Numerous websites and services have already reported issues across computers, web browsers and other devices due to the recent expiration of Let’s Encrypt’s root certificate. Older devices are especially affected, since many can no longer verify or “trust” certain certificates issued by this certificate authority.
<p>The expiration of a root CA (certificate authority) certificate does not in itself create a security problem, but rather a disruption to the availability of any certificate that chains to that particular root. This in turn can lead to a number of situations in which users may be forced to click through exception messages, leading to bad user habits or, in extreme cases, causing an application to no longer behave as expected, which is what we’re seeing now with the numerous websites and services that did not heed Let’s Encrypt’s notifications about the upcoming expiration.</p>
<p>When transitioning from an expired root certificate to a new one, in most cases the greatest issue is a lack of automation to distribute the new root CA certificate to those devices that need to trust it. In many organizations, the root CA certificate stores (otherwise known as roots of trust) are not managed universally. This can lead to situations like only updating part of the network (say, Windows via GPO) but not the entirety of devices that need to trust the new root. In the case of IoT devices the problem is compounded, as most IoT devices still rely on firmware and software updates to manage roots of trust. Therefore, these devices are wholly dependent on users taking action. In both cases, a failure to update the roots of trust properly can lead to outages or disruptions in normal use.</p>
<p>Management of the roots of trust for all devices is part of having a well-defined crypto agility strategy. Any reasonable crypto agility strategy will consider how to manage and handle regular lifecycle events, including the revocation or expiration of a root CA. The crypto agility strategy will allow executives to quickly identify the scope of the impact on their organization and make an informed decision about their organization’s priorities with respect to risk and the urgency of remediation.</p>
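<p>The two preceding points, that an expired root only breaks devices whose trust store was never given the new root, and that a crypto agility plan must be able to enumerate which devices those are, can be modelled in a few lines. The following Python is an added example, not code from the original article or from Let’s Encrypt: the chains, the three devices and their trust stores are constructed for illustration, and only root expiry (not intermediate expiry) is modelled.</p>

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed, simplified model of the Let's Encrypt root transition: chains
# are hand-written, only the root's expiry is modelled, and the two root
# names and their expiry days are the published ones.
OLD_ROOT = "DST Root CA X3"   # expired 2021-09-30
NEW_ROOT = "ISRG Root X1"     # valid until 2035-06-04
BEFORE = date(2021, 9, 1)     # a day before the old root expired
AFTER = date(2021, 10, 15)    # a day after it expired

@dataclass
class TrustStore:
    """The roots of trust one device holds, each with its notAfter date."""
    device: str
    roots: Dict[str, date]

# Chains are listed leaf-first as (subject, issuer) pairs. A server can send
# the leaf chained to the new root directly, or via the copy of the new root
# cross-signed by the old root, so both paths are modelled.
Chain = List[Tuple[str, str]]
CHAINS: List[Chain] = [
    [("www.example.org", "R3"), ("R3", NEW_ROOT)],
    [("www.example.org", "R3"), ("R3", NEW_ROOT), (NEW_ROOT, OLD_ROOT)],
]

def chain_validates(chain: Chain, store: TrustStore, on: date) -> bool:
    """Anchor at the first issuer the device trusts (assumes a validator that
    may stop there; some older validators insisted on reaching the last cert)."""
    for _subject, issuer in chain:
        if issuer in store.roots:
            return store.roots[issuer] > on   # expired anchor: validation fails
    return False                              # no trusted anchor at all

def impact_report(stores: List[TrustStore], on: date) -> List[str]:
    """Scope of impact: devices for which no presented chain validates that day."""
    return [s.device for s in stores
            if not any(chain_validates(c, s, on) for c in CHAINS)]

# Constructed fleet: what each device trusts depends on how its store is managed.
FLEET = [
    TrustStore("windows-laptop (GPO-managed)", {OLD_ROOT: date(2021, 9, 30), NEW_ROOT: date(2035, 6, 4)}),
    TrustStore("phone (vendor OS update)", {NEW_ROOT: date(2035, 6, 4)}),
    TrustStore("iot-camera (firmware never updated)", {OLD_ROOT: date(2021, 9, 30)}),
]

if __name__ == "__main__":
    for day in (BEFORE, AFTER):
        print(day, "cannot validate:", impact_report(FLEET, day))
```

<p>Before the expiry every device validates; afterwards only the device whose store was never updated with the new root fails, which is exactly the population an inventory of roots of trust lets you find before the date rather than after.</p>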