Business not prepared for shift to 90-day TLS certificates

A new survey of 800 security decision-makers across the US, UK, Germany and France reveals that 76 percent of security leaders recognize the pressing need to move to shorter certificate lifespans to improve security.

However, the study, from machine identity specialist Venafi, also shows many feel unprepared to take action, with 77 percent saying the shift to 90-day certificates will mean more outages are inevitable.

It finds 81 percent of security leaders believe Google's proposed plans to shorten TLS certificate lifespans from 398 days to 90 days will amplify existing challenges they have around managing certificates. An overwhelming 94 percent of survey respondents are concerned about the impact of the changes, with nearly three-quarters (73 percent) saying it could cause 'chaos' and a further 75 percent saying it could even make them less secure.

The recent announcement by Google that public TLS certificates issued by Certificate Authority (CA) Entrust after October 31, 2024 will no longer be accepted in the Chrome browser is just the latest example of disruption in the CA market. 88 percent of security leaders report their organization has been impacted by CA revocations. Of these, 45 percent had to deploy extra resources to deal with these certificates, 38 percent suffered a security incident and 31 percent had a certificate-related outage.

The report also highlights concerns around the threat of quantum computing. 64 percent of security leaders say they 'dread the day' the board asks about their migration plans. 78 percent say if a quantum computer capable of breaking encryption is built, they will 'deal with it then,' with 60 percent believing that quantum computing doesn't present a risk to their business today or in the future. Moreover, 67 percent dismiss the issue, stating it has become a 'hype-pocalypse.'

"We recently lived through the world’s greatest IT outage -- the CrowdStrike update outage was an error and unexpected. Security teams know they will be hit with major risks when new outages occur from what they love to hate: more expiring certificates," says Kevin Bocek, chief innovation officer at Venafi. "Shifting to shorter certificate lifecycles significantly reduces these risks and is a necessary move. However, this can also bring more chaos for security teams -- and it's a double whammy with Entrust being distrusted in Chrome. There aren't just canaries in the coal mine; there are groundhogs in every cloud, virtual machine and Kubernetes cluster. It's not just one software update vendor; it's the entire Internet as we know it."

The full report is available on the Venafi site.


© 1998-2024 BetaNews, Inc. All Rights Reserved.