Security pros acknowledge risks from untrusted certificates but take no action

A Venafi survey of 300 Black Hat USA 2015 attendees reveals that most IT security professionals understand and acknowledge the risks associated with untrustworthy certificates and keys, but take no action. The survey also reveals that some information security pros don’t understand what security services CAs do and do not provide.

By design, cryptographic keys and digital certificates are natively trusted by servers and other security applications to provide for authentication and authorization for everything that is IP-based today, including all Internet of Things (IoT) devices. Yet this blind trust is being misused against organizations by cybercriminals so they can monitor and impersonate their targets to steal data.

Recent examples include the General Motors (GM) RemoteLink application hack, where a lack of SSL/TLS certificate validation facilitated the attack, and the Federal Reserve Bank of St. Louis, whose inconsistent use of SSL/TLS and multiple CAs (including GoDaddy) made it easy for attackers to set up fake websites, redirect visitors, and target Fed users.

There are hundreds of CAs issuing certificates across the globe, and the average organization has over 23,000 keys and certificates, according to Ponemon Institute research. When a major CA is breached, or when a CA fraudulently issues unauthorized certificates for an organization, attackers can impersonate, surveil, and monitor their organizational targets as well as decrypt traffic and impersonate websites, code, or administrators. Unsecured keys and certificates give attackers trusted access to the target's networks and allow them to remain undetected for long periods of time.

The survey revealed that:

90% of respondents believe a leading certificate authority, the primary supplier of trust on the Internet, will be breached within the next two years. Even though 90% surveyed believe a leading CA like Symantec, Entrust or Comodo will be compromised in the next two years, only 13% have existing automation to remediate. Without a CA migration plan and automation in place, all organizations using a public CA that is breached will have to rapidly migrate certificates issued from the compromised CA to another – manually. Given that the average organization has over 23,000 certificates and it takes about four hours to perform the necessary steps to replace one certificate on a single system, doing so manually for all certificates and associated keys is untenable.

74% of respondents don't understand that CNNIC is a clear and present danger and have done nothing about it, even after Google and Mozilla announced CNNIC was no longer trustworthy. When asked what action infosec pros have taken following the news that the official Chinese government CA "CNNIC" was no longer trusted by Google and Mozilla due to untrustworthy certificate issuance practices, only 26% actually removed CNNIC from all desktops, laptops and mobile devices. The rest of the respondents either took no action (23%), are waiting for Apple and Microsoft to take action (17%), or just don't know (34%).

Roughly two-thirds of infosec pros DO understand the risks associated with untrustworthy CAs like CNNIC. When asked what security risks would result from an untrustworthy CA issuing certificates for their browser, application or mobile device, 58% of respondents stated they are concerned about MITM attacks and 14% have concerns about replay attacks. This data indicates a major gap – they understand the risk, but aren’t doing anything about it.

63% of infosec professionals either falsely believe that a Certificate Authority secures certificates and cryptographic keys, or don't know whether it does. When asked if a CA protects them from theft, misuse or forgery of digital certificates, only 37% correctly responded no. The rest of the respondents said either yes (29%) or they don't know (34%). CAs only issue and revoke certificates – they don't monitor their use beyond that in the wild and ultimately cannot provide any security for them.

Even though mobile devices trust hundreds of CAs, survey respondents falsely believe their mobile devices trust only 3. When asked how many CAs are trusted on mobile devices, survey respondents believe it to be a median of 3. For Apple iOS devices the median answer was 2, when in fact it is over 240.
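The gap between the guessed and the real number of trusted roots is easy to measure on any system you administer. The snippet below is an added example, not from the article or from Venafi: it lists the root CAs that a Python runtime's default SSL context trusts, counts them, and checks whether any root matching a watch term (here "CNNIC", the CA named above) is still present, which is the check you would run after removing a CA to confirm it is really gone. It assumes Python's `ssl` module loads the platform's default CA bundle, so the count reflects that bundle (for example the OS CA file on Linux), not a browser's or a phone's trust store.

```python
import ssl


def _dn_to_str(name):
    """Flatten ssl's nested RDN tuples (((key, value),), ...) into 'key=value,...'."""
    return ",".join(f"{k}={v}" for rdn in name for k, v in rdn)


def list_trusted_roots():
    """Subject DNs of every CA certificate the default SSL context trusts.
    This is the bundle OpenSSL loaded for Python (e.g. the OS CA file on Linux),
    which may differ from browser or mobile trust stores."""
    ctx = ssl.create_default_context()          # calls load_default_certs() internally
    return [_dn_to_str(cert["subject"]) for cert in ctx.get_ca_certs()]


def count_trusted_roots():
    return len(list_trusted_roots())


def find_roots(watch_terms, roots=None):
    """Trusted roots whose subject contains any watch term (case-insensitive).
    Pass roots explicitly to check an exported list instead of the live store."""
    roots = list_trusted_roots() if roots is None else roots
    return [r for r in roots if any(t.lower() in r.lower() for t in watch_terms)]


if __name__ == "__main__":
    print(f"{count_trusted_roots()} root CAs trusted by this runtime")
    # 'CNNIC' is the CA the article discusses; an empty result means it is not trusted here.
    for r in find_roots(["CNNIC"]):
        print("still trusted:", r)
```

Note that `get_ca_certs()` only reports certificates OpenSSL has actually loaded; roots in a hashed `capath` directory appear only after they have been used once, so a CA file bundle gives the more complete answer.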

“The results of this survey are disturbing given the number of IT security professionals who recognize the threats posed by CAs and misused certificates, but lack the knowledge, understanding and automation to solve the problem and reduce the risk of attack,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. “From the DigiNotar breach to MCS Holdings and Google, organizations continue to blindly trust certificates and lack the ability to efficiently respond and develop future protections. Cybercriminals know the major impact of fraudulent issuance and misuse of keys and certificates and will continue to leverage them for APT-style attacks because they know they are effective.”

“Ultimately, if what our survey data says is true, and IT security professionals do understand the risks of untrusted CAs like CNNIC but do nothing about them, we will continue to see more and more MITM attacks and certificate-related breaches. Unfortunately, we live in a world without trust today because there is no immune system to detect keys and certificates that do not belong and are being misused as the bad guys accelerate their attacks. As a whole, global organizations and IT security and operations teams need to wake up and take the steps necessary to secure their keys and certificates and realize that the CAs just can’t help with that. As billions of devices come online and more IoT devices are widely adopted, it will become all the more critical to protect the keys and certificates that are used for authentication, validation, and privileged access control,” Bocek added.