Web Site Authenticity in Question?

Certification alone is not enough to ensure a trustworthy site.

In these wild and woolly Web times, corporations have been adopting digital certificates en masse to provide strong encryption of confidential data. However, management complexities and manual processes leave lots of room for certificates to expire in place—and thus hedge the publics trust in a Web site.

Digital certificates provide third-party verification of a Web site and its parent company. The issuing authority takes precautions to establish the true identity of a site and company, as well as an individuals authority to request certificates on behalf of said company or site.

With organizations relying on an ever-increasing number of certificates to provide site integrity and encryption services—not only to public-facing Web sites but also to intranet and corporate Web applications—the effort to track and maintain hundreds or thousands of certificates can be daunting.

During the course of research for our review of Venafi Inc.s AutoCert Manager 4.1, eWEEK Labs spoke (on the condition of anonymity) with administrators from companies large and small to assess their certificate management processes and gauge their administrative pain.

/zimages/2/28571.gifClick here to read the review of AutoCert Manager 4.1.

We found that companies tracking processes can range from waiting for warning e-mails from the issuing CA (certificate authority) to dedicating an engineer to tracking and updating certificates with the help of a giant spreadsheet. It was obvious in all cases, however, that certificate management—which affects the publics perception of a companys brand and reputation—relies largely on manual detection and data entry.

When a certificate expires, site visitors browsers will display a notification warning that the certificate is no longer valid. The savvy user may understand that encryption still works but that the issuing authority no longer validates the Web site and can no longer guarantee its authenticity. Not all users will be that savvy, however.

In an effort to keep support costs low, businesses increasingly rely on Web-based services to support their customers. But if one server in a Web farm has an expired certificate in situ, and 5 percent of your customers get the expiration warning and decide to conduct their business over the phone—or elsewhere—support costs could increase sharply, or the customers business could be lost altogether.

Third-party CAs have recognized the complications involved in maintaining SSL (Secure Sockets Layer) certificates in a large organization and offer management services for an additional cost. These services, including VeriSign Inc.s Managed PKI for SSL or Entrust Inc.s Certificate Management Service Premium Edition, provide Web administrators with tools to streamline the certificate request, renewal and revocation processes.

The services also offer increased alerting and reporting options to track certificates throughout their life cycle.

While simplifying management for their own certificates, these services are ultimately proprietary. Many organizations may use multiple CAs—for example, for internal versus public Web applications or for applications maintained by different support teams. Administering multiple CAs will thus result in multiple management systems and increased administrative overhead.

Improved detection and reporting tools will help drastically reduce the incidence of certificate expiration on live servers—without relying solely on reports from third-party vendors. With streamlined and automated tools to generate certificates across multiple authorities, administrators will also have the flexibility not only to renew existing certificates but also to generate new certificates (and underlying key pairs) more often—reducing the exposure time of digital keys to potential cracking.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.