Wednesday morning, May 12, 2010, was not a good day for buying a birthday present from Target.com’s gift-card site. One eager buyer wanting to start the day by ensuring that Aunt May got her annual birthday surprise was stopped in his tracks courtesy of a “This Connection is Untrusted” message due to an expired digital security certificate on the website.
There were certainly many online buyers thwarted that day in their efforts to purchase items. Target may be the most recent example of retailers inadvertently letting their certificates expire, but it’s far from alone. Such lapses are becoming an almost weekly e-tail occurrence. As the holiday season bears down on us, expired security certificates and the associated lost revenue and potential for brand damage are a nightmare that all retailers fear.
The problem is easy enough to let happen, which is the real issue. The nature of SSL certificates that secure our online communication and transactions forces them to have strict expiration dates, which means that a one- or two-year-old certificate is likely to expire during the tenure of someone other than the person who originally procured it.
If these certificates allowed auto-renewal, it would defeat their purpose, which is to assure that there really is someone at home and that someone is who he or she claims to be. What if a High Street chain abandoned a particular site and no one bothered to cancel the certificate? It would be continually renewed, even though the trusted brand was no longer involved. What if cyber thieves then took over that abandoned site and tried to set up a fake store using that retailer’s credibility and reputation? It can be done and happens all the time – all because of expired and poorly managed digital certificates and encryption keys.
It is the same thinking behind a strict limit on prescription renewals, even for patients who are placed on medicine for life. The intent is to force the patient to see a doctor and to hopefully identify new symptoms or side-effects that would otherwise go undetected.
That said, there should be transparent techniques to make sure a retailer’s team knows when a digital certificate is about to expire and, almost as important, gets an extremely loud message when the certificate has actually expired. Aunt May deserves a present on her birthday after all, just as online retailers deserve to be able to manage the lifecycle of encryption assets and quantify the security and operational risks of unmanaged and growing encryption deployments.
That fateful Wednesday, this is what Aunt May’s hapless nephew Peter encountered: “This Connection is Untrusted. You have asked your browser to connect securely to redcard.target.com, but we can’t confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site’s identity can’t be verified.”
What makes the Target situation interesting is not that the certificate was allowed to expire – unfortunately a fairly common happening – but that the chain was still unaware of it when contacted on that Wednesday morning by the media. The problem was fixed a short time later and P45 termination notices for the responsible party (presumably) were issued.
Representatives of Target did not respond to requests for comment from journalists, nor did representatives of Verizon Business, which owns Cybertrust, the firm that handles Target’s certificates. It is not as if Target didn’t get enough warnings from Verisign. They alert retailers of imminent expirations in many different ways. First, customers have a portal where they can control their account. Logging into that portal displays many alert messages. The fatal flaw here is that a retailer would almost certainly have no reason to log in unless it had already remembered about the renewal need. But it is still a method any corporate IT security department should be aware of.
Verisign also sends out e-mail notices 90 days before expiration and then again at 30 days before expiration of certificates, and those e-mails become increasingly frequent and frantic as the expiration date approaches. Verisign also allocates designated salespeople to major accounts who are specially trained to watch these accounts for these types of expirations. These services are not cheap for the typical corporate user, so the sales force has an incentive to prevent an expiration problem.
Most digital certificate vendors follow similar procedures. E-mail messages, though, are easy to ignore, especially when they are sent frequently. Imagine how easy it would be for an e-Commerce IT worker who is overseeing dozens of sites to ignore or overlook them out of sheer volume, idleness or mischief. It’s equally likely the person who purchased the certificate originally, and to whom the notifications are sent, is now in a new position or even a new company. There obviously needs to be a better way to avoid these expirations, especially as organisations are deploying more certificates.
The reality is that digital certificates are being used more heavily to protect data and secure network communications inside the firewall than outside to secure web browsing. Trusted SSL (issued from a third-party, trusted root) is just the tip of the iceberg. Certificate-based encryption deployments have exploded within large organisations in recent years, where nearly every IT system and application relies on digital certificates for trusted communications. In fact, companies have leveraged certificates more frequently for device and user authentication in an effort to connect systems and users to the infrastructure securely. The result is that large enterprises are faced with the prospect of deploying and managing thousands – and, in some cases, tens of thousands – of certificates and encryption keys.
The primary drivers for this rapid expansion are machine-to-machine authentication and encryption over the wire. Both are being driven by the inherent progression of the IT infrastructure within Global 2000 organisations to more cloud-based, virtualized and disparate IT environments. Encryption (in all its aspects: privacy, authentication, message integrity) has become an essential and integral fabric of the IT infrastructure. This fabric really is about trust; and trust without control is meaningless (it’s like wearing your seatbelt some of the time). Robust, enterprise certificate and key management (ECKM) solutions must follow.
Global financial institutions have reported that, over a six-month period, they experienced over one hundred hours of production outages from twenty-five individual events directly related to expired certificates and/or failed certificate management processes, in spite of having over a hundred engineers involved in the certificate management processes. The result is loss of revenue, impact on brand reputation and impact on service level agreements. This is not an unusual problem – it is shared with the largest organisations on the planet. Without the ability to manage encryption broadly, risk increases, IT won’t scale, operations will fail, systems will go down, compliance won’t happen and reputations will stumble.
Organisations that fail to deploy and manage encryption properly expose themselves to unnecessary risk, critical data loss and unexpected downtime. So what is the solution? There are security platforms that provide IT automation functions including discovery, monitoring, workflow automation, provisioning, auditing, secure credential storage and others. The key is to implement a product which automates digital certificate management and encryption key management processes, including discovery, monitoring, alerts, lifecycle management and automated application configuration. This helps organisations remove the risks associated with unmanaged encryption deployments that result in unplanned system outages, data breaches and security audit failures. It also helps little old ladies like Aunt May get their birthday and Christmas presents on time.
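One way to implement the monitoring and alerting described above, as an added example (not from the article or any vendor's product): it classifies each certificate's notAfter date against the 90- and 30-day notice points mentioned earlier and raises expired certificates to the top. The hostnames, team-alias owners, the 7-day tier and the sample dates are constructed assumptions; the notAfter strings use the format returned by Python's ssl getpeercert().

```python
import ssl
from datetime import datetime, timezone

# Days-before-expiry tiers. 90 and 30 mirror the vendor e-mail schedule the
# article describes; the 7-day tier and the labels are assumptions.
TIERS = [(7, "CRITICAL"), (30, "WARNING"), (90, "NOTICE")]

def days_until_expiry(not_after, now):
    """Whole days from `now` until notAfter (negative once expired)."""
    ts = ssl.cert_time_to_seconds(not_after)  # parses 'Mon DD HH:MM:SS YYYY GMT'
    return (datetime.fromtimestamp(ts, tz=timezone.utc) - now).days

def classify(days):
    """Map remaining days to an alert level."""
    if days < 0:
        return "EXPIRED"
    for limit, label in TIERS:
        if days <= limit:
            return label
    return "OK"

def audit(inventory, now):
    """Return alerts sorted most urgent first; healthy certificates are omitted."""
    alerts = []
    for entry in inventory:
        days = days_until_expiry(entry["notAfter"], now)
        level = classify(days)
        if level != "OK":
            alerts.append({"host": entry["host"], "owner": entry["owner"],
                           "days": days, "level": level})
    return sorted(alerts, key=lambda a: a["days"])

# Constructed inventory. Owners are team aliases, not individuals, so alerts
# still reach someone after the original purchaser has moved on.
INVENTORY = [
    {"host": "giftcards.example.com", "owner": "ecommerce-ops@example.com",
     "notAfter": "May 11 23:59:59 2010 GMT"},
    {"host": "www.example.com", "owner": "web-platform@example.com",
     "notAfter": "Jun 10 12:00:00 2010 GMT"},
    {"host": "api.internal.example.com", "owner": "integration@example.com",
     "notAfter": "Jul 30 12:00:00 2010 GMT"},
    {"host": "mail.example.com", "owner": "messaging@example.com",
     "notAfter": "Mar 15 12:00:00 2011 GMT"},
]
NOW = datetime(2010, 5, 12, 9, 0, 0, tzinfo=timezone.utc)  # constructed clock

if __name__ == "__main__":
    for a in audit(INVENTORY, NOW):
        print(f'{a["level"]:8} {a["days"]:4}d  {a["host"]}  -> {a["owner"]}')
```

Passing the clock in as `now` keeps the check deterministic, so the same function can be run from a scheduler against a real inventory and from a unit test against fixed dates.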