On Saturday at the First IEEE Conference
on Trust, Privacy, and Security in Intelligent Systems and Applications in Los Angeles, Calfornia, a team of researchers from Keyfactor presented their findings into the security posture of digital certificates, ZDNet reported
In response, Michael Barragry, operations lead and security consultant at edgescan,
As is generally the case with cryptographic flaws, this issue is due to a fault in the implementation rather than any weakness with the underlying mathematics. Public key certificates are one of the key pieces of infrastructure that enable various devices and servers to securely identify and trust each other. If a malicious actor can successfully spoof a certificate for a particular device, they can essentially masquerade as that device. Depending on the trust chain that it lies within, multiple further attacks may be possible.
Vendors need to be conscious of the potential upstream impact of all design decisions, as in this case it seems like an innocuous shortcut around random number generation has given rise to a much more serious flaw.
End-users should ensure that all devices in their infrastructure are kept patched and updated with the latest firmware. Devices of higher criticality should use multi-factor authentication for an additional layer of security.