Troy Hunt wrote a longer blog post, On The (Perceived) Value of EV Certs, Commercial CAs, Phishing and Let's Encrypt. Of course he's right in pointing out that the effectiveness of EV certs depends entirely on people recognising what they mean and actually adapting their behaviour accordingly. It's also an interesting read on the marketing stunts of commercial CAs, which I believe don't really fit the purpose of a CA, namely providing trust.
However, what I found most interesting were the remarks that people abandon Extended Validation certificates because they get in the way of automation: EV validation is a manual vetting step on the CA's side, so an EV cert cannot simply be requested and renewed by an ACME client the way a domain-validated one can. To me this is a nice example of a well-intended security technology (who would argue against increasing trust in certificates?) that simply isn't going to fit into today's infrastructure environment.
This seems to be a general pattern:
- Security demands something that requires manual processes.
- This gets in the way of current practices (infrastructure as code, automation).
- The security requirement gets ignored or circumvented.
Now it would be easy enough to complain that "again" security lost, but in reality I think it rather shows that security folks
- didn’t adapt to changes in the environment
- were disconnected from Ops teams
That’s the pattern we need to overcome!
Besides the fact that the short certificate lifetime Let's Encrypt issues (90 days) increases security in itself, by limiting how long a compromised or mis-issued key stays usable, it is the automation around it that really increases security. That automation, however, isn't something we security folks control: it lives in the deployment tooling the operations teams already run. So it's mandatory that we align with the operations folks and strive to automate security processes as much as we can using the tooling those teams already use, rather than bolting separate manual processes on top.
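To make the "automation beats manual process" point concrete, here is an added example (not code from the post, from Troy Hunt, or from Let's Encrypt) of the reconciliation step a certificate pipeline runs on every tick. It assumes the Let's Encrypt lifetime of 90 days and the common ACME-client rule of renewing once two thirds of the lifetime has passed, so a failed renewal is noticed while the old certificate is still valid. A self-signed certificate built with Go's standard library stands in for the ACME order so the example runs offline; the hostname `www.example.test` is made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"time"
)

// Assumed policy: 90-day certificates (Let's Encrypt) renewed once
// renewNum/renewDen of the lifetime has elapsed, i.e. 30 days before expiry.
const (
	certLifetime = 90 * 24 * time.Hour
	renewNum     = 2
	renewDen     = 3
)

// issueCert creates a self-signed certificate for name, valid for certLifetime
// starting at notBefore. It stands in for an ACME order so the example runs
// offline; a real pipeline would talk to the CA here.
func issueCert(name string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(certLifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// renewalDue reports whether, at time now, the certificate has used up
// renewNum/renewDen of its lifetime (or is already expired). Integer
// arithmetic on time.Duration keeps the threshold exact.
func renewalDue(c *x509.Certificate, now time.Time) bool {
	lifetime := c.NotAfter.Sub(c.NotBefore)
	threshold := c.NotBefore.Add(lifetime * renewNum / renewDen)
	return !now.Before(threshold)
}

// ensureValid is the idempotent step a deployment pipeline runs on every
// tick: keep the current certificate if it is still fresh, otherwise obtain
// a new one. The bool reports whether a renewal happened.
func ensureValid(name string, current *x509.Certificate, now time.Time) (*x509.Certificate, bool, error) {
	if current != nil && !renewalDue(current, now) {
		return current, false, nil
	}
	c, err := issueCert(name, now)
	return c, true, err
}

func main() {
	// Simulate 120 days of pipeline runs in 15-day steps from a fixed start.
	start := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC)
	var cert *x509.Certificate
	for day := 0; day <= 120; day += 15 {
		now := start.Add(time.Duration(day) * 24 * time.Hour)
		var renewed bool
		var err error
		cert, renewed, err = ensureValid("www.example.test", cert, now)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("day %3d: renewed=%-5v valid until %s\n",
			day, renewed, cert.NotAfter.Format("2006-01-02"))
	}
}
```

Run stand-alone it renews on day 0, day 60 and day 120 and keeps the certificate on the ticks in between. The point is that nothing in this loop needs a human: an EV certificate, whose issuance requires out-of-band vetting, cannot be slotted into the `issueCert` step, which is exactly why teams drop it once their deployments are driven this way.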