Public key infrastructure (PKI) is a system of processes, technologies, and policies for encrypting and signing data. It plays an essential role in authenticating users, servers, devices, software, and digital documents. Yet enterprises are struggling with the growing number of PKI certificates they must manage, and many are considering PKI automation to address this problem, according to a new DigiCert report. The report, "State of PKI Automation 2021," explores how organizations are handling the challenge of PKI certificate management. Expired certificates are a problem because they break the encrypted connections and signatures that depend on them and create an attack surface for hackers.
Let's Encrypt has announced that the free secure certificate program is leaving beta in its push to encrypt 100 percent of the web. The certificate authority (CA) announced on Tuesday that the Let's Encrypt program has left the beta stage of testing after four months, having issued over 1.5 million HTTPS certificates to approximately three million websites worldwide. In a blog post, Let's Encrypt said the project is pushing "much closer" to the overall target of providing free security certificates to every webmaster online. Transport Layer Security (TLS) certificates are implemented on websites to add a layer of encryption and additional security to communication between a user and website server. Without this layer, communication and transactions are more vulnerable to surveillance, drive-by attacks and potentially data theft.
Users around the world have had trouble accessing some HTTPS websites due to an error at GlobalSign, one of the world's largest certificate authorities. As part of a planned exercise, GlobalSign revoked one of its cross-certificates, which allowed end-user certificates to chain to alternate root certificates. GlobalSign operates multiple roots, which are trusted in browsers and operating systems by default, and links them together through these cross-certificates. Some browsers and systems interpreted the revocation of that cross-certificate as a revocation of the intermediate certificates that chained through it as well, which was neither actually the case nor the company's intention.
Dozens of websites and services reported issues late last month thanks to the expiration of a root certificate used by Let's Encrypt, one of the largest providers of HTTPS certificates. Let's Encrypt and other researchers had long warned that the IdenTrust DST Root CA X3 would expire on September 30, and many platforms did heed the calls and updated their systems. But a few did not, causing a minor kerfuffle as users questioned why some of their favorite sites were not working as well as they should. Scott Helme, the founder of Security Headers, told ZDNet that he confirmed issues with Palo Alto, Bluecoat, Cisco Umbrella, Catchpoint, Guardian Firewall, Monday.com, pfSense, Google Cloud Monitoring, Azure Application Gateway, OVH, Auth0, Shopify, Xero, QuickBooks, Fortinet, Heroku, Rocket League, InstaPage, Ledger, Netlify and Cloudflare pages, but noted that there may have been more that went unreported.
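Both the GlobalSign cross-certificate revocation and the DST Root CA X3 expiry come down to how a client builds a chain from a leaf certificate to a root it trusts. The following added example (not code from any of the reports above) models that path building on constructed certificate records: a client whose root store holds only DST Root CA X3 fails the day after it expires, while a client that also trusts ISRG Root X1 (Let's Encrypt's own root, assumed here to be the alternate root) finds the second path, and revoking a cross-certificate only removes the paths that run through it. The certificate names are the real ones; all expiry dates other than DST Root CA X3's 30 September 2021 are illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # expiry, UTC

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def build_paths(leaf, pool, trust_store):
    """Enumerate every path from `leaf` to a root in `trust_store`, following
    issuer names through `pool` (intermediates and cross-certificates)."""
    paths = []
    def walk(path):
        cur = path[-1]
        paths.extend(path + [r] for r in trust_store if r.subject == cur.issuer)
        for cand in pool:
            if cand.subject == cur.issuer and cand not in path:  # avoid loops
                walk(path + [cand])
    walk([leaf])
    return paths

def verify(leaf, pool, trust_store, now, revoked=frozenset()):
    """Return the subjects along the first path in which no certificate is
    expired or revoked, or None when no acceptable path exists."""
    for path in build_paths(leaf, pool, trust_store):
        if all(c.not_after > now and c not in revoked for c in path):
            return [c.subject for c in path]
    return None

# Constructed model of the Let's Encrypt chain around 30 September 2021.
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", utc(2021, 9, 30))
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", utc(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", utc(2024, 9, 30))  # cross-signed
R3 = Cert("R3", "ISRG Root X1", utc(2025, 9, 15))
LEAF = Cert("www.example.com", "R3", utc(2021, 12, 1))
POOL = [R3, ISRG_X1_CROSS]       # what a server typically sends with the leaf
LEGACY_STORE = [DST_X3]          # client that never added ISRG Root X1
UPDATED_STORE = [DST_X3, ISRG_X1]

if __name__ == "__main__":
    day_after = utc(2021, 10, 1)
    print(verify(LEAF, POOL, LEGACY_STORE, day_after))   # None: only path ends at expired root
    print(verify(LEAF, POOL, UPDATED_STORE, day_after))  # direct path via ISRG Root X1
    # Revoking the cross-certificate (the GlobalSign scenario) should only
    # remove the paths that pass through it, not the intermediates themselves.
    print(verify(LEAF, POOL, UPDATED_STORE, utc(2021, 9, 1), revoked={ISRG_X1_CROSS}))
```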