Although IT security professionals are worried about future certificate authority (CA) incidents, very few have the tools needed to switch CAs quickly.
The finding is significant given that, last year, researchers affiliated with Google determined that Symantec and its affiliated CAs had mis-issued thousands of Transport Layer Security (TLS) certificates. As a result, Chrome researchers announced a formal plan to remove trust from Symantec-issued certificates. The first deadline is April 17, 2018, when Chrome 66 and Mozilla will distrust Symantec TLS certificates issued prior to June 1, 2016.
A study from Dimensional Research, which included responses from 1,100 IT security professionals, found that just 15% of respondents believe that Google's decision to distrust Symantec certificates is a one-time event. However, only 23% said they are completely confident in their ability to quickly find and replace all of their impacted certificates if they were affected by a major CA event.
"CAs have a very difficult job and they deal with many complexities that are outside their control," said Mike Dodson, global head of solution architects for Venafi, which sponsored the report. "Every CA is exposed to risks, and CA compromises and errors can leave organizations scrambling to find and replace many certificates in a short amount of time. Organizations need greater control over the CAs they trust, but they also must acknowledge that they'll never have full control. For example, browsers play a big role in how we trust CAs. Chrome and Mozilla recently decided they would no longer trust certificates issued by Symantec, and now many organizations must replace these certificates before a set deadline."
Additional findings indicate that security professionals may be overestimating their ability to respond to a CA incident: 61% of the respondents say they have a plan in place that would allow them to replace all Symantec certificates by the upcoming deadlines, but only 58% have an accurate inventory that includes the IP address of all devices where certificates that chain up to a Symantec root are installed.
Similarly, nearly two-thirds (62%) are confident they don't have certificates from unauthorized CAs, but only half have controls in place to detect this. Also, three-quarters (74%) believe they can find and replace all certificates affected by a CA compromise quickly, but only 8% have automated processes in place.