CSC Global - Domain name security and threat intelligence
In February 2020 Apple announced that it would only trust one-year digital certificates on its Safari browser. The decision had a domino effect, with Mozilla and Google following suit. Certificate providers announced that they would not issue two-year certificates after 19 August 2020, and from 1 September 2020, only one-year digital certificates would be trusted on Chromebrowser, Safari and Firefox.
As the frequency of replacing certificates increases, so does the risk of failing to replace a vital asset supporting online business operations. If this happens, it will not be possible to process secure transactions on the company’s site, which could cost a brand online business traffic, revenue and consumer trust. As such, it is more important than ever to ensure that a company’s digital certificate portfolio is secure, which can be done by following this four-step advice.
Brands can verify whether they have a full account of their digital certificates by answering these questions:
- How many and what types of certificates do they have?
- With which certificate authority are they registered?
- Who has permission to administrate these certificates?
- When is the renewal date for each certificate?
If a brand does not have an answer to all these questions, it is at risk of having digital certificates that are unaccounted for.
Companies should consolidate digital certificates with one provider and use Certificate Authority Authorisation (CAA) records to best manage certificates and control the permissions for issuing them. Adding CAA records means that only the authorised Certificate Authority on record can issue certificates for the brand domains. If someone tries to register with a different certificate provider, the owner will be sent an alert. Deploying CAA records supports the consolidation of providers, reduces the overall cost of management and greatly lowers the risk of an unexpected expiration, which is infinitely higher when there are multiple providers.
It is important to consider the validation level of the digital certificates and the impact that this has on consumers and their confidence in the security of a company’s sites. Brands should use organisation validation certificates for their vital domains, as these go through a three-step verification process. Extended validation certificates have the most stringent verification criteria but can be more expensive and take longer to process. Both types of certificate are preferable to domain-validated ones, which can be obtained by anyone with a credit card who can be proven to own the domain in question.
The easiest way to deal with the increased frequency of renewals is to automate. Automated certificate monitoring, renewal and replacement will simplify brand owners’ lives and prevent the risk of an unexpected expiration.