With the National Security Agency recently issuing guidance on the risks associated with wildcard TLS certificates and Application Layer Protocols Allowing Cross-Protocol Attacks (ALPACA) techniques, it has many organizations and enterprise leaders wondering: What are the odds of a wildcard certificate being compromised and/or leading to serious consequences, and how can this prevented?
Before IT leaders can truly respond to and mitigate wildcard certificate security risks – and manage wildcard certificates – it’s essential to first understand what wildcard certificates are and why it’s a common, flexible and helpful, but risky certificate.
What is a wildcard certificate?
A wildcard certificate can be used by multiple subdomains of a registered domain. It’s like having one passport with a family’s last name, which lets anyone with the same family name use the passport to travel.
If a website uses a wildcard certificate, it will have an asterisk (*) and a period before their domain names. For example, a domain secured by a wildcard certificate is denoted by “https://*.WEBSITE.com,” where the “*” can be any of a website’s subdomains like help.WEBSITE.com, blog.WEBSITE.com, etc.
The rising popularity of wildcard certificates
Typically, organizations have multiple domains, which needs multiple certificates with different expiry dates. The challenge they face is to keep track of all those certificates and renew them before they expire. To simplify the tedious process, they use one wildcard certificate so that they can review once and apply that across multiple domains, or even have one entry point for all external domains. There is also a cost factor in play when multiple certificates need to be issued, renewed and managed vs. when a single certificate is used across the board.
Any usage of wildcard certificates might appear to be suitable for smaller organizations or limited number of exposed domains. The complexities of securing certificates for distributed applications cannot be overlooked. This exposes organizations to attacks through techniques like ALPACA – hence the NSA warning.
When one certificate is used for multiple sub domains, compromise of one certificate leads to a chain reaction affecting other services that make use of it for secure communication. If a wildcard certificate’s private key falls in the wrong hands, attackers can impersonate any domain covered by the wildcard certificate.
When a certificate is revoked, all servers need to be updated to use the new certificate. Before a certificate expires, it needs to be replaced with a new certificate. An expired certificate will face similar challenges as a revoked one, and organizations can face severe outages if the certificate is not renewed on time.
Mitigating wildcards certificate risks
If an organization uses wildcard certificates, it’s important to secure all deployments that use wildcard certificates by automating deployment and securing key management. We can prevent encryption getting compromised due to neglect or weak security standards by leveraging hardware security modules (HSMs) for storage and circulation, and automation workflows to minimize human contact with individual keys.
The second option is to use separate certificates for each application domain and secure keys and applications similar to the first option. However, that comes with overhead costs since certificates need to be managed manually. A certificate automation solution may come in handy and prove to be cost-effective in such cases.
Managing wildcard certificates
Organizations across verticals often have two pain points in public key infrastructure (PKI) management: lack of visibility into the digital certificate landscape and the lack of automation. While security teams consider visibility a must-have capability due to the problems its absence throws up on an almost daily basis, the importance of certificate lifecycle automation can’t be overlooked.
When investing in a certificate lifecycle management solution, organizations need to factor in visibility and automation, so that they get dual benefits of good scanning and monitoring capabilities as well as end-to-end automation.
Visibility is the cornerstone of any protection mechanism. Yet, most enterprises still have little to no visibility into their certificate infrastructure.
Most of the information that ensures full visibility (such as the number of certificates in use, their locations, their expiration dates, and their ownership details) are either improperly documented or not documented at all when managed manually in spreadsheets. Even when they are documented, the high risk of human error affects the accuracy of the inventory.
A holistic discovery solution that includes full featured certificate lifecycle management (CLM) as well as workflow automation will help provide visibility into all the certificates used in the origination, and maintain inventory of the certificates for crypto security standards and expiry dates to prevent security breaches and application outages.
Looking ahead, organizations need to carefully evaluate the risks that come with deployment of same wildcard certificate across multiple applications versus any other option that promises security. Investing in automation will make it easier as enterprises can achieve unlimited possibilities with limited resources.