The Coronavirus can't be stopped and the implications are quite clear: the next 3-6 months will see large numbers of people off work, and we can already see a huge increase in remote working—which depends entirely on the IT infrastructure working. As a recent Let's Encrypt incident showed, HTTPS represents the ultimate risk to remote working.
Governments are engaged in a balancing act of shifting the peak infection rate, investing in vaccine research, and protecting the most vulnerable people. IT managers start to face critical business dilemmas. Are we going to survive when 30% of our workforce is out sick for 4 weeks or more; when the system administrators can’t come to data centers? Are you sure you have everything under control and systems can run for 4-6 weeks without physical access?
Remote access, just like everything else today, depends on certificate renewals.
Remote access, just like everything else today, depends on certificate renewals
Most of the things can wait - vulnerability patching, upgrades - but several recent incidents showed that certificate management will not wait. When a single certificate expires, it can take down the whole of cellular / mobile networks, remote access systems, or our revenue-generating business applications.
Incident 1: The U.S. Government Shutdown
Last year, the US government shut down for 35 days. Online systems were switched off to show messages like “due to the government shutdown this service is not available”. However, in a couple of weeks' time, we couldn’t even read the message as online portals didn’t renew their certificates and browsers stopped trusting them.
Incident 2: Let’s Encrypt Revokes Three Million Certificates
Last week, the Let’s Encrypt certification authority had to renew up to 3,000,000 certificates due to a bug in its validation process. All that because of about 500 certificates that made use of the feature with the bug. They eventually stalled revocations because they feared a global impact on the internet. You may remember that the largest such “recall” impacted 23,000 certificates and everyone talked about it.
Incident 3: 30 Million People Lost Cell Phone Access for a Day
In December 2018, 30 million people lost their cell phone connectivity. Ericsson said an expired software certificate caused the outage that left tens of millions in the UK unable to call or text from their mobile phones, nor use 4G connections, on Thursday.
... downtime was due to an expired certificate in a version of its management software used by European telcos to provide services to subscribers.
Improving Security Means Total Dependence on Certificates
What it shows is that the whole of the internet is now absolutely dependent on something that "improves security".
Certificates are like security badges to get into the gate at work. If yours is expired, you won’t be getting in. You have to come to me every 3 months to get a new one. Now imagine the gateway is access to all of the internet. Uptime for business apps, remote desktops, e-commerce sites, all precariously balanced on whether your certificates are properly managed.
The main difference from internet certificates is that there are many companies who sell certificates. All companies, however, face three big issues:
- skills shortage
- the complexity of HTTPS and network encryption
Which brings us back to this current pandemic of Covid-19 and its huge impact on the skills shortage, which in turn will significantly lower the visibility of certificate expiration. How many of you have always-available, up-to-date information about your certificates and their expirations? How many of you depend on your sysadmins and what they have in their heads or what chances to land in their personal mailboxes? How many of you know what certificates are needed for your core business applications? And for your remote access and collaboration tools?
Source: AppViewX survey of BlackHat 2019 participants
These questions are important at all times but the current situation exacerbates the situation and we all need to focus on the visibility of issues that will have to be dealt within the next 4 weeks or so. Whether we like it or not, SSL certificates have hard expiration dates and they often silently kill IT applications without warning, at any time of the day.
Keep your certificates from sabotaging your remote work environment. Try our instant domain audit.
Or you can sign up and manage all of your certificates with KeyChest. Hopefully, this pandemic will end up milder than we forecast but we all should be ready for a reasonable worst-case scenario.