This age of remote work and the Internet of Things (IoT) has seen security companies tirelessly preach about digital trust – because it’s a never-ending battle! To win the battle, you must become one with your PKI and bring balance to your organization.
Unfortunately, the dark side of PKI can corrupt your security program and leave the rebellion – err, your organization – vulnerable to attack.
Luckily, we’ve developed a new guide (see more about the eBook below!) to expose the dark side of PKI and set you forth on your journey to become a PKI Jedi.
PKI visibility and control
TLS certificates are critical for data encryption and secure connections, but just one expired or misconfigured certificate can cause system failures and disrupt essential services.
Like when the Bank of England’s CHAPS system went offline for 91 minutes due to an expired certificate. Or when SpaceX’s Starlink—a constellation of satellites orbiting the globe – went down when a single ground station certificate expired, leaving millions around the world without connectivity.
Keep in mind that those outages happened in top organizations with skilled tech teams, so smaller organizations are likely to have downtimes that last for more than one hour. In fact, Keyfactor’s 2024 PKI & Digital Trust report reveals that certificate outages cause an average of 5 hours of downtime – even when the cause is detected fast.
Beyond downtime, certificate outages caused by compromised certificates can lead to far worse outcomes. To curb these risks, Google and Apple have suggested shortening certificate validity to 90 and 45 days, respectively. While these suggestions are promising, they won’t be up for a vote until 2025 and 2027. Even then, the outcome remains uncertain, so it’s unwise to depend solely on their timelines for your security.
If you want control over the security of your certificates, here’s the first rule: skip the manual processes like spreadsheets and custom scripts. They won’t scale as your certificates multiply, making outages inevitable.
Instead:
- Centralize your certificate inventory across servers, clients, code-signing, and trust roots.
- Track expiry dates, locations, and ownership across all CAs, network endpoints, cloud services, CT logs, and certificate stores.
- Use tools like Keyfactor Command to automate certificate discovery and lifecycle management.
Streamlined security across teams
Rogue certificates are a serious security threat – like a Sith lord in disguise with plans to one day seize control of the Republic.
Similarly, rogue certificates are quiet threats that can lead to costly outages. In fact, 42% of organizations have made eliminating rogue certificates a top priority.
These rogue certificates usually arise when:
- Employees rush through the certificate creation process without following proper procedures.
- Application owners bypass security protocols to obtain certificates on their own (self-signed certificates)
- Security teams lack visibility or control over how certificates are used by servers and applications.
- A compromised certificate is used to secure multiple subdomains (wildcard certificates)
To protect your organization from rogue certificates, here’s what to do:
- Work with application and operations teams to understand their needs and provide them with policy-compliant certificates.
- Limit the use of self-signed and wildcard certificates across your organization.
- Consolidate PKI and CA tools to reduce costs and complexity.
- Make it easy for teams to obtain policy-compliant certificates
- Implement a PKI solution like Keyfactor Command to support cloud and container-based deployments.
Securing code-signing
The software supply chain is one of the biggest threats to digital trust, with code-signing abuse as the most common attack vector. Over the past few years, we’ve seen high-profile attacks where attackers breach signing environments and infect code directly, slipping malware past defenses. This is partly because IT teams store code-signing keys on workstations (53%) and build servers (52%) instead of using secure HSMs.
An example of code-signing attack vectors in action is CVE-2023-51634, where improper HTTPS certificate validation on NETGEAR RAX30 routers allowed attackers to compromise downloaded data.
Another example of a code-signing attack was when AnyDesk’s code-signing keys were stolen, causing a 48-hour maintenance window and forcing users to update their software in order to prevent unauthorized access.
To help curb code-signing attacks, the CA/B forum now requires code-signing certificate private keys to be stored in HSMs.
But that’s not enough. To further protect your organization from code-signing attacks:
- Enforce the least privilege through key and signing access controls.
- Automate and integrate secure signing into existing workflows using tools like SignServer.
- Generate a Software Bill of Materials (SBOM) at signing to ensure trust and transparency.
- Timestamp your signed code with a reliable Time Stamp Authority (TSA).
- Use multi-factor authentication across the software supply chain.
Securing SSH keys
SSH (Secure Shell) protocol is essential for secure administrative tasks like remote logins and file transfers. However, many IT teams mistakenly believe that using passwords or key pairs for SSH authentication is foolproof, thereby leaving organizations vulnerable to attack.
While SSH keys are powerful security tools, if they fall into the wrong hands, they can be used to move undetected across systems. Unlike certificates, SSH keys don’t expire, meaning once compromised, they can be used indefinitely. Plus, since they are often shared or copied, they can grant attackers excessive privileges.
Common attack vectors are usually caused by forgotten or dormant keys from temporary access, shared keys within IT teams, weak keys found in source code or public repositories, etc. A real-world example is the SSH-Snake malware, discovered in 2024, which exploited SSH credentials to spread across networks, impacting 36% of US-based companies.
To keep your SSH keys secure:
- Disable password-based authentication that’s vulnerable to brute-force attacks.
- Create an inventory of key pairs and map trust relationships.
- Monitor key usage, age, strength, and associated accounts.
- Implement key rotation policies and remove weak or dormant keys.
- Use short-lived SSH certificates for more secure authentication.
Note: Carry out these remediation tips with caution because hastily removing or rotating SSH keys can lead to loss of access and service outages.
Quantum is coming
Quantum computers hold promise for fields like medicine and climate science, but they also pose a threat to the encryption algorithms protecting PKI certificates. Quantum computing could allow attackers with advanced resources to brute force even our most secure cryptographic algorithms.
You might think, “Well, it’s not going to manifest anytime soon,” but government agencies warn that malicious actors could be harvesting your encryption data now, planning to decrypt it once quantum computers are fully developed. Plus, new technology has been known to advance slowly until it accelerates unexpectedly. In fact, Gartner predicts that by 2029, quantum computing will be fully developed.
Let’s not forget that the transition from no-quantum to post-quantum cryptography is complex and could take many years to master. Additionally, new mandates and regulations are sure to come as governments and standards bodies push for quantum adoption.
To prepare for the quantum era:
- Build a comprehensive cryptographic inventory, including keys and certificates.
- Talk to vendors, including PKI and HSM providers, to ensure they’re ready for quantum-safe security.
- Invest in PKI tools, like EJBCA, that are quantum-ready.
- Prepare your systems by adopting automated processes for certificate renewal and provisioning.
Looking Ahead: Explore the eBook
The dark side of digital trust goes beyond what we’ve covered here, and so do the solutions. Check out our exciting eBook to get all the information you need to strengthen your digital trust and protect your organization’s infrastructure.
Dive in and explore – we hope you enjoy this guide!
