Earlier this year, Mexican restaurant chain Guzman y Gomez received a reputational black eye when it emerged that inadequate planning and testing had taken place before the launch of a new app and a promotion that made customers who ordered through the app eligible for a free burrito.
Not only did demand far exceed expectations, placing a significant and unexpected load on backend systems, but enterprising customers were able to circumvent the built-in security checks by changing their account details and buying inexpensive SIM cards to register multiple times, effectively securing burritos for the cost of a SIM card, a fraction of the price of a burrito. After the company closed this loophole, it was later revealed that the business' SSL certificates had also expired.
SSL (now TLS) certificates underpin the authenticated, encrypted connections used to establish trust between two IP-connected systems: the certificate binds a server's public key to its domain name, and the keys that encrypt the session are negotiated only after that binding has been verified. Encryption is a critical cornerstone of security and privacy for all online transactions. The protocol is ubiquitous, used for secure browsing, email, instant messaging and voice-over-IP (VoIP) applications. Though Guzman y Gomez's SSL issue was quickly fixed, the vital role keys and certificates play in maintaining trust was exposed.
Maintaining visibility over the cryptographic keys and certificates that underpin the secure connection between customers and business infrastructure is vital. Visitors accessing secure services through a web browser will be warned by that browser if a certificate has expired or is invalid, leading informed customers to go elsewhere. Worse yet, expired or compromised certificates can expose customers' personal data: once users are trained to click through certificate warnings, or an attacker holds the private key of a compromised certificate, the attacker can interpose on the supposedly secure connection, collect the credentials and session ID exchanged over it and use them to gain access to users' accounts and systems.
While the maintenance of cryptographic certificates is a concern for every business, an additional risk factor is the retirement of the antiquated SHA-1 standard. From January 1 next year, modern browsers, including Internet Explorer and Google Chrome, will begin flagging pages served with certificates signed using SHA-1, one of the most popular cryptographic hash functions since its introduction in 1995, with security errors. The outdated hash function was designed for a far different web environment than we have in 2016; years of cryptanalysis have eroded its collision resistance, and a forged certificate built on a SHA-1 collision would let an attacker impersonate a legitimate site and steal customer data.
From the start of 2017, browsers will notify visitors that payment and password pages secured with SHA-1 cannot be trusted. This has the potential to cause reputational damage and an erosion of consumer trust, with customers inclined to seek out more secure competitors.
Businesses relying on SSL to offer secure services to customers and partners will need to migrate to the far more robust SHA-2 family (in practice SHA-256) in the coming months, and the migration covers intermediate certificates as well as the server certificate itself, which can prove quite a challenge for businesses with sprawling, complex IT systems. Many organisations lack visibility into where the keys and certificates that underpin encryption are located within their infrastructure and have no way to automate the maintenance and renewal of certificates and keys to ensure they remain current. Businesses must conduct regular audits of their keys and certificates, recording for each one where it is deployed, when it expires and which signature algorithm it carries, and automate the process as much as possible, not only to track risk factors but to manage the lifecycle of their security infrastructure and maintain the trust of customers and partners alike.
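As an added illustration of the audit described above, and of the SHA-1 check the preceding paragraphs call for, the following Python script (written for this article, not anything Guzman y Gomez or a browser vendor published) classifies certificates by expiry date and signature algorithm. It works on the text that `openssl x509 -noout -subject -enddate -text` prints, so it can be fed from an `openssl s_client` pipeline run against your own hosts. The host names, dates and outputs embedded here are constructed sample data, and the 30-day warning window and the fixed reference date of 1 September 2016 are assumptions made for the example.

```python
"""Audit TLS certificates for expiry and SHA-1 signatures (added example, not from the article)."""
import re
from datetime import datetime, timedelta

# Signature algorithms browsers stop trusting from 2017, spelled as `openssl x509 -text` prints them.
WEAK_SIGNATURE_ALGORITHMS = {
    "sha1WithRSAEncryption",
    "ecdsa-with-SHA1",
    "dsaWithSHA1",
    "md5WithRSAEncryption",
}


def openssl_inspect_command(host, port=443):
    """Return the shell pipeline whose output parse_openssl_text() expects.

    It is not executed here; run it yourself against hosts you are responsible for.
    """
    return (
        f"openssl s_client -servername {host} -connect {host}:{port} </dev/null 2>/dev/null "
        "| openssl x509 -noout -subject -enddate -text"
    )


def parse_openssl_text(text):
    """Pull subject, notAfter and signature algorithm out of `openssl x509` text output."""
    subject = re.search(r"^subject=\s*(.+)$", text, re.MULTILINE)
    not_after = re.search(r"^notAfter=(.+)$", text, re.MULTILINE)
    # `-text` prints the algorithm twice (inside the TBS block and after it); the first is enough.
    sig_alg = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.MULTILINE)
    if not (subject and not_after and sig_alg):
        raise ValueError("unrecognised openssl output")
    # openssl prints dates like "Aug 30 23:59:59 2016 GMT" (day padded with a space).
    expires = datetime.strptime(not_after.group(1).strip(), "%b %d %H:%M:%S %Y %Z")
    return {"subject": subject.group(1).strip(), "not_after": expires, "sig_alg": sig_alg.group(1)}


def assess(cert, now, warn_days=30):
    """Return a dict of findings for one certificate; an empty dict means nothing to do."""
    findings = {}
    if cert["sig_alg"] in WEAK_SIGNATURE_ALGORITHMS:
        findings["weak_signature"] = cert["sig_alg"]
    if cert["not_after"] <= now:
        findings["expired_days_ago"] = (now - cert["not_after"]).days
    elif cert["not_after"] - now <= timedelta(days=warn_days):
        findings["expires_in_days"] = (cert["not_after"] - now).days
    return findings


def audit(outputs, now, warn_days=30):
    """Map host -> openssl text to host -> findings, keeping only hosts that need attention."""
    report = {}
    for host, text in outputs.items():
        findings = assess(parse_openssl_text(text), now, warn_days)
        if findings:
            report[host] = findings
    return report


# Constructed sample output (abridged) in the shape `openssl x509 -noout -subject -enddate -text`
# prints. The hosts, serials and dates are invented for this example.
SAMPLE_OUTPUTS = {
    "order.example.com": """subject=CN = order.example.com
notAfter=Aug 30 23:59:59 2016 GMT
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
    Signature Algorithm: sha1WithRSAEncryption
""",
    "www.example.com": """subject=CN = www.example.com
notAfter=Sep 20 23:59:59 2016 GMT
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
""",
    "api.example.com": """subject=CN = api.example.com
notAfter=Mar  1 23:59:59 2018 GMT
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
""",
    "legacy.example.com": """subject=CN = legacy.example.com
notAfter=Jun  1 23:59:59 2017 GMT
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: ecdsa-with-SHA1
""",
}

# Fixed reference date (assumed) so the run is reproducible.
AUDIT_DATE = datetime(2016, 9, 1)
REPORT = audit(SAMPLE_OUTPUTS, AUDIT_DATE)

if __name__ == "__main__":
    for host, findings in sorted(REPORT.items()):
        print(host, findings)
```

Against live systems, pipe the output of `openssl_inspect_command(host)` into `parse_openssl_text()` for every host in your inventory, and run the same check over the intermediates (`openssl s_client -showcerts` returns them), since browsers reject SHA-1 on the whole chain below the root. The script only sees the hosts you tell it about, which is exactly the visibility problem the paragraph above describes.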
With the clock ticking towards 2017, any organisation conducting business online needs to take heed and audit and upgrade its keys and certificates before it's too late. After all, reputations can take years to establish, yet mere moments to be dashed.