What risks do untrusted certificates pose to enterprises?

Google and Mozilla announced plans to stop trusting Symantec Corp. certificates last year, but a researcher found that approximately 100,000 of these untrusted certificates are still in use across the Alexa Top 1 Million sites. Is 100,000 out of one million a lot? What are the security risks of running untrusted certificates before browsers completely shut them down?

Yes, 100,000 out of one million is a lot. It means one in ten sites are relying on untrusted digital certificates -- which is a lot given that Let's Encrypt, a free, automated and open certificate authority, now makes obtaining, installing and maintaining trusted digital certificates a simple process.

The fact that Arkadiy Tetelman, a senior application security engineer at Airbnb, found so many of the untrusted Symantec certificates still in use shows that too many administrators are not keeping abreast of the security news and events that affect the products and services they rely on to keep their systems and users secure.

Certificates are the foundation of authentication on the internet. They're issued by a certificate authority (CA) and enable users to verify that a website owner is who they say they are. Therefore, it's essential that CAs follow best practices and can be trusted.

Unfortunately, following a series of questionable website authentication certificates issued by Symantec's public key infrastructure (PKI) business -- which included certificate authorities Thawte, Verisign, Equifax, GeoTrust and RapidSSL -- that did not comply with the CA/Browser Forum Baseline Requirements, the PKI community agreed on a plan to reduce, and ultimately remove, trust in Symantec's infrastructure in order to maintain users' security and privacy when browsing the web.

Symantec opted to sell a majority stake in its PKI business to DigiCert in August 2017, and while DigiCert is making good on the remediation to which Symantec agreed, there are still thousands of untrusted certificates currently used by Symantec customers.

Chrome 66, released in April 2018, no longer trusts Symantec certificates issued prior to June 1, 2016. More than 11,000 websites will experience a huge drop in traffic and sales when this happens, as connections to websites using these untrusted certificates will be rejected, along with a browser security warning that states "Your connection is not private."

Chrome 70, scheduled for release in October 2018, will fully remove trust in any certificate chaining to Symantec roots, which will impact at least another 91,000 sites unless the site administrators replace existing Symantec-issued certificates with a new certificate from a CA trusted by Chrome. Firefox 60, scheduled for release in May 2018, will distrust Symantec certificates issued before June 1, 2016, and Firefox 63, scheduled for December 2018, will distrust the rest of Symantec's certificates.

Site administrators can find information on how to replace Symantec SSL/TLS certificates on its official blog. This should be a priority for administrators; not just because they will lose business, but because expired or untrusted certificates undermine the trust users place in certificates and play into the hands of cybercriminals. If visitors become accustomed to seeing a security warning when visiting a site with an untrusted certificate, they may ignore it, leaving them open to attacks by hackers who can trick them into visiting a similar-looking site also using an untrusted certificate to impersonate the real site.

Any administrator who sees a sudden drop in traffic should check that their site certificate is still valid, as an expired or untrusted certificate will stop many users from accessing the site. To avoid the likelihood of this occurring, it's essential to maintain a record of certificate validity periods and ensure the renewal process is started by thirty days before the certificate expires. A regular audit will also catch any certificates signed using weak hashing algorithms, such as SHA-1 and MD5, or signed using RSA keys less than 2048 bits. There should also be a documented procedure for removing certificates that are no longer trusted from all desktops, laptops and mobile devices

Once these policies are in place, it is worth considering developing a CA migration plan in case any certificate's CA is compromised. Given that the average organization has over 23,000 certificates, replacing them manually while under pressure is a recipe for disaster, and waiting for Microsoft, Apple, Google, Firefox and others to take the necessary action is not a viable option.

To check if your existing certificates are signed by a trusted authority, valid and correctly installed, sites such as DigiCert's SSL testing site provide detailed feedback about a site's certificate.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)