Services Will Adopt PKI to Comply
Let’s Encrypt and Google have paved the way for ‘HTTPS Everywhere.’ If you can get a free DV SSL certificate, there really isn’t an excuse for not having one. Over 68 percent of Chrome traffic on both Android and Windows now uses HTTPS, and Google plans to mark all non-HTTPS websites as ‘Not Secure’ by July 2018. This boost in adoption, together with easy availability, has paved the way for industry regulators to require HTTPS in their industries, too. Just a few examples of recent regulations involving the need for PKI (SSL and otherwise) include:

For the first time in history, organizations in all industries, independent of size, are being forced to recognize the need for data security. Data, after all, is the new currency, and protecting it doesn’t just mean protecting consumers and customers; it means protecting a brand’s reputation and a business’s value. Most companies are in the middle of a huge shift from paper to digital transactions. Some are undergoing full digital transformation programs that implement processes and technologies to streamline services and automate much of what used to be manual work. In all of this hype, regulators have discovered the need to implement policies around the encryption and protection of data as it travels around an organization. PKI is one tool helping organizations comply with those policies.

PKI for the IoT
Let’s use the example of a hospital. Devices are being created today that make up the “Internet of Medical Things.” These devices help to save lives by extracting data in real time from patients, allowing practitioners to spot anything happening quickly. Sensors can be attached to patients in a hospital that will alert doctors when vital signs drop. Once a patient is released, a doctor can prescribe medication that has trackers on it, so the doctor knows that the patient has been taking their medication. Even everyday medical devices like pacemakers can be given an IoT upgrade, allowing them to send vital information to patients and their doctors that will warn them of a heart attack or stroke.

Manufacturers of IoT devices are becoming educated on the importance of building security into their products. The technology is available, but up until now, most consumers would buy IoT products without security in mind. As security-conscious shopping habits start appearing, manufacturers are forced to invest in security to keep their products ahead in the market.

Governments are developing smart cities, smart grids, smart medical devices, and smart cars that will replace our entire infrastructure one day. We need to make sure that every ‘thing’ that talks to another ‘thing’ over the internet can be trusted, or we could end up in a position where people are put at risk because a hacker has compromised a device. We have too much to lose if IoT ecosystems do not employ encryption, authentication and data integrity.

HTTPS Will Really Be Everywhere
As we already mentioned, Chrome has shown that over 68 percent of its traffic on Android and Windows is now encrypted. This isn’t the same on all browsers, of course. If you think about the exponential growth of encryption, it took 20 years to get 40 percent of the web encrypted, and then in one year after that, it jumped to 50 percent; now, in January 2018, we are at around 68 percent. That’s incredible growth! As Google moves to mark non-HTTPS websites as ‘Not Secure’ in the browser, website owners will have to jump on HTTPS just to keep their visibility in the search engines and browsers. By doing this, Google is educating the masses on cybersecurity and ensuring that people think encryption first.

Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure.” In Chrome 66, due to be released April 16, 2018, Chrome will also start distrusting any Symantec certificates issued before June 1, 2016. By the release of Chrome 70, all Symantec SSL certificates issued prior to December 1, 2017, will become untrusted by Google Chrome. It appears that a large chunk of the web is still using certificates from Symantec or its child companies (GeoTrust, Verisign, and RapidSSL). TechTarget estimates that of the top 1 million sites in Alexa, approximately 103,000 are still using Symantec roots. Roughly 11,000 certificates will be distrusted in the Chrome 66 release and a further 91,000 with Chrome 70. When this happens, a large portion of the web will appear as ‘Not Secure.’ That is all the more reason for people to be reminded of the importance of SSL.

Validation Will Evolve
Recently, we heard news from a security researcher that Code Signing Certificates are being sold on the internet using stolen information from legitimately registered companies that likely have no idea their credentials are being used in that way. These certificates have proved to be extremely effective in malware obfuscation. It’s not uncommon for security researchers to discover a flaw in the system (I mean, this is what they are there for), but because several news stories about malicious use of certificates are all coalescing, industry experts are refocusing the next year on analyzing and adjusting current validation methods. The CA/B Forum has announced the Validation Summit, which many CAs and browsers will be attending to discuss potential issues with current validation methods and propose a series of improvements. I don’t think this will be the last we hear about validation methods this year. CAs should be looking to be as strict as possible with validation (even for DV SSL certificates), while our security folks should be working on new and improved methods that will improve the safety of the internet as a whole.

The Race for a Quantum Safe Algorithm
Are we getting close to a quantum computer that will crack current encryption methods? I have read a number of articles that appear to say we are, but of that I’m not so certain. There are others that say quantum computing is further off than we think it is. The truth is, making quantum computing work is difficult. But that isn’t to say that we shouldn’t worry about what effect it will have on encryption. Supercomputers still exist, and there are still applications for quantum safe algorithms out there! The NSA and NIST are reacting to the public’s fears by putting out a call to cryptographers for a quantum safe algorithm. Will the next algorithm be code-based, lattice-based, or hash-based?

I am under the personal belief that we are a long way away from having to worry about quantum computing beating current computing methods. At this stage, we still aren’t sure what quantum computing will look like, how fast it will be, or how quickly it will break current encryption. So, how do we know what algorithm will beat it? The main takeaway that I want to impart is that PKI doesn’t die when quantum computing is born. PKI simply evolves. We create new algorithms to beat the processing power in accordance with Moore’s Law, and we’ve still been able to develop algorithms faster than they need to be introduced. Look at SHA-3: the reason you aren’t seeing widespread use yet is because SHA-2 still works perfectly fine.
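Returning to the Chrome 66 and Chrome 70 Symantec distrust schedule described under ‘HTTPS Will Really Be Everywhere’ above, here is an added example (not code from the original post) that triages a certificate inventory against those two cutoff dates. It assumes a hypothetical inventory format where each entry carries the subject, the issuer organisation name and the notBefore date, and it matches issuers on the brand names the post lists, which is a simplification of Chrome’s root-based policy.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Brands the post names as Symantec and its child companies. Matching on the
# issuer name is a simplifying assumption; Chrome keys on the legacy roots.
SYMANTEC_BRANDS = ("symantec", "geotrust", "verisign", "rapidssl")
# Distrust schedule from the post: (Chrome release, certificates issued before).
DISTRUST_SCHEDULE = ((66, date(2016, 6, 1)), (70, date(2017, 12, 1)))

@dataclass
class CertSummary:
    subject: str
    issuer_org: str
    not_before: date  # issuance date, the field the schedule keys on

def is_symantec_issued(cert: CertSummary) -> bool:
    org = cert.issuer_org.lower()
    return any(brand in org for brand in SYMANTEC_BRANDS)

def first_distrusting_release(cert: CertSummary) -> Optional[int]:
    """Earliest Chrome release (66 or 70) that shows the certificate as
    untrusted, or None if the schedule does not touch it."""
    if not is_symantec_issued(cert):
        return None
    for release, cutoff in DISTRUST_SCHEDULE:
        if cert.not_before < cutoff:
            return release
    return None

def distrusted_in(cert: CertSummary, chrome_version: int) -> bool:
    """True if a user on this Chrome release would see the site as untrusted."""
    release = first_distrusting_release(cert)
    return release is not None and chrome_version >= release

# Constructed sample inventory; hostnames, issuers and dates are made up.
SAMPLE_INVENTORY = [
    CertSummary("shop.example", "GeoTrust Inc.", date(2016, 3, 10)),
    CertSummary("api.example", "Symantec Corporation", date(2017, 8, 2)),
    CertSummary("www.example", "RapidSSL Inc.", date(2018, 1, 15)),
    CertSummary("mail.example", "Let's Encrypt", date(2017, 5, 1)),
]

def triage(inventory) -> dict:
    """Group subjects by the release that first distrusts their certificate."""
    report: dict = {}
    for cert in inventory:
        report.setdefault(first_distrusting_release(cert), []).append(cert.subject)
    return report
```

Running `triage(SAMPLE_INVENTORY)` puts shop.example under Chrome 66, api.example under Chrome 70, and leaves the other two unaffected, which is the order in which a renewal plan would need to address them.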
