You may have seen that Amazon Web Services has launched its ‘Certificate Manager’ platform this week, allowing developers access to free SSL certificates.
While this will help developers avoid the costs of digital certificate renewal, it is not without its risks. Kevin Bocek, VP Security Strategy at Venafi, comments on the dangers of free SSL certificates from.
Kevin Bocek, VP of Security Strategy and Threat Intelligence, Venafi:
“With the launch of Let’s Encrypt, we anticipated others would follow in the same footsteps to offer free digital certificates. That’s why it’s not surprising to see Amazon Web Services (AWS) recently launch their own free digital certificate offering. What’s critically important here is that enterprises realise the risk of utilising free certificates, which cybercriminals love to take advantage of, as we saw recently with hackers using ‘Let’s Encrypt’ for malvertising attacks. This is just another reason why how you protect keys and certificates is much more important than where you get them!
With AWS apps like load balancing, not EC2, it can lock you into using just AWS since it keeps the private keys. Because of this, we caution enterprises about using AWS and any free certs if they are serious about protecting their own IP and their customers’ data. While AWS certificates may be good for building quick apps, they cannot provide true enterprise-class security to the Global 5000. Mark my words: it’s just a matter of time before we see cybercriminals leveraging these free AWS certificates to hide in encrypted traffic, masking themselves to go unnoticed while they steal sensitive data.”
About Venafi
Venafi is the Immune System for the Internet™ and protects the foundation of all cybersecurity—cryptographic keys and digital certificates—so they can’t be misused by bad guys in attacks. In today’s connected world, cybercriminals want to gain trusted status and remain undetected, which makes keys and certificates a prime target. Unfortunately, most security systems blindly trust keys and certificates. Venafi patrols across the network, on devices, and behind the firewall, constantly assessing which SSL/TLS, SSH, WiFi, VPN and mobile keys and certificates are trusted, protecting those that should be trusted, and fixing or blocking those that are not.
As the market-leading cybersecurity company in Next Generation Trust Protection (NGTP) and a Gartner-recognized Cool Vendor, Venafi delivered the first Trust Protection Platform™ to protect keys and certificates and eliminate blind spots from threats hidden in encrypted traffic. As part of any enterprise infrastructure protection strategy, Venafi TrustAuthority™, Venafi TrustForce™, and Venafi TrustNet™ help organizations regain control over keys and certificates by establishing what is self and trusted on mobile devices, applications, virtual machines and network devices and out in the cloud. Venafi protects Any Key. Any Certificate. Anywhere™. From stopping certificate-based outages to enabling SSL inspection, Venafi creates an ever-evolving, intelligent response that protects your network, your business, and your brand. Venafi Threat Center also provides primary research and threat intelligence for attacks on keys and certificates.
Venafi customers are among the world’s most demanding, security-conscious Global 5000 organizations in financial services, retail, insurance, healthcare, telecommunications, aerospace, manufacturing, and high tech. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners, and Origin Partners.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.