Security Pros: Be on High Alert for Certificate Changes

They say that the key to good security is constant vigilance. As a practical matter, this means that it's important for security and network pros to pay attention to two things: changes in the threat landscape, so they can be on the alert for how their systems might be attacked; and changes and developments in the technologies they employ.

It's in light of the second part -- paying attention to changes in the underlying technology -- that I want to call attention to a potential change that's under discussion right now. It's a change that may not seem overly significant on the surface, but that has potential long-term consequences lurking below the surface.

These consequences matter quite a bit. If they're not planned for, these changes can lead to dozens of wasted hours spent looking for difficult-to-debug application failures, potential service interruptions, or other impacts that may not be apparent when viewed cursorily. I'm referring here to proposed changes under discussion related to the lifetime of X.509 certificates used for TLS/SSL sessions.

So what's going on with certificates? The backstory is that Google proposed at the June 2019 CA/B Forum meeting to shorten the maximum lifespan of X.509 certificates used for TLS once again, this time to just over one year (397 days).

The CA/Browser Forum (CA/B Forum) is a consortium of PKI industry stakeholders: certificate authorities (the organizations that actually issue certificates) and certificate consumers (software vendors, such as browser and operating system makers, whose products rely on the certificates being issued). Its mandate is to establish security practices and standards (the Baseline Requirements) for the public PKI ecosystem.

The current maximum of 825 days (a little over 27 months, usually described as "two years"), which took effect in March 2018, replaced the previous 39-month (roughly three-year) limit. This time, the forum is revisiting the one-year limit it declined to adopt last time. As was the case then, there has been some natural pushback from the certificate authorities in the business of actually issuing the certificates involved.

Who Cares How Long the Lifetime Is Anyway?

The fact of the matter is that there are some good arguments to be made on both sides of the certificate lifespan fence, both supportive and critical of shortening the maximum certificate lifespan.

First, there is the issue of certificate revocation. Specifically, it is the responsibility of those relying on certificate validity (for most use cases, this means browsers like Chrome, Edge and Firefox) to ensure that revocation status for certificates is checked appropriately. This is the kind of thing that sounds easy to do until you think through the full scope of what it entails.

For example, it's not just browsers that have to implement validity checking. So do software libraries (e.g. OpenSSL, wolfSSL), operating system certificate stores (e.g. Windows CAPI/CNG), middleboxes such as CASB and other monitoring products that perform HTTPS interception, and a bunch of others.

As one might suspect given that complexity, not every implementation does this well or as thoroughly as is desirable (as US-CERT noted in its technical alert TA17-075A on HTTPS interception). A shorter lifespan puts a hard ceiling on the damage: a revoked certificate can keep being presented to a client that never checks revocation status only until it expires, so a 397-day maximum roughly halves that window compared with 825 days.

On the other hand, keep in mind that most new applications rely heavily on Web services as a key method of operation. It's not just browsers and associated products that rely on certificates, but increasingly it's also applications themselves.

This in turn means that when a certificate expires, the impact is not limited to a warning page for people visiting a website. An application that calls a critical Web service, such as the server end of a RESTful API where the business logic actually lives, can no longer establish a secure channel and simply fails. Certificate expiration then surfaces as an unexpected application failure ("it worked yesterday but doesn't work now") that is difficult to debug, because what the application usually reports is a generic TLS handshake or connection error several layers away from the certificate itself.

There's a tradeoff, no matter how you slice it, from an end-user practitioner viewpoint. A shorter lifespan potentially can help alleviate problems resulting from failure to properly implement revocation checking, but at the same time can lead to application failures in environments where certificate expiration is not tracked rigorously. Note that this is in addition to the arguments made for and against by CAs, browser developers, and other stakeholders in the CA/B Forum.

What Security Practitioners Can Do

Regardless of where you fall on the spectrum of for/against this particular change, there are a few things that practitioners can and should do to ensure that their houses stay in order. First of all, there arguably would be less need to look for alternative strategies to limit exposure from revoked certificates if everybody did a better job of validating revocation status in the first place.

If you're using a product like a CASB (or other interception-based monitoring tool), if you're developing applications that employ TLS-enabled RESTful APIs, using reverse proxies, or otherwise handling the client side of TLS sessions, it's a must-do to ensure that revocation status checking is performed and performed accurately.

This is a good idea regardless, but the fact that those in the know are pushing this change suggests that the problem may be worse than you might think.
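To make the gap concrete, here is an added example (my own script, not code from the article) that builds a throwaway CA and leaf certificate with the openssl CLI, revokes the leaf, publishes a CRL, and then runs `openssl verify` twice: once the way most code validates certificates (chain and expiry only) and once with `-crl_check` and the CRL supplied. Every name, path and config key in it is made up for the demonstration; it needs only `openssl` and a temp directory.

```shell
#!/bin/sh
# Added example (not the article's code): a throwaway CA, a leaf certificate,
# and a CRL revoking that leaf, all created with the openssl CLI in a temp dir.
# It shows that 'openssl verify' accepts the revoked leaf unless revocation
# checking is switched on, which is exactly the gap the article describes.
# All names are made up; nothing here touches a real CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config for 'openssl req' and 'openssl ca' so no system openssl.cnf is needed.
write_config() {
    cat >"$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 7
policy           = demo_policy
[ demo_policy ]
commonName = supplied
EOF
}

# Build CA + leaf, then revoke the leaf and publish a CRL signed by the CA.
build_pki() (
    cd "$WORK"
    write_config
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout ca.key -out ca.pem -subj '/CN=Demo Root CA' 2>/dev/null
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -sha256 \
        -keyout leaf.key -out leaf.csr -subj '/CN=api.example.test' 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 30 -sha256 -out leaf.pem 2>/dev/null
    : >index.txt; echo 01 >serial; echo 01 >crlnumber
    openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
)

# Chain validation only (the default in most code): the revoked leaf is accepted.
verify_without_revocation_check() (
    cd "$WORK"
    if openssl verify -CAfile ca.pem leaf.pem >/dev/null 2>&1; then echo accepted; else echo rejected; fi
)

# Same leaf with -crl_check and the CA's CRL supplied: rejected.
verify_with_crl_check() (
    cd "$WORK"
    if openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
)

# The reason string from the failing verification.
crl_check_reason() (
    cd "$WORK"
    openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem leaf.pem 2>&1 \
        | grep -o 'certificate revoked' | head -n 1 || true
)

build_pki
echo "without revocation check: $(verify_without_revocation_check)"
echo "with -crl_check:          $(verify_with_crl_check) ($(crl_check_reason))"
```

The first verification says "accepted" and the second "rejected (certificate revoked)". The point to carry into application code is that the first behaviour is the default: OpenSSL's `X509_verify_cert` does not consult CRLs unless `X509_V_FLAG_CRL_CHECK` is set and a current CRL has been loaded, and client libraries built on it generally inherit that default. In production the CRL comes from the issuer's CRL distribution point, or the status comes from OCSP; `openssl s_client -connect host:443 -status` shows whether a server staples an OCSP response, which is the cheapest check to ask your API clients to honour.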

Second, keep track of the expiration of certificates in your environment. Ideally, keep a record of who issued them, when they expire, along with a contact point for each one (someone to hassle in the event that it expires).

If you can, routinely canvass the environment for new TLS-enabled listeners that you don't expect. If you have budget to invest, there are commercial products that do this. If not, you can get information about certificate expiration from vulnerability scan results.

Worst case, a script that systematically trawls an IP address range looking for TLS servers (and records the certificate details, including issuer and expiration) isn't hard to write with OpenSSL's "s_client" command or nmap's "ssl-cert" NSE script (nmap --script ssl-cert). Again, this is useful to do anyway, but if the lifespan gets shorter going forward, it will provide more value.
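Here is an added example of such an inventory script (my own, not code from the article), covering the record-keeping and the canvassing steps above. It takes host:port targets, or the open ports from an nmap grepable scan, pulls each listener's certificate with `openssl s_client`, and writes one line per listener with subject, issuer, expiry, days remaining, issued lifetime and findings. The 30-day warning threshold, the record layout and the awk date parser are this example's own choices; 397 is the cap under discussion.

```shell
#!/bin/sh
# Added example (not the article's code): a TLS listener inventory built on
# 'openssl s_client' and nmap grepable output. Records subject, issuer and
# validity for every listener, and flags certificates that are expired,
# expiring within WARN_DAYS, or issued with a lifetime over MAX_LIFETIME_DAYS.
set -eu

WARN_DAYS=30            # renewal lead time (assumption for this example)
MAX_LIFETIME_DAYS=397   # the cap proposed at the CA/B Forum
NOW=$(date +%s)

# Convert an OpenSSL date such as 'Sep 21 12:00:00 2020 GMT' to epoch seconds.
# Done in awk (days-from-civil arithmetic) so it does not need GNU 'date -d'.
to_epoch() {
    printf '%s\n' "$1" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
        d = $2 + 0; y = $4 + 0; split($3, t, ":")
        y -= (m <= 2)
        era = int((y >= 0 ? y : y - 399) / 400); yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        days = era * 146097 + doe - 719468
        print days * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# notBefore and notAfter of a PEM certificate file, as epoch seconds.
cert_validity() {
    nb=$(openssl x509 -noout -startdate -in "$1" | sed 's/^notBefore=//')
    na=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    echo "$(to_epoch "$nb") $(to_epoch "$na")"
}

# One inventory record for a PEM file, evaluated at epoch time $2:
#   subject|issuer|notAfter|days_left|lifetime_days|findings
summarise_cert() {
    pem=$1; now=$2
    set -- $(cert_validity "$pem")
    nb=$1; na=$2
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$pem" | sed 's/^subject= *//')
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$pem" | sed 's/^issuer= *//')
    enddate=$(openssl x509 -noout -enddate -in "$pem" | sed 's/^notAfter=//')
    lifetime=$(( (na - nb) / 86400 ))
    days_left=$(( (na - now) / 86400 ))
    findings=""
    if [ "$na" -le "$now" ]; then findings="expired"
    elif [ "$days_left" -le "$WARN_DAYS" ]; then findings="expiring-soon"; fi
    if [ "$lifetime" -gt "$MAX_LIFETIME_DAYS" ]; then
        findings="${findings:+$findings,}over-${MAX_LIFETIME_DAYS}-day-cap"
    fi
    printf '%s|%s|%s|%s|%s|%s\n' "$subject" "$issuer" "$enddate" "$days_left" "$lifetime" "${findings:--}"
}

# Parse nmap grepable output (e.g. nmap -p 443,8443 --open -oG scan.gnmap 10.0.0.0/24)
# into "host port" lines, one per open TCP port.
targets_from_nmap() {
    awk -F'\t' '/Ports:/ {
        split($1, h, " "); host = h[2]
        for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
            n = split(substr($i, 8), ports, ", ")
            for (j = 1; j <= n; j++) {
                split(ports[j], f, "/")
                if (f[2] == "open" && f[3] == "tcp") print host, f[1]
            }
        }
    }'
}

# Fetch the certificate served on host:port (SNI = host) and print its record.
scan_target() {
    host=$1; port=$2; now=$3; tmp=$(mktemp)
    if openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -outform PEM >"$tmp" 2>/dev/null; then
        printf '%s|%s|' "$host" "$port"
        summarise_cert "$tmp" "$now"
    else
        printf '%s|%s|no-tls-listener-or-unreachable\n' "$host" "$port"
    fi
    rm -f "$tmp"
}

# Usage: sh tls-inventory.sh host:port [host:port ...]
#        sh tls-inventory.sh --from-nmap scan.gnmap
case "${1:-}" in
    "") echo "usage: $0 host:port ... | $0 --from-nmap scan.gnmap" >&2 ;;
    --from-nmap)
        targets_from_nmap <"${2:?nmap grepable output file required}" |
            while read -r host port; do scan_target "$host" "$port" "$NOW"; done ;;
    *) for target in "$@"; do scan_target "${target%:*}" "${target##*:}" "$NOW"; done ;;
esac
```

The output is pipe-separated so it drops straight into a spreadsheet or a ticketing import; add the owner contact column by hand, since nothing in the certificate tells you whom to hassle. The "over-397-day-cap" finding is the one that matters for the proposal: those certificates could not be issued under the new rule, so their renewal cadence is the first thing that changes. If you prefer nmap end to end, `nmap --script ssl-cert -p 443 <range>` prints the same subject, issuer and validity fields per host.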

By taking some time and doing a bit of planning now, you can make sure your environment stays optimally positioned, regardless of which way the powers that be ultimately decide to go. Since these measures are prudent anyway, even if the outcome is no shortening of the expiration lifespan, you still derive value from having implemented them.

Ed Moyle is general manager and chief content officer at Prelude Institute. He has been an ECT News Network columnist since 2007. His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure solutions development. Ed is co-author of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as author, public speaker and analyst.
