In an increasingly digital world, digital certificates have become the identity of an enterprise. Who trusts this digital identity? Almost every entity that is connected to the internet, including browsers and their underlying operating systems. Basically, certificates are like our passports; they are widely accepted as proof of identity. A digital (or “identity”) certificate is also used to securely exchange information over the internet using the entity’s public key. Because of this, digital certificates have garnered a significant amount of trust over the years, and cyber criminals are misusing that trust.
In fact, stealing digital certificates and selling them has become quite a lucrative job. Some even sell for up to $1,200 each on the dark web, making them more expensive than handguns, counterfeit passports, and stolen credit cards, according to research by the Cyber Security Research Institute [1].
Why are stolen digital certificates so valuable?
Unlike humans, machines cannot visually identify, validate and establish trust with other machines. They need a system such as a digital certificate that can help them establish trust on their behalf anywhere in the world. This makes these certificates perhaps the most valuable assets a hacker attempting to infiltrate an enterprise could acquire.
There are different types of digital certificates that are used for different purposes. A stolen SSL/TLS certificate can impersonate a legitimate website and capture valuable data from its customers. Every month, more than 1.4 million websites are added using stolen SSL/TLS certificates [2]. Even the most well-known websites (like Facebook and Google) are spoofed every day.
Apart from SSL/TLS certificates, cyber criminals can also use stolen client certificates to impersonate a client for successful man-in-the-middle attacks. These attacks became more common after the infamous Stuxnet attack was uncovered. Usually, an enterprise’s endpoint protection is the last line of defense against hackers. Attackers can compromise that protection either by disabling it and blocking its digital certificate (as seen with CertLock [3]) or by tricking the system into installing malware with a trusted certificate.
Making enterprises even more vulnerable to these attacks is the fact that the compromised certificates do not necessarily need to be valid. Hackers can utilize expired certificates, too. This is due to the way many products handle resource-intensive signature checks: because they focus on reducing the strain on a user’s resources, hackers get the opportunity to evade detection with a simple and inexpensive method.
With rising numbers of phishing, malware and ransomware schemes plaguing enterprises worldwide, are we willingly putting ourselves at risk by blindly trusting digital certificates?
In many circumstances, the answer is most certainly “yes.”
The technology itself is not to blame here. Instead, we must take the necessary steps to counter the misuse of this technology.
Like it or not, digital certificates are the face of an enterprise online. Therefore, it is the user’s responsibility to take the security measures necessary to protect them.
Conclusion
There are two major things that drive the value of any entity: one is rarity, and the other is usefulness. For hackers, the value of a digital certificate is currently driven by its usefulness in spoofing trusted sites and installing malware worldwide. However, with the efficient deployment of competent measures such as CAA and certificate transparency to counter the misuse of digital certificates, their value will soon be driven by their rarity. This, in turn, will drive up the cost of stolen certificates and will make it nearly impossible and much too expensive to launch a certificate-based attack. Until we get there, however, enterprises must maintain complete control over their digital certificates, not just to prevent misuse, but to prevent expensive certificate expiry outages as well.
As the rate of digital certificate adoption increases [4], using cumbersome, manual processes (like spreadsheets) for managing these certificates immediately places them on the hacker’s radar. Instead, enterprises can remain diligent in managing their digital certificates by employing periodic discovery, enforcing strict policies and controlling the certificate enrollment process.
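To make the two countermeasures named above concrete, here is an added example (not code from the original article or from any vendor) that audits constructed certificate-transparency observations against a constructed CAA policy and flags certificates nearing expiry. It assumes the hypothetical names in CAA_POLICY and CT_OBSERVATIONS, and simplifies the RFC 8659 CAA lookup to an in-memory walk toward the DNS root with no live queries.

```python
from datetime import date, timedelta
# Constructed CAA policy (hypothetical): owner name -> CAA (tag, value) records.
# "issue" lists CAs allowed for the name, "issuewild" for wildcard names; ";" means none.
CAA_POLICY = {
    "example.com": [("issue", "letsencrypt.org"), ("issuewild", ";")],
    "legacy.example.com": [("issue", "digicert.com")],
}
# Constructed CT-monitor output (hypothetical): (subject name, issuing CA, expiry).
CT_OBSERVATIONS = [
    ("www.example.com", "letsencrypt.org", date(2025, 8, 1)),
    ("www.example.com", "evil-ca.test", date(2026, 1, 1)),
    ("*.example.com", "letsencrypt.org", date(2026, 1, 1)),
    ("app.legacy.example.com", "digicert.com", date(2025, 6, 10)),
]
TODAY = date(2025, 5, 20)  # constructed audit date

def relevant_caa(name):
    """Closest CAA set walking from name toward the root (RFC 8659 lookup,
    simplified here: no live DNS queries and no CNAME handling)."""
    labels = (name[2:] if name.startswith("*.") else name).split(".")
    for i in range(len(labels)):
        records = CAA_POLICY.get(".".join(labels[i:]))
        if records:
            return records
    return []

def authorized_issuers(name):
    """CAs allowed to issue for name; None if no CAA set exists (unrestricted)."""
    records = relevant_caa(name)
    if not records:
        return None
    tag = "issuewild" if name.startswith("*.") else "issue"
    values = [v for t, v in records if t == tag]
    if not values and tag == "issuewild":  # no issuewild: "issue" applies
        values = [v for t, v in records if t == "issue"]
    return {v for v in values if v != ";"}

def audit(observations, today, warn_days=30):
    """Flag certs from CAs the CAA policy does not authorize, and certs expiring soon."""
    findings = []
    for domain, issuer, not_after in observations:
        allowed = authorized_issuers(domain)
        if allowed is not None and issuer not in allowed:
            findings.append((domain, "unauthorized-issuer", issuer))
        if not_after - today <= timedelta(days=warn_days):
            findings.append((domain, "expiring", not_after.isoformat()))
    return findings

def run_audit():
    return audit(CT_OBSERVATIONS, TODAY)  # findings over the constructed data
```

Run against real data, the observations would come from a CT log monitor and the policy from the enterprise's own DNS; the wildcard case shows why issuewild deserves its own record.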
[3] https://www.appviewx.com/hackers-striking-heart-machine-identities-digital-certificates/
[4] https://letsencrypt.org/stats/