For their Breaking Digital Trust Report, researchers from Keyfactor analyzed 500,000 digital certificates to identify common certificate defects that could impact organizational security and determine the scale of the issue. They discovered that 91,239 of the 504,736 certificates, a concerning 18.08%, contained at least one identified risk factor.
Certificates are Significant
Digital certificates are the foundation of machine identity management, a key component of digital trust, which ensures trust across networks, applications, and cloud environments. They act as electronic credentials, verifying the authenticity of devices, servers, or users using cryptography and public key infrastructure (PKI). They ensure that only trusted entities connect to networks and contain identifiable information, such as a user’s name, device’s IP address, and a public key. Digital certificates are issued by CAs, which sign a certificate to prove the authenticity of the individual or organization that issued the request.
Machine identity management is the discovery, management, and protection of machine identities that govern the confidentiality and integrity of information and communication between machines. A business cannot evolve without a good foundation of digital trust, and effective machine identity management accelerates digital transformation while eliminating security incidents. It is a critical determinant of success and security for online enterprises.
Digital trust is essential for modern businesses. It refers to the confidence that users have in digital systems, organizations, or platforms to safeguard their data, operate consistently, and adhere to ethical standards. It also provides the platform on which organizational transactions are built, whether between themselves, other businesses, or their customers.
Risky Business
The certificate defects unearthed by the report were generally categorized into four types of risks:
- Cryptographic compromise: Cryptographic issues that compromise an individual key.
- Validation failure: Chain validation failures that prevent a certificate’s use for its intended purpose.
- Policy error: Violations of policy that suggest a misconfigured Certificate Authority (CA)
- Trust violation: Trust hierarchy errors and inconsistencies that threaten to compromise the whole PKI.
Identified Certificate Issues
Within the four specified risk categories, the notable certificate issues were as follows:
Unnecessarily Long Lifespans
The report found that 1 in 13 certificates had a lifespan of over 2 years, including some set to expire on Dec 31, 9999, at 23:59:59 PM UTC, which is the latest possible date and time. Shortened certificate lifespans protect users by reducing the impact of compromised keys.
Negative Serial Numbers
Keyfactor researchers found that 1 in every 27 certificates did not have a positive serial number. This is a red flag because you can infer these certificates were not carefully issued by a robust process featuring the input of a PKI administrator.
No Specified Key Usage
It was found that 1 in every 29 certificates had no key usage specified. Certificates that do not explicitly include a key usage field are interpreted as usable for all available purposes, permitting anyone holding the private key to be trusted for authentication. This creates an environment where malware could be signed, for example.
Absence of Basic Constraints
The report discovered that 1 in every 32 certificates was not issued by a CA with Basic Constraints. Having Basic Constraints means validation can only be confirmed if certificates lower in the chain adhere to the specifications set higher in the chain. Without this enforcement, the PKI is at risk of issuing CA that could compromise the entire PKI.PKI infrastructure uses asymmetric encryption methods to ensure that messages remain private and to authenticate the person or device sending the transmission.
Large File Sizes
OpenSSL allocates 100kB as standard for an entire certificate chain, and Keyfactor encountered
Individual certificates as large as 87kB. These large file sizes that are close to the limit are significant because ‘as this is already close to the limit, it risks inconsistent recognition of the certificate when the entire chain is sent.’
Cause for Concern
Encryption is a fundamental security measure designed to protect data from unauthorized access, with PKI arguably being the most common cryptography method. For CISOs and security teams, these findings, particularly those relating to unspecified key usage and certifications without Basic Constraints, are a real concern. These two discoveries, in particular, represent what the report deems as ‘critical defects’ that have ‘the power to compromise an entire PKI.’
More broadly, the findings are a wake-up call for organizations unsure of how many certificates they have and what state they are in. Having visibility and taking proactive steps to address vulnerabilities goes beyond good practice and compliance, as it combats damaging cybercrime while reinforcing the concept of digital trust in society.
Adam Parlett is a cybersecurity marketing professional who has been working as a project manager at Bora for over two years. A Sociology graduate from the University of York, Adam enjoys the challenge of finding new and interesting ways to engage audiences with complex Cybersecurity ideas and products.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
