New Research: Keyfactor Uncovers Risks in 18% of Certificates Used Online


Today, Keyfactor released new research with proprietary data from its soon-to-launch Command Risk Intelligence capabilities in Keyfactor Command. The research, titled “Breaking Digital Trust: Keyfactor Uncovers Risks in 18% of Certificates Used Online”, uncovers an array of surprisingly common risks in online certificates.

The most surprising finding? There are risks in 18% of ALL certificates used online. 

Why This Matters

Let’s take a step back for a second.

There are billions of devices in the world today, and like humans, devices require identification. However, unlike humans, device IDs come in the form of cryptographic keys and digital certificates that need to be properly managed and secured. This is no easy feat. One organization alone could have hundreds of thousands of digital certificates across its infrastructure. 

Certificates are the foundation of digital trust and machine identity management, ensuring trust across networks, applications, and cloud environments. With Keyfactor’s latest research revealing risks across many online digital certificates, managing and securing machine identities, usually the responsibility of CISOs and security teams, has become that much harder.

The risks uncovered can lead to security gaps, compliance failures, and increased exposure to cyber threats.

The Risks Keyfactor Uncovered

The Keyfactor research team analyzed 500,000 online certificates to uncover common certificate defects that could impact organizations and their corresponding security teams. The uncovered certificate defects can broadly fit into four types of risks: cryptographic issues compromising an individual key; chain validation failures that prevent a certificate’s use for its intended purpose; policy violations that indicate a misconfigured Certificate Authority (CA); and trust hierarchy errors that compromise the whole PKI.

Across the various types of certificate risks, the Keyfactor research team uncovered several defects:

    • Certificates with Negative Serial Numbers: One in every 27 certificates did not have a positive serial number.
    • Certificates with Long Lifespans: One in every 13 certificates had a lifespan of over 2 years.
    • Certificates with Large File Size: By default, OpenSSL allocates just 100 kB for an entire certificate chain, and larger chains cannot be validated on systems operating with this default.
    • No Key Usage: One in every 29 certificates had no key usage specified. Certificates that do not explicitly include a key usage field are interpreted as usable for all available purposes.
    • CA Certificate without Basic Constraints: One in every 32 certificates was not issued by a CA with Basic Constraints.
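The defects in the list above can be checked mechanically on any DER-encoded certificate. The following is an added example, not Keyfactor's code or the logic of Command Risk Intelligence: a standard-library-only Python script that builds a few toy certificates (constructed here, unsigned and with empty names and keys, so it runs offline) and walks their DER structure to flag a non-positive serial number, a lifespan over the 2-year threshold, a size over the 100 kB default, a missing keyUsage extension, and, as this script's approximation of the last item, a certificate that asserts keyCertSign in keyUsage without a basicConstraints cA=TRUE extension. The defect labels, sample values and thresholds as parameters are assumptions of this example; against real certificates you would feed the same checks the output of a parser such as `openssl x509 -inform der` or the `cryptography` package.

```python
"""Flag the listed certificate defects in DER-encoded X.509 certificates.
Added example (not Keyfactor's code); standard library only."""
import datetime as dt

KEY_USAGE = bytes([0x55, 0x1D, 0x0F])          # OID 2.5.29.15 (id-ce-keyUsage)
BASIC_CONSTRAINTS = bytes([0x55, 0x1D, 0x13])  # OID 2.5.29.19 (id-ce-basicConstraints)
SIG_ALG = "1.2.840.113549.1.1.11"              # sha256WithRSAEncryption, a label only

# ---- minimal DER encoder, used solely to build the constructed samples ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def der_int(value):
    length = 1          # two's complement in the fewest bytes that hold the value
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, value.to_bytes(length, "big", signed=True))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)

def der_utctime(when):
    return tlv(0x17, when.strftime("%y%m%d%H%M%SZ").encode())

def extension(oid, value, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, der_oid(oid) + crit + tlv(0x04, value))

def make_cert(serial, not_before, not_after, key_usage=None, ca=None):
    """Toy v3 certificate (constructed sample): unsigned, empty names and key.
    key_usage: first KeyUsage byte (0x80 digitalSignature, 0x04 keyCertSign) or None.
    ca: True/False for basicConstraints cA, or None to omit the extension."""
    exts = b""
    if key_usage is not None:   # KeyUsage is a BIT STRING; leading byte = unused bits
        exts += extension("2.5.29.15", tlv(0x03, bytes([0, key_usage])), critical=True)
    if ca is not None:
        exts += extension("2.5.29.19", tlv(0x30, tlv(0x01, b"\xff") if ca else b""), True)
    tbs = (tlv(0xA0, der_int(2))                                   # [0] version v3
           + der_int(serial)
           + tlv(0x30, der_oid(SIG_ALG))
           + tlv(0x30, b"")                                        # issuer (empty)
           + tlv(0x30, der_utctime(not_before) + der_utctime(not_after))
           + tlv(0x30, b"")                                        # subject (empty)
           + tlv(0x30, b"")                                        # subjectPublicKeyInfo
           + (tlv(0xA3, tlv(0x30, exts)) if exts else b""))        # [3] extensions
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, der_oid(SIG_ALG)) + tlv(0x03, b"\x00"))

# ---- minimal DER walker ----
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def parse_utctime(raw):
    text = raw.decode()
    yy = int(text[:2])
    year = 2000 + yy if yy < 50 else 1900 + yy   # UTCTime two-digit year rule
    return dt.datetime.strptime(str(year) + text[2:], "%Y%m%d%H%M%SZ")

def check_certificate(der, max_days=365 * 2, max_bytes=100 * 1024):
    """Return the defect labels found; [] means none of the listed defects."""
    findings = []
    if len(der) > max_bytes:
        findings.append("large-certificate")
    tbs = children(children(read_tlv(der, 0)[1])[0][1])   # fields of tbsCertificate
    fields = [f for f in tbs if f[0] != 0xA0]             # drop optional [0] version
    if int.from_bytes(fields[0][1], "big", signed=True) <= 0:
        findings.append("non-positive-serial")
    not_before, not_after = [parse_utctime(v) for _, v in children(fields[3][1])]
    if (not_after - not_before).days > max_days:
        findings.append("long-lifespan")
    exts = {}
    for block in (v for t, v in tbs if t == 0xA3):
        for _, ext in children(children(block)[0][1]):
            parts = children(ext)                          # OID, [critical], OCTET STRING
            exts[parts[0][1]] = parts[-1][1]
    if KEY_USAGE not in exts:
        findings.append("no-key-usage")
    else:
        bits = children(exts[KEY_USAGE])[0][1]             # unused-bit count, then bits
        cert_sign = len(bits) > 1 and bits[1] & 0x04 != 0  # keyCertSign is bit 5
        bc = exts.get(BASIC_CONSTRAINTS)
        is_ca = bc is not None and any(
            t == 0x01 and v == b"\xff" for t, v in children(children(bc)[0][1]))
        if cert_sign and not is_ca:
            findings.append("certsign-without-basic-constraints")
    return findings

Y = dt.datetime   # constructed samples, one per defect in the list
SAMPLES = {
    "clean": make_cert(0x1A2B, Y(2024, 1, 1), Y(2024, 12, 31), key_usage=0x80, ca=False),
    "negative-serial": make_cert(-5, Y(2024, 1, 1), Y(2024, 12, 31), key_usage=0x80, ca=False),
    "long-lived": make_cert(7, Y(2020, 1, 1), Y(2025, 1, 1), key_usage=0x80, ca=False),
    "no-key-usage": make_cert(8, Y(2024, 1, 1), Y(2024, 12, 31), ca=False),
    "ca-without-bc": make_cert(9, Y(2024, 1, 1), Y(2024, 12, 31), key_usage=0x04),
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:16s} {len(cert):4d} bytes  findings={check_certificate(cert)}")
```

The walker deliberately reads only the fields the checks need (serial, validity, extensions) and tolerates the empty names and public key of the toy samples; a production check would validate the full structure, handle GeneralizedTime for dates from 2050 on, and treat a missing keyUsage the way the list describes, as a certificate usable for every purpose.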

By the Numbers: Why This Is a Big Deal

While numbers like “one in every 29 certificates” may not set off immediate alarms at first glance, the sample numbers from Keyfactor’s research can be generalized across 8 billion known certificates online.

That means millions of certificates have critical vulnerabilities that can lead to security gaps, compliance failures, and increased exposure to cyber threats. While some of these risks may seem minor, the potential impacts are not. 

How CISOs and Security Teams Can Address These Risks

These findings highlight a critical need for CISOs and security teams to continuously discover certificates, automate lifecycle management, and enforce strict policies.

Without proactive visibility and control, organizations risk allowing weak certificates to undermine their broader security posture. Addressing these certificate vulnerabilities isn’t just about compliance—it’s about maintaining trust in the digital ecosystem and preventing breaches before they happen.

Customers of Keyfactor Command PKIaaS and CLAaaS are already in great hands when it comes to managing and securing certificates. But, with the impending launch of Command Risk Intelligence, they will gain unmatched visibility into the specific certificate risks, before they become an issue – equipping CISOs and security teams with a proactive approach to certificate management. The excitement doesn’t stop there – each risk is given a score enabling CISOs and security teams to prioritize the most concerning risks pertinent to their organization, helping them manage their time efficiently. 

Keyfactor Command Risk Intelligence is the world’s first certificate risk management solution, creating a new approach to managing certificates based on their risk. You’re invited to read the full research report here and of course, dive into how Keyfactor specifically uncovered the data by reading our new product blog.