EV certs dead by automation

September 23, 2018
2 minute read
security

Troy Hunt wrote a longer blog post, On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let’s Encrypt. Of course he’s right in pointing out that the effectiveness of EV certs is entirely dependent on people recognising what they mean and actually adapting their behaviour accordingly. It’s also an interesting read on the marketing stunts of commercial CAs, which I believe don’t really fit the purpose of CAs, namely providing trust.

However, what I found most interesting were the remarks that people abandon Extended Validation certificates because they pose issues in automation. To me this seems to be a nice example of a well-intended security technology (who would argue against increasing trust in certificates?) that simply isn’t going to fit into today’s infrastructure environment.

This seems to be a general pattern:

Now it would be easy enough to complain that “again” security lost but in reality I think it rather shows that security folks

That’s the pattern we need to overcome!

Besides the fact that the short certificate lifetime Let’s Encrypt offers increases security in itself, it’s the automation it offers that really increases security. However, that automation isn’t something that we security folks control. It’s mandatory that we align with operations folks and strive to automate security processes as much as we can, using the existing tooling that other teams already use.
