Last year, Google proposed shortening the time frame that TLS certificates are valid for, from 398 days to 90 days.
This plan is still in the proposal phase, but to learn about what companies need to do to prepare for these shorter certificate durations, we interviewed Sitaram Iyer, VP of emerging technologies at Venafi, on the latest episode of our podcast, Get With IT.
Here is an edited and abridged version of that conversation:
What exactly is a TLS certificate?
If you think about how organizations operate and run their enterprise software, there could be applications, servers, container technologies, or cloud services. These are all things that organizations use across their enterprise, whether in their data center, across their cloud providers, wherever they are. The point at which TLS certs become important is they are essentially used as a way of identifying what these servers are, what these applications are, what these workloads are, what these devices are. They create that trustworthy connection between them and everything that interacts between them.
So a TLS cert essentially is that critical asset for all organizations because it provides that foundation of trust and enables a secure communication channel for all of these workloads. That’s why it’s a critical asset that organizations need to manage, run and take care of.
Why is Google wanting to shorten the time that they are valid for?
TLS certificates have a finite lifespan, and in the last few years, we are seeing the lifespan of the TLS cert getting shorter and shorter. So even though we are hearing a lot about this news from Google, the shorter duration of a certificate is not uncommon. It’s been fairly common for the majority of the people who operate in the cloud and use something like Let’s Encrypt, which has always issued 90-day certs. So it’s been something that’s been around for a while.
What Google has done is shared their vision of making 90-day certificates an industry standard. Obviously, the standard itself gets set by CA/Browser, and while Google works with CA/Browser and all of the certificate authorities, it is important to note that Chrome has around 60% of the market share. So from the perspective of where TLS certs are used in the websites, Google has majority share.
The primary reason why you would think of shorter duration certificates is to provide that enhanced security. If you think about the advantages that you get, one is obviously when these TLS certificates are of a longer duration, it opens up a lot of challenges around the blast radius, and also challenges around the potential compromise and misuse. Shorter certificates provide the ability to ensure that you know if there is a compromise or if there is a misuse of a certificate, that it is for a shorter period of time. When a certificate is frequently renewed, it gives you better security control in terms of how it’s rolled out and managed.
Currently this is still in the proposal stage, and there’s no date of when Google would switch over, but if and when this does happen, what will be the impact on IT teams and organizations?
The impact is different for different organizations. Many organizations have a process in place where they say, oh, we’ve got these 13-month certificates across our enterprise, and we have about 1000, 2000, 3000, or even 100,000 certificates that are lying down there. We have a process in place where the owners of the application, before the certificate expires, will create a ticket and that ticket will land in the PKI administrator’s inbox, and they’ll fulfill a certificate request, and then they send it. So in the case of a single certificate, it’s a one time affair for somebody to go through this process, and it’s pretty manual as you can imagine.
If this changes to a 90-day certificate, you’re potentially looking at doing this process six times per year, and as a large number of organizations have to deal with various different application owners, the challenge of manageability becomes exponential in some ways, especially for those organizations who don’t have proper automation capabilities in place.
So in terms of impact, the ones who are going to have to deal with a larger impact are the ones who don’t have solid automation in place. But in cases where there are good automation mechanisms in place, it doesn’t matter whether a certificate is 90 days or 30 days, or even one hour.
What negative implications might this change have in terms of security?
It’s a good question, and it goes back to the same point that I made about the compromise and the misuse of certificates. If not managed well — if you don’t have a good amount of visibility and the ability to understand how and where these certificates are used — the large number of certificates and the lack of visibility around them will make this challenge even more exponential. So the security concern is more around the fact that if there is a compromise you have to deal with how you rotate, how you manage, and how you deal with those things. Even in the case of a 90 day certificate, you could still be dealing with the same kind of challenges that you could deal with in a one hour certificate or one year certificate.
So I think those are some of the security concerns that we see as we sort of think about what happens if the duration is reduced, and the fact that you don’t have good automation, good visibility, and all of those things. It’s a combination of things that makes it much more challenging from a lifecycle perspective and security perspective. It’s not necessarily just the duration itself, but it’s duration when not properly handled by organizations in terms of visibility, continuous monitoring.
The other piece is many of the organizations do not have a good set of policies. When we think about certificates, we also think about governance. Having a solid governance model in place also helps address many of the security concerns. If you don’t have those security policies or a governance model in place, even with the 90-day certificates, you would still be running into challenges where a potential intermediate certificate is misused to issue certificates for something that they shouldn’t be issuing for, or somebody would be issuing non-compliant certificates or using things like key sizes that are not conforming to the organization’s policies.
There’s a whole lot of things that could go wrong exponentially and at a massive scale as people adopt different cloud native technologies that can be addressed with the proper governance model. To summarize, I think it’s not just the duration of the certificate itself that’s a security concern, but lack of a lot of aspects around lifecycle management, lack of appropriate governance policies, lack of monitoring, lack of visibility, and lack of understanding where these certificates are used, and in which endpoints. Not having those things makes the security concerns bigger for organizations.
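As an added example (not code from the interview, from Venafi or from SD Times), the script below applies the lifecycle and governance checks discussed in the conversation to a small certificate inventory: it flags certificates that are expired or due for renewal, estimates how many renewals a year a given validity period forces, and reports policy violations such as an over-long lifetime, an undersized key or a disallowed signature algorithm. The policy values, the renew-at-two-thirds-of-lifetime rule and the sample certificates are assumptions constructed for illustration, not data from any real deployment.

```python
"""Certificate inventory and policy check for a shorter-validity world.

Added example, not code from the interview, Venafi or SD Times. The
inventory below is constructed sample data, not parsed from real certs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CertRecord:
    common_name: str
    not_before: datetime
    not_after: datetime
    key_type: str   # "RSA" or "EC"
    key_bits: int   # RSA modulus size or EC curve size
    sig_alg: str    # e.g. "sha256WithRSAEncryption"

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


@dataclass(frozen=True)
class Policy:
    # Assumed organisational policy; values are illustrative.
    max_lifetime_days: int = 90
    min_rsa_bits: int = 2048
    min_ec_bits: int = 256
    allowed_sig_algs: frozenset = frozenset(
        {"sha256WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384"})
    renew_at_fraction: float = 2 / 3   # renew once two thirds of lifetime has elapsed


def renewals_per_year(lifetime_days: float, renew_at_fraction: float = 2 / 3) -> float:
    """Approximate renewals per year when a cert is renewed after
    renew_at_fraction of its lifetime (90 days -> about six a year)."""
    return 365 / (lifetime_days * renew_at_fraction)


def renewal_status(cert: CertRecord, now: datetime, policy: Policy) -> str:
    """'expired', 'due' (past the renewal threshold) or 'ok'."""
    if now >= cert.not_after:
        return "expired"
    renew_after = cert.not_before + cert.lifetime * policy.renew_at_fraction
    return "due" if now >= renew_after else "ok"


def policy_violations(cert: CertRecord, policy: Policy) -> list[str]:
    """Governance checks independent of expiry: lifetime, key size, signature algorithm."""
    problems = []
    if cert.lifetime > timedelta(days=policy.max_lifetime_days):
        problems.append(f"lifetime {cert.lifetime.days}d exceeds {policy.max_lifetime_days}d")
    min_bits = policy.min_rsa_bits if cert.key_type == "RSA" else policy.min_ec_bits
    if cert.key_bits < min_bits:
        problems.append(f"{cert.key_type} key of {cert.key_bits} bits below {min_bits}")
    if cert.sig_alg not in policy.allowed_sig_algs:
        problems.append(f"signature algorithm {cert.sig_alg} not allowed")
    return problems


def inventory_report(certs: list[CertRecord], now: datetime, policy: Policy) -> dict:
    """Group certificates by renewal status and collect policy violations per name."""
    report = {"expired": [], "due": [], "ok": [], "violations": {}}
    for cert in certs:
        report[renewal_status(cert, now, policy)].append(cert.common_name)
        violations = policy_violations(cert, policy)
        if violations:
            report["violations"][cert.common_name] = violations
    return report


def _cert(name, issued, days, key_type, key_bits, sig_alg) -> CertRecord:
    return CertRecord(name, issued, issued + timedelta(days=days), key_type, key_bits, sig_alg)


# Constructed sample inventory; hostnames and dates are made up.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
POLICY = Policy()
INVENTORY = [
    _cert("api.example.test", datetime(2024, 5, 1, tzinfo=timezone.utc), 90,
          "RSA", 2048, "sha256WithRSAEncryption"),
    _cert("shop.example.test", datetime(2024, 3, 20, tzinfo=timezone.utc), 90,
          "RSA", 2048, "sha256WithRSAEncryption"),
    _cert("legacy.example.test", datetime(2023, 5, 1, tzinfo=timezone.utc), 398,
          "RSA", 1024, "sha1WithRSAEncryption"),
    _cert("old.example.test", datetime(2024, 1, 1, tzinfo=timezone.utc), 90,
          "EC", 256, "ecdsa-with-SHA256"),
]

if __name__ == "__main__":
    for days in (398, 90, 30):
        print(f"{days}-day certs: about {renewals_per_year(days):.1f} renewals per year")
    for status, names in inventory_report(INVENTORY, NOW, POLICY).items():
        print(status, names)
```

Running the script against the constructed inventory shows the manual-ticket process the interview describes would have to be exercised about six times a year per 90-day certificate, and that the same report surfaces the governance problems (a 398-day lifetime, a 1024-bit key, SHA-1) that shorter validity alone does not fix.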