Venafi praises industry players on their handling of the latest CA security issues
According to Jeff Hudson, CEO of enterprise key and certificate management (EKCM) specialist Venafi, while the move by Mozilla and Microsoft to pull trust in the compromised CA has been prompt, it has still not stopped certificates from the Malaysian intermediate CA (not to be confused with DigiCert in the US) from reportedly being used to sign malware as part of a spear phishing attack against another Asian certificate authority (http://bit.ly/tyXMzw).
"Never in the history of the security industry has something that's happened once not happened again. With Digicert Malaysia joining the ranks of other CA failures, businesses and browser manufacturers alike need to move past the shock and begin formulating recovery and business continuity plans. There will be more CA breaches in the future, and more users, companies and government agencies will be impacted if the affected organizations don't have actionable recovery plans in place," Hudson said. "The fact is that CAs are a very juicy, high-value target."
"It's very easy to be critical of the Malaysian intermediate CA, but we don't know the full facts surrounding the case, and until we do, I don't think it is fair to speculate on the reasons - and possible failures - surrounding this latest CA problem. However, in spite of prompt action by Firefox and Microsoft, the challenge of ensuring that the Malaysian CA is now removed from all trust stores is going to be very time consuming and troublesome without effective certificate management tools," he added.
The Venafi CEO went on to say that revocation was inevitable after it was discovered that the Digicert Malaysia CA had apparently issued 22 certificates with weak 512-bit RSA keys, a recognised worst practice, as well as missing certificate extensions and revocation information. "In their case, they were not following industry best practices around acceptable encryption key strengths," he said. "Without an automated platform and discovery engine, it will be very difficult for organizations to locate and replace all the affected Digicert Malaysia certificates."
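The two defects named above, an RSA key far below the accepted minimum and the absence of revocation-related extensions, are exactly what a certificate discovery tool has to flag when sweeping an estate for affected certificates. The following stdlib-only Python scanner is an added example, not Venafi's product or any code from the original article: it walks the DER structure of an X.509 certificate, reads the RSA modulus size from the SubjectPublicKeyInfo, lists the extension OIDs, and reports any certificate under 1024 bits or lacking a CRL Distribution Points or Authority Information Access extension. The 1024-bit threshold, the sample certificates and their names are assumptions for the example; the samples are constructed in the code with dummy signatures and are not real certificates.

```python
"""Scan DER X.509 certificates for weak RSA keys and missing revocation extensions.
Added example (not from the article or Venafi). Structure is read only; no signature
verification is attempted."""

OID_RSA = "1.2.840.113549.1.1.1"       # rsaEncryption
OID_SHA1_RSA = "1.2.840.113549.1.1.5"  # sha1WithRSAEncryption (only used for samples)
OID_CN = "2.5.4.3"                     # commonName (only used for samples)
OID_CRL_DP = "2.5.29.31"               # CRL Distribution Points
OID_AIA = "1.3.6.1.5.5.7.1.1"          # Authority Information Access (OCSP/caIssuers)
MIN_RSA_BITS = 1024                    # assumed policy floor; 512 is well below it


# ---- minimal DER encode/decode helpers ------------------------------------
def _tlv(tag, content):
    """Encode one DER element with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(content):
    arcs, n = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out


# ---- the scanner -----------------------------------------------------------
def analyze_certificate(der):
    """Return {'rsa_bits', 'extensions', 'findings'} for one DER certificate."""
    _, cert, _ = _read_tlv(der, 0)
    tbs = _children(_children(cert)[0][1])    # tbsCertificate fields
    if tbs[0][0] == 0xA0:                     # explicit [0] version (absent in v1)
        tbs = tbs[1:]
    # tbs is now: serial, signature alg, issuer, validity, subject, SPKI, [...]
    alg_el, pub_el = _children(tbs[5][1])
    rsa_bits = None
    if _decode_oid(_children(alg_el[1])[0][1]) == OID_RSA:
        _, rsa_key, _ = _read_tlv(pub_el[1][1:], 0)   # skip BIT STRING unused-bits byte
        modulus = _children(rsa_key)[0][1]             # RSAPublicKey.modulus
        rsa_bits = int.from_bytes(modulus, "big").bit_length()
    extensions = []
    for tag, val in tbs[6:]:
        if tag == 0xA3:                       # explicit [3] Extensions
            for _, ext in _children(_children(val)[0][1]):
                extensions.append(_decode_oid(_children(ext)[0][1]))
    findings = []
    if rsa_bits is not None and rsa_bits < MIN_RSA_BITS:
        findings.append("weak RSA key: %d bits" % rsa_bits)
    if OID_CRL_DP not in extensions:
        findings.append("no CRL Distribution Points extension")
    if OID_AIA not in extensions:
        findings.append("no Authority Information Access extension")
    return {"rsa_bits": rsa_bits, "extensions": extensions, "findings": findings}


# ---- constructed sample certificates (assumed, unsigned, not real) ---------
def _integer(n):
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _encode_oid(OID_CN) + _tlv(0x0C, cn.encode()))))


def build_sample_certificate(modulus_bits, extension_oids):
    """Build a structurally valid but unsigned certificate for scanning.
    The modulus is a placeholder of exact bit length, not a real key."""
    modulus = (1 << (modulus_bits - 1)) | 1
    rsa_key = _tlv(0x30, _integer(modulus) + _integer(65537))
    spki = _tlv(0x30, _tlv(0x30, _encode_oid(OID_RSA) + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" + rsa_key))
    sig_alg = _tlv(0x30, _encode_oid(OID_SHA1_RSA) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"111101000000Z") + _tlv(0x17, b"121101000000Z"))
    fields = [_tlv(0xA0, _integer(2)), _integer(1), sig_alg, _name("Sample Issuer"),
              validity, _name("sample.example"), spki]
    if extension_oids:                        # dummy extnValue bodies; scanner reads OIDs only
        exts = b"".join(_tlv(0x30, _encode_oid(o) + _tlv(0x04, b"\x30\x00")) for o in extension_oids)
        fields.append(_tlv(0xA3, _tlv(0x30, exts)))
    tbs = _tlv(0x30, b"".join(fields))
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" + b"\x00" * 16))


if __name__ == "__main__":
    for label, der in [("weak", build_sample_certificate(512, [])),
                       ("good", build_sample_certificate(2048, [OID_CRL_DP, OID_AIA]))]:
        print(label, analyze_certificate(der))
```

Against a real estate the input would be the DER bodies pulled from servers, key stores and HSM inventories rather than the constructed samples; the same `analyze_certificate` call applies, and any certificate with a non-empty `findings` list is one to replace or at least to check against the CA's published list of affected serial numbers.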
"To me," he explained, "this sounds like sloppy administration and a weak approach to audit procedures, but this won't be the first - and probably won't be the last - time that these governance and procedural failures have potentially sunk a business that relies on third-party trust providers for its operations."
"SSL and PKI remain solid and reliable technologies. That does not mean that enterprises can relax. They need to be aware that any individual third-party trust provider, like a CA, can be compromised. These are known risks. And known risks require solid, well-conceived contingency plans," Hudson added.
For more on Venafi: www.venafi.com
For more on the Malaysian Digicert issue: http://bit.ly/rBE8L9
Venafi is the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions. Venafi delivered the first enterprise-class platform to automate the provisioning, discovery, monitoring and management of digital certificates and encryption keys, from the desktop to the datacenter, built specifically for encryption management interoperability across heterogeneous environments. Venafi products reduce the unquantified and unmanaged risks associated with encryption deployments that result in data breaches, security audit failures and unplanned system outages. Venafi also publishes best practices for effective key and certificate management at www.venafi.com/best-practices. Venafi customers include the world's most prestigious Global 2000 organizations in financial services, insurance, high tech, telecommunications, aerospace, healthcare and retail. Venafi is backed by top-tier venture capital funds, including Foundation Capital, Pelion Venture Partners and Origin Partners. For more information, visit www.venafi.com.