Today GoDaddy announced a bug in its SSL certificate validation process. To remedy the problem, the certificate authority will revoke and reissue the faulty certificates. But if an impacted organization is not prepared to act quickly to install and revalidate the new certificates, visitors to its websites may be exposed to error messages or browser warnings. And if it attempts to replace the certificates manually, the work can consume valuable staff hours that many organizations cannot spare.
In a blog post, GoDaddy outlined the certificate impact as follows:
“On Friday, Jan. 6, we learned about a bug that impacted our SSL certification validation process. The bug was introduced on July 29, 2016, and impacted less than 2 percent of the certificates issued from July 29, 2016, to Jan. 10, 2017. It affected approximately 6,100 customers. The software bug that created the issue has been remedied. We continue to closely monitor the system. We will revoke these certificates at 9 p.m. (PST) Jan. 10, 2017. We are actively working with our customers to reissue their SSL certificates.”
GoDaddy’s proactive stance is admirable. But this incident still raises questions about how completely you can trust your CA. Kevin Bocek, Venafi VP of security strategy, describes the challenge: “As the use of cloud, mobile, and IoT devices drives an explosion in demand for digital certificates, businesses need to be prepared to respond to an increase in errors and security compromises from certificate authorities.”
Since human error is inevitable given the vast numbers of certificates we now require, how quickly are you prepared to react when SSL flaws do surface? Tim Bedard, director of digital trust analytics for Venafi, warns that organizations often lack the visibility they need to solve problems like this, so they cannot respond in a timely fashion.
According to Bedard, “Quite often, organizations can’t revoke and replace faulty certificates quickly. In fact, most organizations replace certificates manually, one at a time – a process that is insecure, lengthy and resource intensive. Security issues like this negatively impact any business with an online presence, and the weaker their cryptographic risk posture is, the greater the negative impact.”
The better equipped you are to manage and control your own certificates, the less you will have to rely on the infallibility of any certificate authority. Bocek sums up the importance of active certificate management: “This is clearly a wake-up call for businesses. Trust in digital certificates enables the global economy and impacts every Internet user, business, and government, but businesses rely on manual methods to manage them. To protect your business, you must know the location of every certificate in use and be able to replace any of them instantly.”
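The inventory Bocek describes is a concrete check you can run. As an added example (not code from GoDaddy, Venafi, or the original post), the Python below triages a certificate by issuer and issuance date against the window GoDaddy stated, July 29, 2016 to Jan. 10, 2017. It assumes the impacted certificates carry an issuer organizationName containing "GoDaddy" (an assumption; confirm the issuer field on your own certificates), and it uses constructed sample certificate records in the shape Python's `ssl.getpeercert()` returns so it runs offline; the `fetch_cert` helper performs the live lookup against your own hosts. A flagged certificate is a candidate for review, not a confirmed victim: the issuance window covers every GoDaddy certificate from that period, while GoDaddy says fewer than 2 percent were affected, so the final word comes from the CA's notification and the reissued certificate.

```python
import socket
import ssl
from datetime import datetime, timezone

# Issuance window quoted from GoDaddy's announcement (UTC boundaries assumed).
WINDOW_START = datetime(2016, 7, 29, tzinfo=timezone.utc)
WINDOW_END = datetime(2017, 1, 10, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample records in the dict layout returned by ssl.SSLSocket.getpeercert().
# Issuer names and serial numbers are made up for illustration.
SAMPLE_CERTS = {
    "shop.example": {
        "issuer": ((("countryName", "US"),),
                   (("organizationName", "GoDaddy.com, Inc."),),
                   (("commonName", "Go Daddy Secure Certificate Authority - G2"),)),
        "notBefore": "Aug 15 10:00:00 2016 GMT",
        "notAfter": "Aug 15 10:00:00 2018 GMT",
        "serialNumber": "0123ABCD",
    },
    "api.example": {
        "issuer": ((("organizationName", "GoDaddy.com, Inc."),),),
        "notBefore": "Mar 01 08:30:00 2016 GMT",   # issued before the window
        "notAfter": "Mar 01 08:30:00 2018 GMT",
        "serialNumber": "4567EF01",
    },
    "www.example": {
        "issuer": ((("organizationName", "Example Internal CA"),),),
        "notBefore": "Sep 20 12:00:00 2016 GMT",   # in the window, different CA
        "notAfter": "Sep 20 12:00:00 2017 GMT",
        "serialNumber": "89AB2345",
    },
}


def issuer_org(cert):
    """Return the issuer organizationName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def in_window(cert):
    """True if the certificate's notBefore falls inside the announced issuance window."""
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    not_before = datetime.fromtimestamp(seconds, timezone.utc)
    return WINDOW_START <= not_before <= WINDOW_END


def triage(cert, issuer_match="GoDaddy"):
    """'review' when issuer matches and issuance is in the window, otherwise 'ok'."""
    org = issuer_org(cert) or ""
    if issuer_match.lower() in org.lower() and in_window(cert):
        return "review"
    return "ok"


def fetch_cert(host, port=443, timeout=5):
    """Live lookup: open a verified TLS connection and return the peer certificate dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def inventory(hosts, fetch=fetch_cert):
    """Map each host to (status, serial-or-error). Connection failures are recorded, not raised."""
    results = {}
    for host in hosts:
        try:
            cert = fetch(host)
            results[host] = (triage(cert), cert.get("serialNumber"))
        except (OSError, ssl.SSLError) as exc:
            results[host] = ("error", str(exc))
    return results


def run_sample():
    """Offline run over the constructed records; swap in fetch_cert for real hosts."""
    return inventory(list(SAMPLE_CERTS), fetch=lambda h: SAMPLE_CERTS[h])


if __name__ == "__main__":
    for host, (status, detail) in run_sample().items():
        print(f"{host:15} {status:7} {detail}")
```

Keep the serial numbers from the "review" rows: they are what you compare against the CA's revocation notice, and after reissue a second run should show the new serials and a notBefore outside the window.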
Does your organization have what it takes to quickly replace vulnerable certificates?