Wildcard SSL certificates may be more convenient and easier to manage than individual certificates, but using Wildcard to get SSL on the cheap ignores serious security questions. A huge market has sprung up around Wildcard, but businesses should weigh convenience against risk in making any decision about certificates.
An SSL certificate provides a way of certifying or validating that the communications channel you’re using is secure and therefore the information being passed over it is not likely to have been tampered with, said James Quin, senior research analyst with Info-Tech Research Group.
“If I’m contacting a bank and I want to start doing some online banking, the first thing that’s going to happen is I get transferred to a secure Web site,” he said. “For me to trust the bank, I want them to give me a certificate.”
Before Wildcard, if you ran multiple Web sites on one server and wanted to demonstrate the trust of each of those sites, you’d require individual certificates. A Wildcard cert allows you to certify multiple domains tied to a single IP address, so if you have one physical device with multiple server instances on it, you can verify that all of those domains are valid.
“You need a certificate, otherwise you can’t submit sensitive information securely,” said Claudiu Popa, president and CSO of Informatica Corp. “The bottom line is you don’t want your users to get any error messages because that scares the crap out of people.”
The functionality of a certificate, he said, is two-fold. First, it identifies the site you’re connecting to so your browser feels warm and fuzzy about exchanging sensitive information. Second, it provides your browser with an encryption key so the connection can take place.
It’s in your best interest to cover as many options as possible, he said, since there are at least two or three ways to access a site – some people don’t type in “www” while others just type in the company name and expect to be redirected. “If you restrict yourself to just one, you may be forcing users to see that error message just by accident,” said Popa. “An individual certificate only works on one possible spelling of your Web site and a Wildcard certificate works on all possible sub-domains of your domain name.” If you don’t want to risk putting an error message in front of customers, then a Wildcard could make sense.
“Where Wildcard certs have value is for anyone who is hosting multiple servers or server instances on one platform,” said Quin. “Why this is becoming valuable at this point in time is because of the growing popularity of virtualization – as I virtualize I put more instances on one physical device and therefore I can now validate the trust of all of those instances with a single certificate.”
But SSL is not about providing security; rather, it’s about validating trust. While it creates a secure channel of communications between the user and end-point server, it has nothing to do with security on the server itself.
“The fact is anyone can get an SSL certificate, so a lot of these phishing sites will leverage that,” said Popa. “Certificate providers will sell secure certificates to just about anybody.” And even if they didn’t, certs are relatively easy to hijack.
“Once you gain control of a Web server, you can make that SSL certificate work for you,” he said. If a hacker breaks into an e-commerce site with a digital certificate, the hacker can then establish a secure session with a visitor’s browser. “Hackers can now forge that encrypted connection simply by virtue of hijacking an SSL certificate,” he said, “and of course it’s easier to do with a Wildcard certificate because you can create a sub-domain for your hijacked site.”
The more certificates you have, the smaller the impact of a security breach. “In the grand scheme of things we’re not crazy about Wildcard SSL,” said Tim Callan, director of product marketing with VeriSign, which provides security services to protect online interactions.
“If I put an individual certificate on every server in my system that is secured with SSL and swapped those certificates out on an annual basis, then that is the maximum diffusion of the vulnerability,” he said. “The more you get away from that, the more risk you’re undergoing in a PKI scenario.” In other words, if you use the same certificate on 50 servers, in the event you do have a security breach, you’re not out one server – you’re out 50 servers. “The ultimate example of this is Wildcard,” said Callan.
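The shared-certificate risk Callan describes can be measured from a certificate inventory. The sketch below is an added example, not part of the original article; the server names, key ids and `example.test` hostnames are constructed, and the matching rule assumed is the usual browser one, where `*` covers exactly one leftmost label.

```python
# Added example: inventory, names and key ids below are constructed.

def san_matches(pattern, hostname):
    """Browser-style name match: '*' is valid only as the entire leftmost
    label and stands for exactly one label (never the bare domain)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least "*.domain.tld" so "*.test" is never honoured.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

# server -> (private-key id, names on its certificate, hostnames it serves)
INVENTORY = {
    "web1": ("key-wild", ["*.example.test"], ["www.example.test"]),
    "web2": ("key-wild", ["*.example.test"], ["shop.example.test"]),
    "web3": ("key-wild", ["*.example.test"], ["mail.example.test"]),
    "pay1": ("key-pay", ["pay.example.test"], ["pay.example.test"]),
}

def blast_radius(inventory, compromised):
    """Return (servers that must be re-keyed, hostnames the stolen key can
    present a valid certificate for) if `compromised` is breached."""
    key_id, cert_names, _ = inventory[compromised]
    rekey = sorted(s for s, (k, _, _) in inventory.items() if k == key_id)
    served = {h for _, _, hosts in inventory.values() for h in hosts}
    exposed = sorted(h for h in served
                     if any(san_matches(n, h) for n in cert_names))
    return rekey, exposed

if __name__ == "__main__":
    for server in ("web1", "pay1"):
        rekey, exposed = blast_radius(INVENTORY, server)
        print(f"{server} breached: re-key {rekey}; names exposed {exposed}")
```

In this constructed inventory a breach of `web1` exposes `pay.example.test` as well, even though that host runs on its own certificate, because the wildcard name still matches it; a breach of `pay1` exposes only its own name.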
What’s often driving the decision to go with Wildcard is convenience. Most businesses don’t want to go through the authentication process whenever they need a certificate – and they might need one in an awful hurry.
“That is easily solved with today’s managed certificate solutions,” said Callan. “If you run certs in volume, it’s easy to have some certs sitting in your back pocket that you could take and deploy at a moment’s notice.”
Because the ability to zero in on the specifics of a cert is compromised somewhat in the Wildcard architecture, the industry consortium Certification Authority Browser Forum has disallowed Wildcard by standard. “The industry agrees that Wildcards have their place,” said Callan, “but it’s important to recognize what that place is.”