017 blog, Wildcard Certificates Make Encryption Easier, But Less Secure, cybercriminals can gain privileges that let them create unlimited subdomains if they hack into a domain. Subdomains created by cybercriminals will look valid because they’re authenticated by the domain owner’s wildcard certificate.
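The two exposures described above, one private key deployed to many servers and a wildcard name that covers a whole domain, are both visible in a plain certificate inventory. The following is an added example, not code from the original post or from Venafi: it applies the standard wildcard matching rules (a `*` must be the entire leftmost label and matches exactly one label) and flags wildcard names and shared keys in a constructed sample inventory; the hostnames and fingerprints are made up.

```python
# Added example: audit a constructed certificate inventory for wildcard
# names and for private keys shared across many servers.
from collections import defaultdict


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*' must be the whole leftmost label and
    matches exactly one label, so '*.example.mil' covers 'www.example.mil'
    but not 'example.mil', 'a.b.example.mil' or the bare '*.mil' case."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if p_labels[0] != "*":
        return p_labels == h_labels          # exact name, case-insensitive
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False                         # no '*.tld', no extra labels
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


# Constructed inventory: (hostname, SAN entries, key fingerprint label)
INVENTORY = [
    ("www.example.mil", ["*.example.mil"], "key-A"),
    ("mail.example.mil", ["*.example.mil"], "key-A"),
    ("portal.example.mil", ["*.example.mil"], "key-A"),
    ("api.example.mil", ["api.example.mil"], "key-B"),
]


def audit_inventory(records, max_hosts_per_key: int = 1):
    """Return (kind, detail) findings: hosts whose certificate does not
    name them, wildcard SANs in use, and keys on more hosts than policy
    allows (one host per key pair by default)."""
    findings = []
    hosts_by_key = defaultdict(set)
    for host, sans, fingerprint in records:
        hosts_by_key[fingerprint].add(host)
        if not any(wildcard_matches(san, host) for san in sans):
            findings.append(("name_mismatch", host))
        for san in sans:
            if san.startswith("*."):
                findings.append(("wildcard", f"{host} via {san}"))
    for fingerprint, hosts in hosts_by_key.items():
        if len(hosts) > max_hosts_per_key:
            findings.append(("shared_key", f"{fingerprint} on {len(hosts)} hosts"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_inventory(INVENTORY):
        print(f"{kind:14} {detail}")
```

Feeding the script real inventory data (for example, SAN lists and key fingerprints exported from a certificate management system) turns the two risks discussed above into concrete, reviewable findings.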
Imagine the phishing campaigns a cybercriminal could launch from illegitimate subdomains. Phishing site visitors likely won’t notice they’re at a phishing site. After all, their browsers established an HTTPS connection using a legitimate wildcard certificate.
And websites such as Let’s Encrypt make it easier for cybercriminals to get free wildcard certificates. “What’s going to happen with free Let’s Encrypt wildcard certificates is that more and more people will use wildcard certificates for their entire domain (*.website.com) without thinking about how easily these can be abused,” Parsons told Carter in a follow-up blog, Conversations with the Inventor of Wildcard Certificates—Part 3: The Risk of Exploit.
The bottom line: Don’t rely on wildcard certificates, or other types of certificates, unless they’re supported by systems that automate the entire key and certificate lifecycle and follow your approved policies and workflows. That’s solid advice for the DoD or any other enterprise.