Certificate Housekeeping

Nearly every software application brings a number of certificates with it. If you ask long-term IT security experts, they typically estimate that between 30 and 3,000 certificates are installed on any given PC. In reality, a standard Windows 8.1 system easily has 30,000 or more certificates. MacOS 10.6 contains 2,000 certificates. Even a Linux system (e.g. Ubuntu 14) holds 800 certificates. Unfortunately, many of these certificates are outdated, were issued by untrustworthy issuers, or use weak cryptography. Some certificates were generated a decade ago and are still in use. Because certificates are the trust anchors of each and every digital communication, we think it is time for enhanced certificate housekeeping.

The January 2015 edition of the report on Cybersecurity by the German Federal Office for Information Security (BSI) stated that malware is increasingly installing fake root CA (Certification Authority) certificates on systems, which enables a variety of attacks. SSL/TLS (Secure Sockets Layer / Transport Layer Security) man-in-the-middle attacks in particular then become easy. Internet banking (for private users but also corporate accountants), industrial espionage, identity theft, customer data leakage – nearly all data in transit is SSL/TLS-protected and therefore potentially vulnerable. The news of the preinstalled adware Superfish on Lenovo laptops confirmed this just a month after the BSI report had been published. In this case, a commercial company wanted to insert context-based ad banners in the browser, including on encrypted web sites, but in doing so it was in fact able to read the complete communication. Up-to-date anti-virus programs will now remove that tool.

You may counter that you have an up-to-date anti-malware strategy in place. However, a certificate is usually not considered malware. It is not an executable file, it does not contain suspicious content, it does not need special permissions – it is a mathematically valid certificate – just a number, maybe signed by an unauthorized person or organization. No anti-virus system will recognize it. Nor will firewalls, intrusion detection systems (IDS), or any log or monitoring tool consider certificates a threat.

Let’s take a closer look at the certificates of a standard Windows 8.1 system with some applications installed for office work and Internet surfing:

  • 30,792 certificates identified on our test system
  • 9,706 are already outdated (dating back to times before installation of Win 8.1, even years before Windows 8 was published) (figure 1)
  • Two of them with MD2 hash, some with MD5, both considered insecure
  • Only six with SHA-384; majority uses SHA-256, both still considered secure
  • Only five use ECDSA, all others use RSA, which is in general not a problem, but
  • One RSA certificate was found with a key length of only 512 bits, 77 with only 1024 bits, and 3 with 1536 bits. For long-term security this is not sufficient. 48 certificates use 4096-bit keys and all others 2048-bit keys (figure 2), which is good or at least acceptable.

This means that 31.5% of the certificates are already outdated and nearly 100 use weak cryptography. The analysis of a Windows 7 system shows nearly the same worrying result. On a Windows 10 system we found 55,715 certificates, of which 19,709 are already outdated (35.4%). The other numbers are much the same.


Figure 1 – Many outdated certificates


Figure 2 – Weak Hash Algorithms used


As you can see, there are a lot of untrustworthy certificates installed on PCs in use around the world – and also on servers. All industries are affected, including financial institutions, telecommunication, transportation and logistics, hospitals, power stations and military systems.

The latest LogJam attack shows that weaknesses in cryptography are a real security challenge. It is careless to make attacks even easier by ignoring outdated certificates or by using certificates with weak cryptography.

What do users and administrators say when they are faced with the actual situation in their company? According to Dr. Alexander Löw, CEO and founder of Data-Warehouse, system administrators are surprised by the number of self-signed certificates inside the enterprise network and the number of “unknown” self-issued certificates. Measurably reducing these by automating certificate management increases security. Security and compliance officers appreciate auditable technical trust relations and reliable, compliant automated management of X.509 certificates. Data-Warehouse has developed a solution to identify and manage all certificates of the various issuers on all devices connected to an organization’s network.

Based on the experience of the Global Cybersecurity consulting practice, many organizations manage certificates issued by their own PKI (public key infrastructure) or by other self-managed systems (e.g. remote access solutions or certain applications). However, organizations are rarely aware that the lack of a more general certificate management results in a significant information security risk.

In summary, managing your self-generated certificates with a PKI is not enough. You should manage all certificates installed on all your IT systems. The right management policy is the key factor here. The certificate management system should be able to cover all certificates of all issuers and manage them consistently based on a company-specific policy (e.g. deactivate all certificates with RSA keys shorter than 2048 bits).
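
A policy of this kind can be checked on a single Windows machine with a read-only audit of the certificate stores. The script below is an added example, not part of the original article or of any product it mentions; the function name `Get-CertificatePolicyFinding`, the output columns and the CSV file name are illustrative assumptions, and the thresholds mirror the criteria used above (expired, MD2/MD5 signatures, RSA keys shorter than 2048 bits).

```powershell
# Added example: read-only audit of all Windows certificate stores.
# Function name and report layout are illustrative assumptions.
function Get-CertificatePolicyFinding {
    param(
        [string]$Path = 'Cert:\',
        [int]$MinRsaBits = 2048,
        [datetime]$Now = (Get-Date)
    )
    # Signature algorithm OIDs that rely on hashes the article calls insecure.
    $weakSigOids = @{
        '1.2.840.113549.1.1.2' = 'MD2 with RSA'
        '1.2.840.113549.1.1.4' = 'MD5 with RSA'
    }
    $certType = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $rsaExt   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    foreach ($cert in Get-ChildItem -Path $Path -Recurse) {
        if ($cert -isnot $certType) { continue }   # skip store and location containers
        $findings = @()

        if ($cert.NotAfter -lt $Now) { $findings += 'expired' }

        $sigOid = $cert.SignatureAlgorithm.Value
        if ($sigOid -and $weakSigOids.ContainsKey($sigOid)) {
            $findings += "weak signature hash ($($weakSigOids[$sigOid]))"
        }

        # GetRSAPublicKey returns $null for non-RSA keys such as ECDSA.
        $rsa = $null
        try { $rsa = $rsaExt::GetRSAPublicKey($cert) }
        catch { $findings += 'unreadable public key' }
        if ($rsa) {
            if ($rsa.KeySize -lt $MinRsaBits) { $findings += "RSA key of $($rsa.KeySize) bits" }
            $rsa.Dispose()
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Store      = $cert.PSParentPath -replace '^.*::', ''
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
                Findings   = $findings -join '; '
            }
        }
    }
}

$report = @(Get-CertificatePolicyFinding)
$report | Group-Object Findings | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$report | Export-Csv -Path .\certificate-audit.csv -NoTypeInformation
```

The same certificate can appear in several stores, so the report lists one row per store entry; group by `Thumbprint` to count distinct certificates.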
