Preventing SSL Certificate Authority Breaches: Page 2 of 2

“There are countless products and tools on the market to assist a company with this challenge,” Causey writes. “Having a solid key management policy also helps in the unfortunate case that you do lose a private key or a key pair is duplicated or stolen.”

Behind that, Causey writes that “simple, basic network security” should not be underestimated. Simply making sure that applications, operating systems and browsers are patched and up to date can go a long way, and browsers should be configured to check certificates for validity and revocation when connecting to a Web site.

For certain applications, having a company-owned certificate authority makes a lot of sense, and it can make managing your network devices simpler and more secure. “There is nothing inherently wrong with self-signed certs, but you can do better,” writes Network Computing editor Mike Fratto in a guide to setting up your own certificate authority in 10 minutes.

Proper internal security measures are important to keep the infrastructure around SSL certificates locked down, but internal security practices alone won’t mitigate all of the risks which have led to high-profile breaches. The industry is reacting to these challenges with a number of initiatives.

First among them is a joint effort between Google and certificate authority Comodo to authorize certificates at the DNS level. Certification Authority Authorization (CAA) allows a DNS domain name holder to specify the CAs that are allowed to issue certificates for that domain.

“This puts at least some control over certificate issuance back in the hands of the domain owner, and will help prevent accidental or purposeful issuance of duplicate or fraudulent certificates,” Causey writes.
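As an added illustration of the CAA mechanism described above (example code written for this page, not code from the article, Google or Comodo), the following Python parses CAA records and applies the lookup and matching rules a CA uses before issuing, as later standardized in RFC 8659. The zone data, domain names and CA names are constructed for the example.

```python
"""Decide whether a CA may issue for a name, using CAA record semantics."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) marks the property as "issuer critical"
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # issuer domain; an empty value or ";" means "no CA may issue"


def parse_caa(rr: str) -> CAA:
    """Parse the zone-file form: '<flags> <tag> "<value>"'."""
    flags, tag, value = rr.split(None, 2)
    return CAA(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed sample zone data (hypothetical names, not from the article).
ZONE = {
    "example.com": ['0 issue "ca-one.example"', '0 iodef "mailto:security@example.com"'],
    "shop.example.com": ['0 issue "ca-one.example"', '0 issuewild ";"'],
}


def find_caa(name: str, zone=ZONE):
    """Climb from the name toward the root; the first name holding CAA records wins."""
    labels = name.lower().lstrip("*.").split(".")
    for i in range(len(labels)):
        rrs = zone.get(".".join(labels[i:]))
        if rrs:
            return [parse_caa(r) for r in rrs]
    return []


def issuer_domain(value: str) -> str:
    """Drop 'key=value' parameters: 'ca.example; accounturi=...' -> 'ca.example'."""
    return value.split(";", 1)[0].strip().lower()


def ca_authorized(name: str, ca: str, zone=ZONE) -> bool:
    """True if CA 'ca' may issue a certificate for 'name' (wildcard names start with '*.')."""
    rrset = find_caa(name, zone)
    if any(r.flags & 128 and r.tag not in ("issue", "issuewild", "iodef") for r in rrset):
        return False  # an unrecognised critical property forbids issuance
    wild = [r for r in rrset if r.tag == "issuewild"]
    relevant = wild if (name.startswith("*.") and wild) else [r for r in rrset if r.tag == "issue"]
    if not relevant:
        return True   # no applicable CAA records: issuance is not restricted
    return any(issuer_domain(r.value) == ca.lower() for r in relevant)
```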

The CA/Browser Forum, meanwhile, has developed a model for Extended Validation Certificates, for which the CA takes additional steps to ensure that the applicant has exclusive control over the domain for which the certificate is applicable. And Symantec has launched its own Certificate Intelligence Center, designed to help organizations manage numerous certificates.

Also in development is elliptic curve cryptography, an extension of the existing PKI: a new key-generation algorithm that makes it easier for companies to create exceptionally strong key pairs. Because of the random nature of the key pairs, “elliptic curve technology will be much harder to fake,” Causey writes.
