20 Jul, 2020

Stay on Top of TLS Certificate Proliferation with the Quttera API

As your network expands, so does the number of TLS certificates that need attention. The Quttera API lets you scan your networks, automate TLS certificate management, and detect open ports.

Thanks to free and self-signed TLS certificates, it costs an organization little or nothing to get all the certificates it needs. The problem is that you can easily end up with so many that you can't keep track of them all. It isn't unusual for a network to have thousands or even tens of thousands of certificates, and managing them manually becomes impossible. Your organization could have hundreds of expired or misconfigured certificates without knowing it.

The Quttera SSL API, which is available to Quttera partners, lets you quickly set up the checking you need to ensure all of your installed certificates are valid and properly functioning.

Proliferation of Certificates
TLS certificates (still commonly called SSL certificates) are what let a client authenticate a server and encrypt its traffic to it, whether over HTTPS or any other TLS-protected protocol. It costs nothing to create a self-signed certificate or to get a free one from Let's Encrypt, so there is little reason to leave any service unencrypted. It isn't just public websites that benefit. Any server, including test systems and internal-only ones, is more secure behind TLS, and private cloud services need certificates too.

IoT devices are small, inexpensive, and often deployed in huge numbers. Authenticating each device's communication typically means issuing a certificate per device, and every one of them has to be renewed before it expires.

TLS protects client devices as well, giving them a strong method of authentication. With mutual TLS (mTLS), the client presents its own certificate, and a server can be configured to accept only clients whose certificate chains to the company's certificate authority. The client authenticates the server and the server authenticates the client; anything without a valid certificate is refused. Every client device enrolled this way needs its own TLS certificate and private key, and both have to be managed.

The number of certificates on a network can grow to a staggering level - more than the IT department realizes. A survey by Venafi queried CIOs worldwide and found that 93% had at least 10,000 active certificates on their networks. The percentage with 50,000 certificates or more was 40%. Keeping track of that many with a spreadsheet is plainly impossible. The respondents said the number of certificates they manage is only going to increase.

A large organization has many computing devices, with control spread across multiple departments. No single group knows about all of them. Without a proper inventory, certificates inevitably slip through the cracks: either no one knows about them, or everyone assumes someone else is responsible. NIST has recognized this as a security issue and, in SP 1800-16, recommends formal, enterprise-wide TLS certificate management programs.

Kevin Bocek, the vice president of security strategy and threat intelligence at Venafi, said, "The only way to eliminate these risks is to discover, continuously monitor and automate the lifecycle of all TLS certificates across the entire enterprise network—and this includes short-lived certificates that are used in the cloud, virtual and DevOps environments."

The Risks of Untracked Certificates
When you have thousands of certificates, how do you track which ones have expired or are about to? Let's Encrypt certificates are valid for only 90 days, so they have to be renewed constantly, and any renewal that silently fails leaves an expired certificate in place.

Expired certificates interfere with access. If they're on public websites, users will see warning messages, and many won't proceed past them. That means a significant loss in business. If they're on devices that communicate without human involvement, the communication could stop. It could be a long time before anyone notices.

Configuration errors are another problem. If a certificate's subject alternative names don't cover the hostname (or IP address) that clients actually connect to, the same failures occur. If the chain of trust breaks, typically because the server doesn't send an intermediate certificate or the chain ends at a root the client doesn't trust, it's the same story. Clients aren't equally rigorous in their checks: a browser may quietly fetch a missing intermediate, while an API client, a mobile app, or a library with a stricter trust store rejects the connection, so a server that works when tested in a browser can still fail in production.

A certificate is trustworthy only as long as its private key is protected. A breach of a system that holds TLS certificates can lead to the theft of any private keys stored on it. With a stolen private key and a copy of the certificate, an attacker can impersonate the server and mount a man-in-the-middle attack. Hardware security modules protect keys better than storing them on the server's filesystem, and terminating TLS at a reverse proxy keeps keys in fewer places, but you have to know what keys you have before you can protect them.

The more certificates a network has, the greater the attack surface for such exploits. If the keys on a system may have been compromised, it's imperative to revoke the corresponding certificates and reissue them with freshly generated key pairs; renewing a certificate while reusing the compromised key fixes nothing.

Paradoxically, TLS encryption creates some risks of its own. The content of an encrypted connection is opaque until it's decrypted, so a firewall can't apply content-based protection to encrypted traffic. WAFs and content filters have to sit at or behind the point of TLS termination to analyze incoming requests. It's important to know every place they have to be, and that means knowing where all the active certificates are.

Automating Certificate Management
When the number of certificates gets into four and five digits, automated management is the only way to go. They need to be renewed and installed automatically on a regular schedule. The Quttera SSL API provides the backbone of your TLS certificate management. It lets you scan your network as often as you want, discovering all TLS certificates and reporting any that are self-signed, expired, or improperly configured. You can use it to automate certificate management and report any issues that need attention. The SSL API is part of the Quttera Malware Scanner REST API.

To set it up, you need a list of all the internal IP addresses in your network. Your results will be only as complete as the list, so be sure it includes your cloud servers, IoT devices, and any other obscure corners of your network.
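The following is an added example, not Quttera's SSL API or any code from the page; it shows the checks described under "The Risks of Untracked Certificates" (expired or soon-to-expire, self-signed, hostname mismatch, chain that fails to verify, port not listening) run over an inventory of hosts like the one this section asks you to assemble. It uses only the Python standard library. The `fetch_peer_cert` function does the network work; the checks themselves operate on the dict format that `ssl.SSLSocket.getpeercert()` returns, so they are exercised offline against a constructed sample certificate. The 30-day warning threshold, the `example.test` hostnames and the `10.0.0.x` addresses are assumptions for the illustration.

```python
"""Inventory-driven TLS certificate scan (added illustration, not Quttera's API).
Standard library only. fetch_peer_cert() does the network work; every check is a
pure function over the dict ssl.SSLSocket.getpeercert() returns."""
import socket
import ssl
import time
from ipaddress import ip_address

EXPIRY_WARN_DAYS = 30  # assumption: warn on anything expiring within 30 days


def _label_match(pattern, hostname):
    """RFC 6125-style: case-insensitive, label by label; '*' is allowed only as
    the whole left-most label and matches exactly one label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" and len(p) > 1 else p == h


def matches_hostname(cert, hostname):
    """True when a DNS or IP subjectAltName covers hostname. Like current
    browsers, the subject CN is ignored, so a SAN-less certificate never matches."""
    try:
        ip = ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ip is None and _label_match(value, hostname):
            return True
        if kind == "IP Address" and ip is not None and ip_address(value) == ip:
            return True
    return False


def days_until_expiry(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)


def classify(cert, hostname, now=None):
    """Findings for one certificate; an empty list means it passed every check."""
    findings = []
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("expired")
    elif days < EXPIRY_WARN_DAYS:
        findings.append(f"expires in {days} days")
    if cert.get("subject") == cert.get("issuer"):  # issuer == subject: self-signed
        findings.append("self-signed")
    if not matches_hostname(cert, hostname):
        findings.append("hostname mismatch")
    return findings


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Verified handshake against the platform trust store. Returns (cert, None),
    or (None, reason) when the port is closed or the chain fails to verify
    (expired, self-signed, untrusted root, missing intermediate, name mismatch).
    Python's ssl never fetches missing intermediates via AIA the way a browser
    may, so a chain that only works in a browser is reported as broken here."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"verification failed: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return None, f"connection failed: {exc}"


def scan_inventory(targets, fetcher=fetch_peer_cert, now=None):
    """Scan [(host, port), ...] into {'host:port': [findings]}. The fetcher is
    injectable so the report logic can be exercised without a network."""
    report = {}
    for host, port in targets:
        cert, reason = fetcher(host, port)
        report[f"{host}:{port}"] = [reason] if reason else classify(cert, host, now)
    return report


# Constructed sample in getpeercert() format (not a real certificate or host).
SAMPLE_CERT = {
    "subject": ((("commonName", "internal.example.test"),),),
    "issuer": ((("commonName", "internal.example.test"),),),
    "notBefore": "Jan 15 00:00:00 2020 GMT",
    "notAfter": "Jul 31 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "internal.example.test"),
                       ("DNS", "*.svc.example.test"), ("IP Address", "10.0.0.5")),
}
SCAN_TIME = ssl.cert_time_to_seconds("Jul 20 00:00:00 2020 GMT")  # 11 days before expiry


def offline_fetcher(host, port):
    """Stand-in for fetch_peer_cert: 8443 is 'closed', anything else serves SAMPLE_CERT."""
    if port == 8443:
        return None, "connection failed: [Errno 111] Connection refused"
    return SAMPLE_CERT, None


def example_report():
    targets = [("internal.example.test", 443), ("api.svc.example.test", 443),
               ("10.0.0.6", 443), ("internal.example.test", 8443)]
    return scan_inventory(targets, fetcher=offline_fetcher, now=SCAN_TIME)
```

Swapping `offline_fetcher` for the default `fetch_peer_cert` turns `scan_inventory` into a live scan over the host list. Because the handshake is done with a fully verifying context, a chain that is only accepted by lenient clients shows up as a `verification failed` finding rather than passing, which is the behaviour you want from an inventory check; note that a failed verification yields no parsed certificate, so the expiry and name checks run only on chains that verify.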

Other features of the Quttera API include port scanning to detect open ports. Knowing which ports each host exposes helps you find services you didn't know were running, each of which may be carrying a certificate of its own.

Becoming a Quttera partner gives you access to these APIs for cloud and on-premise security management. As a partner, you can provide input for new arrangements that will let us better serve your needs.

SOURCES:
Are You Concerned about TLS Certificate Security Risks? (Venafi)
Securing Web Transactions: TLS Server Certificate Management (NIST)