SSL (X.509) certificates have been the backbone of public key infrastructure and privilege management infrastructure since virtually the onset of the World Wide Web. But in recent years, SSL certificates have been in the headlines for all the wrong reasons, with certificate authorities (CAs) from RSA to the Dutch company DigiNotar suffering high-profile breaches.
A new InformationWeek Report, entitled Strategy: What’s Next for Certificate Technology, argues that SSL certificates have become so ubiquitous that they – and the infrastructure that supports them – have become taken for granted.
“Secure Sockets Layer and X.509 certificate technology are certainly not broken, but implementation of the technology often leaves something to be desired,” writes report author Brad Causey. “If we go back and examine how CAs have been compromised of late, it’s apparent that in nearly every case, infrastructure security was breached or bypassed.”
Meanwhile, the protocols used in the certificates themselves continue to function as designed and expected. But that hasn’t stopped all kinds of high-profile and high-impact breaches blamed on certificates or certificate authorities.
One of the biggest frustrations for IT and security professionals is that so much of certificate technology remains out of their hands, Causey notes. But there are still some proactive steps security teams should consider.
The report advocates making sure your organization is getting certificates from “a well-known, well-trusted vendor in the CA space,” and cautions that this is an area where “you get what you pay for” definitely applies.
“This is not to say that inexpensive certificates aren’t any good, but trying to get off cheaply may not be worth it in the long haul,” Causey writes.
Having the right vendor is an important first step, but management of the private key on your own site is equally critical, especially since a lost or stolen private key can be just as damaging as a breached network.