How IT security certificates can become untrustworthy--an e-tail nightmare for Christmas.

Author:Hudson, Jeffrey

Early on Wednesday morning July 2010 an eager customer wanting to start the day by making sure that his Aunt May would get her annual birthday surprise was stopped in his tracks courtesy of a "This Connection is Untrusted" message due to an expired security certificate. Target may be one of the most recent example of retailers inadvertently letting their certificates expire, but it's not alone.

Such lapses are becoming almost weekly e-tail occurrences. The phone calls from journalists chasing a story are often the first time that hapless organisations hear the news. As the holiday season bears down on us expired security certificates are a nightmare that all retailers fear.

The problem is easy enough to let happen, which is the real issue. The nature of the certificates forces them to have strict expiration dates, which means that a two or three year old certificate is likely to expire during the tenure of someone other than the person who originally arranged it. If certificates allowed auto-renewal, it would defeat their purpose, which is to assure that there really is someone at home and that someone is who he or she claims to be. What if a High Street chain abandoned a particular site and no one bothered to cancel the certificate? It would be continually renewed, even though the trusted brand was no longer involved. What if cyber thieves then took over that abandoned site and tried to set up a fake store using that retailer's credibility and reputation? It can be done and happens all the time - all because of expired certificates. It is the same thinking behind a strict limit on prescription renewals, even for patients who are placed on medicine for life. The intent is to force the patient to see a doctor and to hopefully identify new symptoms or side-effects that would otherwise go undetected.

That said, there should be transparent techniques to make sure a retailer's team knows when a certificate is about to expire and, almost as important, gets an extremely loud message when the certificate has actually expired. Aunt May deserves a present on her birthday after all.

Instead, that fateful Wednesday, this is what her hapless nephew Peter encountered: "This Connection is Untrusted. You have asked your browser to connect securely to, but we can't confirm that your connection is secure. Normally, when you try to connect securely, sites will present trusted identification to prove that | you are going to the right place...

To continue reading