Wildcard Certificates – Dangerous or easier to use?

What is a Wildcard Certificate?

A wildcard certificate is a public key certificate (such as an SSL/TLS certificate) that can protect several subdomains of a domain. It is usually acquired from a trustworthy public Certificate Authority (CA).

Multiple subdomains for your website can benefit your business, but they can also be challenging to manage. Securing each subdomain with its own SSL/TLS certificate adds complexity, and a wildcard certificate can efficiently resolve this issue.

Compared to managing individual certificates for your subdomains, a Wildcard certificate can save you time and money.

In wildcard notation, the domain name is prefixed by an asterisk and a period. Wildcards are frequently used in Secure Sockets Layer (SSL) certificates to extend SSL encryption to subdomains. A traditional SSL certificate is only valid for a single domain, such as www.domain.com. A *.domain.com wildcard certificate will also protect cloud.domain.com, shop.domain.com, mobile.domain.com, and other subdomains.

Why should you use Wildcard certificates?

Wildcard certificates are easier to use as they allow organizations to use a single certificate for all subdomains.

The following are some advantages of using wildcard certificates:

  • Secure any number of subdomains:

    Without having different SSL certificates for each subdomain, a single wildcard SSL certificate can cover as many subdomains as you want.

  • Straightforward Certificate Administration:

    Individual SSL certificates must be deployed and appropriately managed to secure an increasing number of public-facing domains, cloud workloads, and devices. With a single wildcard certificate, you can cover an unlimited number of subdomains, which makes certificate management simpler.

  • Cost-cutting

    A wildcard certificate costs more than an ordinary SSL certificate, but it becomes a cost-effective alternative compared to the overall cost of securing all of your subdomains, each with their own certificate.

  • Fast and Flexible Implementation:

    A wildcard certificate is a great way to build new sites on new subdomains that your existing certificate can cover. There’s no need to wait for a new SSL certificate, which saves your organization time and speeds up your time to market.

Tailored Encryption Services

We assess, strategize & implement encryption strategies and solutions.

Potential Security risks of Wildcard certificates

When a wildcard certificate is reused across multiple subdomains hosted on various servers, the protections offered by SSL/TLS certificates are subject to additional security concerns. If one of the servers is breached, adversaries will compromise the certificate and its private key. In that case, the confidentiality and integrity of traffic to each site where the certificate is used is jeopardized. An attacker who obtains the certificate’s private key would be able to decrypt, read, modify, and re-encrypt traffic. This is likely to result in the exposure of sensitive information and further targeted attacks.

Wildcard certificates are frequently used to cover all domains with the same registered root, making administration straightforward. However, because the same private key is used across numerous systems, the freedom that comes with using wildcard certificates also comes with severe security risks:

  • Access To Private Keys:

    If the private key of a wildcard certificate gets compromised, the hacker can impersonate any subdomain covered by the wildcard certificate.

  • Fake Certificates

    Attackers can fool a certificate authority (CA) into issuing a wildcard certificate for a bogus organization. Once the attacker gets the fictitious company’s wildcard certificates, they can set up subdomains and phishing sites.

  • Certificate Management

    All sub-domains will require a new certificate if the wildcard certificate gets revoked.

  • Web Server Security

    If one server or sub-domain gets hacked, all sub-domains may be hacked as well.

  • A single point of failure:

    The private key of a wildcard certificate is a single point of total compromise. If that key is compromised, all secure connections to all servers and subdomains covered by the certificate will be compromised.

Attackers can easily misuse wildcard certificates if an organization doesn’t have adequate security, control, or monitoring.

Strategy to consider when using Wildcard Certificates

  • Limit the use of wildcard certificates to a specific purpose for better security control.
  • Hold a detailed discussion with the security team and leadership about the purpose of using a wildcard certificate.
    • Understand the security risks.
    • Will this decision be more efficient for your organization?
    • Are you planning to use a wildcard certificate to save time?
    • Are you trying to save money?
  • Keep an accurate and up-to-date inventory of certificates in your environment which includes documenting key length, hash algorithms, certificate expiry, certificate locations, and the certificate owner.
  • Ensure that private keys are stored and protected according to the industry’s best practices (i.e., using a certified HSM).
  • Automate certificate renewal, revocation, and provisioning processes to prevent unexpected expirations and outages.
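
The scope rule from the wildcard notation section and the inventory recommended in the list above can be combined into one check. The following is an added example, not code from the original article: it assumes the usual TLS matching rule (the asterisk stands for exactly one left-most label), and the inventory records, host names and thresholds (2048-bit keys, MD5/SHA-1 treated as weak, 30-day renewal window) are constructed for illustration.

```python
from datetime import date


def wildcard_matches(pattern, hostname):
    """True if `hostname` is covered by the certificate name `pattern`.

    Assumed rule (the common TLS one): '*' is allowed only as the whole
    left-most label and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    return len(p) == len(h) and bool(h[0]) and p[1:] == h[1:]


# Constructed inventory: one record per certificate, with the fields the
# inventory item above asks for. "locations" lists every system holding the key.
INVENTORY = [
    {"name": "*.domain.com", "key_bits": 2048, "sig_hash": "sha256",
     "not_after": date(2025, 3, 1), "owner": "web-team",
     "locations": ["lb-01", "shop-vm-3", "mobile-api-2", "legacy-cms"]},
    {"name": "vpn.domain.com", "key_bits": 1024, "sig_hash": "sha1",
     "not_after": date(2026, 1, 15), "owner": "",
     "locations": ["vpn-gw"]},
]

# Constructed list of host names in use.
HOSTS = ["www.domain.com", "shop.domain.com", "mobile.domain.com",
         "domain.com", "api.shop.domain.com", "vpn.domain.com"]


def audit(inventory, hosts, today, min_key_bits=2048,
          weak_hashes=("md5", "sha1"), renew_days=30):
    """Return one finding per certificate: hosts covered, key copies, issues."""
    findings = []
    for cert in inventory:
        issues = []
        copies = len(cert["locations"])
        if cert["name"].startswith("*.") and copies > 1:
            issues.append("wildcard key stored on %d systems" % copies)
        if cert["key_bits"] < min_key_bits:
            issues.append("key length %d below %d"
                          % (cert["key_bits"], min_key_bits))
        if cert["sig_hash"].lower() in weak_hashes:
            issues.append("weak signature hash " + cert["sig_hash"])
        days_left = (cert["not_after"] - today).days
        if days_left < 0:
            issues.append("expired %d days ago" % -days_left)
        elif days_left <= renew_days:
            issues.append("expires in %d days" % days_left)
        if not cert["owner"]:
            issues.append("no owner recorded")
        findings.append({
            "name": cert["name"],
            # Every host a holder of this certificate's key could impersonate.
            "covers": [h for h in hosts if wildcard_matches(cert["name"], h)],
            "key_copies": copies,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, HOSTS, today=date(2025, 2, 10)):
        print(finding)
```

In the constructed data the wildcard also covers vpn.domain.com, so a copy of its key taken from any of the four systems can impersonate a host that has its own certificate, while domain.com and api.shop.domain.com fall outside the wildcard.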

Conclusion

No organization wants to put their brand name into a situation where it is a piece of cake for the attackers to leak sensitive information. Although wildcard certificates offer certain benefits, you should make sure you are using them consciously and strategically.

A Complete Guide For Secure File Transfer Protocol (SFTP)

Secure File Transfer Protocol (SFTP) is a transfer protocol that uses Secure Shell (SSH) encryption to ensure a high level of security when sending and receiving files. It is used to securely transmit data, in the form of audio, video, and files, between a local system and a remote end server. It is based on the File Transfer Protocol (FTP) and contains Secure Shell (SSH) security components. SFTP supports a variety of authentication mechanisms, including user IDs and passwords, SSH keys, and combinations of the two. What makes it different from other protocols is its use of encryption and authentication methods, which is essential because file transfers over the internet can contain users’ personal and financial information.

What is SFTP and its Working

SFTP is also known as SSH File Transfer Protocol, Secure File Transfer Protocol, and Secret File Transfer Protocol. It works on Network Layer Protocol and ensures a secure data exchange in a client-server architecture over a stable network connection. It was designed by the Internet Engineering Task Force (IETF).

Some of the information a system needs to configure for SFTP Client:

  • Server Hostname

    Provide the server’s hostname or IP address.

  • Port Name

    The client’s TCP port of choice when connecting

    Ex: Port no – 22 or other

  • Security Protocol

    Choose the protocol you wish to use to create a secure connection.

    Ex: SFTP, FTP, SCP, or other

  • Username

    Username by which the client wants to connect to the server

    Ex: Username: Admin

  • Password

    The password assigned to the user.

    Ex: ******

FIG: SSH Session for exchange of file and Communication

To avoid password sniffing and revealing critical information in plain text, SFTP transfers files securely via SSH and encrypted FTP instructions. SFTP also safeguards against man-in-the-middle attacks since the server must authorize the client.

Uses of SFTP

SFTP can be used anywhere file security is needed. One of the primary uses is compliance with requirements such as the federal Health Insurance Portability and Accountability Act (HIPAA), which oversees protected health information. Any third-party worker associated with a hospital or healthcare provider must also keep its information confidential, and that is where SFTP is very useful. SFTP is one of the numerous solutions for securing the data during transfer, ensuring that hackers do not gain access to it and that the organization does not inadvertently violate HIPAA if that law applies. Other data security standards like CCPA or GDPR can also be met using SFTP.

SFTP Encryption

Encryption has a significant role in Secure File Transfer Protocol. It protects data from hackers or any unauthorized person by converting it into an unreadable format so that no one can access it or tamper with it during the transmission process. After it reaches its destination, it is converted back into a readable format by authorized users using the key provided to the user. The SSH encryption method is used during the file transfer to secure the process. It can be done in various ways:

  • One of the ways is to encrypt the network before commencing the file transfer and generate the password to log on to the network using the automatically generated pairs of private and public keys.
  • Another way is to utilize the manually generated private and public keys to perform the authentication procedure, allowing the user to log in to the network without a password.

Applications of SFTP:

  • Mainly used to share sensitive data between two sources securely, it is used to undertake audits and transmit data and reports between the company and regulatory organizations.
  • SFTP provides us with functionalities to create, import, export, and delete files and directories. This helps in quick access of data from anywhere.
  • By the use of an updated authentication process, secret file-sharing can also take place.

Advantages of SFTP

There are various advantages of SFTP as a service

  • Data Security : When dealing with sensitive and personal data, data security is a major concern. If you want your files to be fully secured, SFTP provides various ways of secure data transfer. SSH file transfer requires the use of keys or usernames and passwords so that no intruder can get access to the data.
  • No Hardware Needed : Using SFTP doesn’t require any extra utilities like servers or infrastructure; once you enter into SFTP services, all facilities are immediately available for use.
  • Accessibility : From an Accessibility point of view, SFTP provides a single location to store all of its business files and gives you complete control and flexibility over it.
  • Speed and efficiency
  • Reduce Costs

Conclusion

We have discussed what SFTP is: Secure File Transfer Protocol is a transfer protocol in which Secure Shell encryption ensures a high level of security when sending and receiving files. Then we listed the information a system needs to configure an SFTP client. Uses of SFTP include compliance with requirements such as the federal Health Insurance Portability and Accountability Act (HIPAA), which oversees protected health information. The SSH encryption method is used during the file transfer to secure the process, and it can be done in various ways. Then, we discussed the applications and advantages of SFTP, making our discussion complete.

How CertSecure Manager Eliminated the Issue of Certificate Discovery for a Banking Institution 

Company Overview 

This particular banking institution is highly recognized in the US for personal banking, wealth management, and corporate finance. It has a reputation for solid data security measures and employs advanced encryption to protect client information as well as assets. 

Despite its strengths in enhanced cybersecurity, there exist some shortcomings when it comes to certificate management. There is a noted deficiency in its ability to manage digital certificates crucial for secure communication. This shortcoming of the banking institution has sometimes led to service disruptions and vulnerabilities in data security. This highlights an area needing improvement to enhance its trustworthiness and reliability in the banking sector. The organization is actively seeking solutions to refine its process of certificate management to uphold its commitment to the security of the consumer and service excellence. 

Challenges 

  1. Inefficient Certificate Discovery

    Certificate discovery refers to the systematic process of identifying and cataloging SSL/TLS certificates deployed across an organization’s infrastructure. These certificates can be scattered throughout various domains, servers, devices, and cloud services, making it challenging for organizations to track them manually.

    An inefficient certificate discovery can lead to a deteriorating security posture. Certificate expirations are one of the leading causes of certificate-related outages, which leads to disruptions in secure connections and potential service downtime. It may also lead to compliance issues with industry standards and regulations.

  2. Certificate Outages

    A certificate outage, also known as a certificate failure, refers to an SSL/TLS certificate becoming invalid, expired, or revoked, rendering it unusable for establishing secure connections. During such an outage, websites and online services relying on these certificates may experience disruptions, leaving them vulnerable to cyberattacks and data breaches. This type of incident can lead to a domino effect of problems, affecting user trust, reputation, and financial well-being of the impacted entities.

  3. Complicated Audits

    A lack of real-time visibility and reporting of every certificate across their on-prem and multi-cloud landscape led to complicated audits, which can be a major issue for their certificate management systems.

  4. Weak Crypto-Agility

    Cryptographic agility can be considered an approach to the solution required to meet the demands of current and future data security. A weak crypto-agility means a lack of cryptography diversification, ultimately leading to security challenges the organization faces.

Certificate Management

Prevent certificate outages, streamline IT operations, and achieve agility with our certificate management solution.

Solutions 

  1. Deployed CertSecure Manager for managing certificates across multi-cloud environments and Kubernetes clusters. This eliminated the issue of certificate discovery and tracking systems along with the manual certificate revocation process.

  2. The CertSecure Manager allowed administrators to define policies that adhered to the organization’s business policies. This mitigated the tracking of private keys and certificate usage while monitoring certificate expiration and renewal processes.

  3. CertSecure Manager allowed users to manage and monitor certificate requests, mitigated the manual processing of certificate requests for IoT devices and Kubernetes clusters, and simplified the manual process linked to certificate distribution.

  4. The tool also provided granular access control for end-to-end certificate lifecycle management based on user or role. This enabled auditing on the keysize and signing algorithm used by the Certificates.

  5. CertSecure Manager also provided visibility into the Kubernetes environment. This eliminated the risks associated with the lack of visibility into the multiple PKIs running in the environment.

Impact 

  1. Deployed CertSecure Manager for managing certificates across multi-cloud environments and Kubernetes clusters. This eliminated the issue of certificate discovery and tracking systems along with the manual certificate revocation process.

  2. CertSecure Manager allowed administrators to define policies adhering to the organization’s business policies. This gave granular access to the control system based on user or role.

  3. It even allowed users to manage and monitor certificate requests, leading to customizable workflows.

  4. CertSecure Manager provided granular access control for end-to-end certificate lifecycle management based on user or role and provided visibility into the Kubernetes environment. It gave extensive reporting functionalities to provide visibility into certificate usage and enterprise security posture.

Conclusion 

Implementing CertSecure Manager at this banking institution has markedly transformed its approach to certificate management, particularly addressing the critical issue of certificate discovery. By integrating CertSecure Manager, the bank has effectively centralized the management of SSL/TLS certificates across its diverse and sprawling digital infrastructure, including multi-cloud environments and Kubernetes clusters. This strategic move has mitigated the risks associated with expired or unmonitored certificates, streamlined compliance audits, and enhanced the institution’s cryptographic agility. 

Significantly, the solution’s robust policy definition capabilities have allowed the bank to enforce stringent security protocols while maintaining flexibility in certificate management, which aligns with the institution’s dynamic needs. The granular access control and real-time visibility provided by CertSecure Manager have enhanced the security posture by ensuring that all certificates are consistently monitored, thus reducing the incidence of outages and vulnerabilities.

Moreover, the tool’s comprehensive reporting functionalities have empowered the institution with actionable insights into certificate usage and overall enterprise security health. In conclusion, the CertSecure Manager has not only resolved the immediate challenges of certificate discovery and management but has also equipped banking institutions with the tools to anticipate and respond efficiently to future cybersecurity challenges.  

A 360-Degree Overview of CRL Distribution Point

A CRL distribution point (CDP) is a location, in the form of a URL, where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use Hypertext Transfer Protocol (HTTP), LDAP, or File.

Importance

With the help of CDP, an application or a site-visitor can retrieve the Certificate Revocation List (CRL) thereby determining whether the digital certificate is trustworthy or not. This can protect them from visiting or accessing fraudulent sites and from man-in-the-middle attacks. In the absence of CRL, they might be vulnerable to data-theft, malware, fraud, financial loss etc.

Defining CRL Distribution Points

You can define a CA’s CDP URLs by using the certutil command to edit the CRLPublicationURLs registry entry. The command allows you to designate one or more URLs as well as which CRL publication options are enabled for each URL.

For example, consider the following certutil command that defines the CDP extension:

certutil -setreg CA\CRLPublicationURLs "1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl"

This command defines three separate URLs. The URL order is important when implementing Windows clients because it specifies the order in which the certificate chaining engine searches URLs when retrieving an updated CRL version. Likewise, the number that precedes each URL represents the enabled options for each URL.

1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl : This URL ensures that the CRL file is copied to the local file system every time the CRL is automatically or manually published.

10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10 : This URL enables two values: 2 to designate the CRL’s publication point in AD DS and 8 to include the CDP URL in all CA-issued certificates.

2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl : This URL ensures that the URL pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl is included in the CDP extension of all issued certificates.
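
A value like the one above can be parsed and reviewed offline before it is applied. This is an added example, not part of the original article or of certutil: it assumes entries are separated by a literal \n, that option value 1 publishes the CRL to the location and 2 places the URL in issued certificates (as described for the first and third URLs), and the `review` checks and the second sample value are hypothetical.

```python
import re

# The value from the certutil command above, with the Windows path written with
# its backslashes; r"\n" is the literal two-character separator between entries.
SAMPLE = (
    r"1:C:\Windows\system32\CertSrv\CertEnroll\%3%8%9.crl\n"
    r"10:ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10\n"
    r"2:http://pki.EncryptionConsulting.com/CertEnroll/%3%8%9.crl"
)
# Constructed misconfiguration for comparison (hypothetical host name).
BROKEN = r"3:C:\CertEnroll\%3%8%9.crl\n2:http://pki.example.test/crl/%3.crl"

PUBLISH = 1       # CRL file is written to this location on every publication
IN_CERT_CDP = 2   # URL is placed in the CDP extension of issued certificates


def parse_cdp(value):
    """Split a CRLPublicationURLs value into ordered entries."""
    entries = []
    for raw in value.split(r"\n"):
        options, _, url = raw.partition(":")
        number = int(options)
        if re.match(r"[A-Za-z]:\\", url):
            scheme = "file"            # drive-letter path on the CA itself
        else:
            scheme = url.split(":", 1)[0].lower()
        entries.append({
            "options": number,
            # The option number is a sum of power-of-two values.
            "bits": [b for b in (1, 2, 4, 8, 16, 32, 64, 128) if number & b],
            "scheme": scheme,
            "url": url,
            "file_name": re.split(r"[\\/]", url)[-1],
            # %N replacement variables used in the URL, in order of appearance.
            "tokens": [int(t) for t in re.findall(r"%(\d+)", url)],
        })
    return entries


def cert_cdp_order(entries):
    """URLs that end up in issued certificates, in the order clients try them."""
    return [e["url"] for e in entries if e["options"] & IN_CERT_CDP]


def review(entries):
    """Hypothetical pre-deployment checks on a parsed value."""
    findings = []
    published = {e["file_name"] for e in entries if e["options"] & PUBLISH}
    if not published:
        findings.append("no entry publishes the CRL")
    for e in entries:
        if not e["options"] & IN_CERT_CDP:
            continue
        if e["scheme"] == "file":
            # A path on the CA's own disk is useless to a remote client.
            findings.append("local path in issued certificates: " + e["url"])
        elif e["scheme"] in ("http", "https") and e["file_name"] not in published:
            # The web URL must serve a file that some entry actually writes.
            findings.append("no published file named %s for %s"
                            % (e["file_name"], e["url"]))
    return findings


if __name__ == "__main__":
    for value in (SAMPLE, BROKEN):
        parsed = parse_cdp(value)
        print(cert_cdp_order(parsed), review(parsed))
```

For the value from the article, clients are handed the LDAP URL first and the HTTP URL second, and the HTTP file name matches the file written to the CertEnroll folder, so the web server only has to serve that folder.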

CDP variables

Variable | Name | Description
%1 | ServerDNSName | The CA computer’s Domain Name System (DNS) name
%2 | ServerShortName | The CA computer’s NetBIOS name
%3 | CA Name | The CA’s logical name
%6 | ConfigDN | The Lightweight Directory Access Protocol (LDAP) path of the forest’s configuration naming context
%8 | CRLNameSuffix | The CRL’s renewal extension
%9 | DeltaCRLAllowed | Indicates whether delta CRLs are supported by the CA
%10 | CDPObjectClass | Indicates that the object is a CDP object in AD DS

CRL Publication options

How to add a CDP

Command:

Add-CRLDistributionPoint [-InputObject] <CRLDistributionPoint[]> [-URI] <String[]> [<CommonParameters>]

Parameters:

-InputObject <CRLDistributionPoint[]>  -> Specifies the CRLDistributionPoint object to which new CRL distribution points are added

[-URI] <String[]>  -> This specifies new CRL file publishing distribution points for a particular CA.

<CommonParameters> : The cmdlet supports common parameters like: Debug (db), ErrorAction (ea), ErrorVariable (ev), InformationAction (infa), InformationVariable (iv), OutVariable (ov), OutBuffer (ob), PipelineVariable (pv), Verbose (vb), WarningAction (wa), WarningVariable (wv)

Conclusion

The CRL distribution point (CDP) is an X.509 version 3 certificate extension that identifies the location of the Certificate Revocation List (CRL) from which the revocation of the requested certificate can be checked.

The application that processes the certificate can get the location of the CRL from this extension, download the CRL and thereafter validate the revocation status of the requested certificate.

Why You Need To Enable Secure Boot In Your PC Right Now?

Protecting your online environment in today’s world has never been more necessary. COVID-19 has caused many organizations to rethink how they secure their network and Internet of Things (IoT) devices within that network. To begin the process of protecting IoT devices and Personal Computers in your network, you can start with Secure Boot. Much like the code signing process, Secure Boot verifies that the signatures and keys used by the boot hardware and the OS software are all valid and have not been tampered with.

What is Secure Boot exactly?

Secure Boot works by authenticating the code and boot images used by the operating system against the hardware before they are allowed to boot up the system. They are authenticated against the hardware because the hardware is pre-configured to authenticate code using trusted credentials. This ensures that the images and code have not been tampered with or changed by threat actors attempting to utilize malware to infect your network or devices in your network. As you can tell, this makes enabling Secure Boot in devices on a network significant, as it thwarts many common malware attacks.

When dealing with malicious threat actors, many malware attacks will change Operating System code, or install a new boot loader, so that when a system is rebooted, their malware will be launched and spread throughout the device. Enabling Secure Boot will ensure this does not occur, as the bootloader will not have a valid key and signature matching the hardware, thus Secure Boot will stop the boot-up process. If malware got through, in the case that Secure Boot was not enabled, then an organization could face massive repercussions, such as losing millions of dollars or vital information that they would otherwise not want public.

How does Secure Boot work?

The process behind Secure Boot is not as complicated as you may think it would be. When a device with Secure Boot enabled is turned on, the first step in the process is that the CPU Internal Bootloader verifies the authenticity of the bootloader. This is done by comparing the signature generated by the manufacturer’s private key to the public key embedded in the device. When working with code signing and Secure Boot, an asymmetric encryption process is used for validation of manufacturer and software authenticity.

The process of asymmetric encryption works by first generating two mathematically linked keys, a public key and a private key. The private key is kept secret, known only to the keys’ creator, and the public key is known to anyone. Since these keys are mathematically linked, a piece of software can be signed by the private key and that signature can be verified by the public key. This identifies that the software in question was created by the key owner and has not been tampered with.

The next step in the Secure Boot process is verifying the authenticity of the Operating System and any applications that are started at boot. Using the same process as the first step, the embedded public key is used to verify that the Operating System and applications are valid. Once all these different parts of the boot-up process are verified for authenticity, the device can be booted up and run normally. If, at any step in this process, the Operating System, bootloader, or any applications are found to not match the embedded public key, then the boot-up process stops, and remediation steps are taken.
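
The verification chain described above can be simulated in a few lines. This is an added example, not code from the original article or from any firmware: it uses unpadded textbook RSA over small known primes purely as a stand-in for the manufacturer’s key pair, and the stage names, image bytes and the second (attacker) key are constructed.

```python
import hashlib

# Toy textbook RSA over known Mersenne primes: far too small and unpadded for
# real use. It only stands in for the manufacturer's signing key pair.
E = 65537
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                              # public modulus, embedded in the device
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, kept by the manufacturer

# A second, unrelated key pair: what malware would have to sign with.
ATT_P, ATT_Q = 2**107 - 1, 2**61 - 1
ATT_N = ATT_P * ATT_Q
ATT_D = pow(E, -1, (ATT_P - 1) * (ATT_Q - 1))


def digest(image, modulus):
    """SHA-256 of the image, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % modulus


def sign(image, d=D, n=N):
    """Signing side: needs the private exponent."""
    return pow(digest(image, n), d, n)


def verify(image, signature):
    """Device side: uses only the embedded public key (N, E)."""
    return pow(signature, E, N) == digest(image, N)


def secure_boot(stages):
    """stages: ordered (name, image, signature) tuples. Returns (booted, log).

    Each stage is checked before it would be executed; the first mismatch
    stops the boot, so later stages are never reached.
    """
    log = []
    for name, image, signature in stages:
        if not verify(image, signature):
            log.append(name + ": signature mismatch, boot stopped")
            return False, log
        log.append(name + ": verified")
    return True, log


def build_chain():
    """Constructed images, signed by the manufacturer key."""
    images = [("bootloader", b"constructed bootloader image v1"),
              ("operating system", b"constructed kernel image v1"),
              ("startup application", b"constructed agent v1")]
    return [(name, image, sign(image)) for name, image in images]


def tamper(stages, name, extra=b" + modified after signing"):
    """Copy of the chain in which one image was changed but not re-signed."""
    return [(n, (img + extra) if n == name else img, sig)
            for n, img, sig in stages]


def replace_bootloader(stages):
    """Copy of the chain whose bootloader is new and signed with another key."""
    new_image = b"constructed replacement bootloader"
    replaced = ("bootloader", new_image, sign(new_image, ATT_D, ATT_N))
    return [replaced] + list(stages[1:])


if __name__ == "__main__":
    chain = build_chain()
    for case in (chain, tamper(chain, "operating system"),
                 replace_bootloader(chain)):
        print(secure_boot(case))
```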

Roadblocks for Secure Boot

Since Secure Boot utilizes a process very similar to code signing, they face many of the same problems. The most pressing issue is protection of the asymmetric signing keys that are used in the Secure Boot process. I mentioned previously that part of the Secure Boot process is that the public key of the public/private key pair is embedded in the software, and what I mean by this is that there is a certificate that was generated through the use of that public key. This digital certificate, much like a code signing certificate, contains the public key’s information and is signed by the private key, thus allowing for the matching of key information between the public and private keys. Protecting these keys is the first major issue many organizations may face.

If the private key used to sign the digital certificate is compromised by a malicious threat actor, they can then use that certificate to pass bootloaders or Operating System code through the Secure Boot process successfully, thus allowing them to infect users with malware. Protecting these keys properly can be done with either hardware or software based key storage methods.

Software based storage is not the strongest method of protecting encryption keys, as the keys can still be taken from the storage method. Hardware based key storage methods, like hardware security modules, protect keys with a much stronger method, as compared to software-based key storage methods. Hardware Security Modules, or HSMs, are tamper-evident and tamper-proof, thus protecting encryption keys much more reliably.

Another way to protect data, besides Secure Boot, is to set strong encryption policies within your organization. These policies provide uniformity across your organization, thus allowing the different teams within your organization to follow similar protection methods. Additionally, implementing Intruder Protection Systems (IPS) and Intruder Detection Systems (IDS), securing your code at the source, and using organizations like Encryption Consulting to identify gaps in your security systems are other ways to protect data in your organization.

Conclusion

At the end of the day, enabling Secure Boot on all of the devices in your organization is a great way to start defending your network from malicious threat actors. Secure Boot provides a built-in method of checking your Operating System and bootloader for malicious code, thus allowing you to feel secure in the device you are using. Other methods, like setting up IPS and IDS or having a third-party assess your security plans, can work hand-in-hand with Secure Boot to provide you with the best possible security systems for your home or enterprise network. To learn more about how Encryption Consulting can help, visit www.encryptionconsulting.com.

How Can You Develop a Secure Data Protection Architecture in Cloud?

Cloud computing is increasingly being adopted by many organizations today. It offers convenient access to a shared pool of computing resources like infrastructure, platforms, storage, data, software, and applications as a service to its users. Many organizations are moving to the cloud, as it helps in collaboration, improves scalability, availability, flexibility, and productivity, along with reduced operational costs.

Gartner has predicted that spending on public cloud services will grow by 23.1% in 2021 to a total of $332.3 billion. The COVID-19 pandemic and shift to remote working has forced companies to move their workloads from on-premises to the cloud. Apart from this, many emerging technologies such as containerization, edge computing, and analytics are driving the additional growth of cloud computing.

Cloud computing provides multiple advantages, but there are still many security issues that are of great concern to organizations. Organizations are saving their critical applications and customer’s personal data in the cloud, and securing those applications and data is critical for their business. There have been multiple security incidents in the past few years where companies failed to secure customer’s sensitive data in the cloud.

In January 2020, over 250 million Microsoft customer records were exposed online without proper protections. In 2021, a massive data leak exposed LinkedIn profiles of 700 million users. The personal data of the affected users was put up for sale on a dark web forum. The exposed data included Personally Identifiable Information (PII) of users such as Full Names, email addresses, home addresses, phone numbers etc.

Along with the organizations, the focus of hackers has also shifted from on-premises data to cloud data. According to a survey, almost every organization has experienced a cloud data breach in the past 18 months. Gartner has stated in its cloud security assessment report that by 2025 99% of the cloud security failures will be due to the security issues on the customer’s side rather than the cloud provider side.

In the current scenario, if businesses want to expand their cloud usage, they need to protect the sensitive data in the cloud and strengthen the overall cloud data security. If companies want to benefit from cloud computing, alongside securing customer’s data and trust, they need to develop a secure architecture for data protection in the cloud.

Tailored Cloud Key Management Services

We assess, strategize & implement data protection strategies and solutions customized to your requirements.

Organizations’ Concerns for cloud data security

When an organization moves its sensitive data to the cloud, it has many concerns and questions related to the storage and protection of data in the cloud. Some of these concerns are:

  • Does the cloud provider have sufficient security capabilities and supported technologies?
  • Is the cloud provider adhering to the needed compliance regulations and specifications?
  • What are the security protocols being used by the cloud provider?
  • How is the cloud provider storing data?
  • Is the cloud provider saving the sensitive data on the same physical host with other tenants?
  • Is the cloud provider ensuring the physical security of the servers storing the data?
  • Does the cloud provider have access to the organization’s data?
  • Does the cloud provider protect the data at rest as well as in-transit?
  • What are the different encryption technologies the cloud provider is using?
  • Does the cloud provider have access to the encrypted data?
  • How are the encryption keys stored and protected?
  • Does the cloud provider have access to the encryption keys?
  • How are the encryption keys refreshed and rotated?
  • Does the cloud provider follow breach notifications as per company’s policies and standards?
  • How to manage data across multi-cloud environments?
  • How to protect data in multi-cloud environment?
  • How to manage keys in multi-cloud environment?

Developing Architecture for Data Protection

Cloud customers need to take control of securing their sensitive data in the cloud rather than relying only on the cloud provider to protect their data. Organizations should ensure that the cloud data protection architecture satisfies the below recommendations:

  1. Sensitive data is protected at rest, in transit and in use.
  2. Sensitive data should always be encrypted at the organization side before it is transmitted to the cloud for storage.
  3. The encryption keys should be controlled by the organization and not the cloud provider.

Encryption keys are a fundamental component of any cryptographic system, and they should always be protected from unauthorized access. In data encryption, key management is the most difficult part, and it becomes even more complex in cloud and multi-cloud environments. Key management refers to the management of encryption keys. It includes key generation, key storage, key rotation, key usage, key access, and key destruction.

A key management service allows the customers to manage their own keys that are used to encrypt the data in the cloud. Most of the cloud providers provide Key Management services. Organizations can use cloud-based encryption in which the cloud provider generates and manages the keys that are used to encrypt and decrypt the data.

Organizations can use Bring Your Own Key (BYOK), in which they generate and manage the encryption keys, but the cloud provider has access to the keys. Organizations can also generate, manage, and store their encryption keys in their own environments, so that the cloud provider does not have any access to the keys.

To take advantage of the various cloud tools and platforms, organizations need to create a data-centric security strategy to protect their sensitive data in the cloud. It is impossible to develop a single data-protection solution for the cloud as it involves multiple aspects.

Security of the data needs to be analyzed from multiple aspects, and a robust and secure cloud data protection architecture should be created. Organizations need to understand the built-in security provided by the cloud providers and how to use it to their advantage. Most cloud providers offer both at-rest and in-transit encryption that can be used to secure data in the cloud. Strong access controls and password policies must be implemented to secure the data.
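The three architecture recommendations above, as an added Go example (not code from this article or from any cloud provider): each object is encrypted on the organization's side under a fresh data key, and that data key is wrapped under a key-encryption key (KEK) that the organization keeps. The key IDs, object name, record and function names are constructed for illustration, and the in-memory keyring stands in for an HSM or on-premises key manager.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sealedObject is all that leaves the organization: no plaintext, no usable key.
type sealedObject struct {
	KEKID      string // which key-encryption key wrapped the DEK
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, data)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob shorter than a nonce")
	}
	return aead.Open(nil, blob[:n], blob[n:], aad)
}

// encryptForUpload encrypts data under a fresh per-object data key (DEK) and
// wraps the DEK under the KEK. name is bound in as associated data.
func encryptForUpload(kekID string, kek []byte, name string, data []byte) (sealedObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return sealedObject{}, err
	}
	ct, err := seal(dek, data, []byte(name))
	if err != nil {
		return sealedObject{}, err
	}
	wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return sealedObject{}, err
	}
	return sealedObject{kekID, wrapped, ct}, nil
}

func decryptDownload(keyring map[string][]byte, name string, s sealedObject) ([]byte, error) {
	// An unknown or retired KEK id yields a nil key, which fails with a key-size error.
	dek, err := open(keyring[s.KEKID], s.WrappedDEK, []byte(name))
	if err != nil {
		return nil, err
	}
	return open(dek, s.Ciphertext, []byte(name))
}

// rotateKEK re-wraps only the small DEK; the stored ciphertext is untouched.
func rotateKEK(keyring map[string][]byte, newID, name string, s sealedObject) (sealedObject, error) {
	dek, err := open(keyring[s.KEKID], s.WrappedDEK, []byte(name))
	if err != nil {
		return sealedObject{}, err
	}
	wrapped, err := seal(keyring[newID], dek, []byte(name))
	if err != nil {
		return sealedObject{}, err
	}
	return sealedObject{newID, wrapped, s.Ciphertext}, nil
}

func main() {
	// Constructed keys and record; real KEKs live in an HSM or key manager.
	keyring := map[string][]byte{"kek-1": make([]byte, 32), "kek-2": make([]byte, 32)}
	rand.Read(keyring["kek-1"])
	rand.Read(keyring["kek-2"])
	s, _ := encryptForUpload("kek-1", keyring["kek-1"], "crm/42", []byte("constructed record"))
	s, _ = rotateKEK(keyring, "kek-2", "crm/42", s)
	delete(keyring, "kek-1") // retire the old key
	out, err := decryptDownload(keyring, "crm/42", s)
	fmt.Println(string(out), err)
}
```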

Conclusion

Encryption Consulting can help you identify and secure your sensitive data in the cloud, understand and utilize the data protection methods provided by the cloud providers, manage your keys in multi-cloud environments, adhere to privacy regulations and compliance requirements, and strengthen your organization’s cloud data security.

Is Your Organization Updated With The Best Practices of Kubernetes Security?

Kubernetes is an open-source container-orchestration system used to automate deploying, scaling, and managing containerized applications. Kubernetes manages all elements that make up a cluster, from each microservice in an application to entire clusters. Running containerized applications as microservices can give organizations more flexibility and security benefits than monolithic software platforms, but it also introduces other complexities.

Kubernetes security is essential for protecting the integrity, confidentiality, and availability of containerized applications orchestrated by Kubernetes. Organizations worldwide are choosing Kubernetes to manage their cloud-native environments, making it imperative to ensure robust security measures. The complexity of Kubernetes introduces various vulnerabilities and threats and requires that we adopt newer strategies to secure the dynamic environment of containerization. Yes, it does seem daunting, especially if you’re just getting started, but if you or your organization are using Kubernetes to deploy applications, it is important that you implement security practices that can shield against unauthorized access, data breaches, and misconfigurations. Effective Kubernetes security will help you maintain compliance with regulatory standards, protect sensitive data, and minimize the risk of costly security incidents.

Recommendations

We have compiled some Kubernetes security best practices to simplify securing your clusters. Let’s dive right in!

  1. Kubernetes Pod security
    1. Containers built to run applications should run as non-root users
    2. Run containers with immutable file systems whenever possible
    3. Regularly scan container images for potential vulnerabilities or misconfigurations
    4. Use Pod Security Policies to enforce a minimum level of security, including:
      1. Preventing privileged containers
      2. Denying container features that are frequently exploited to break out, like hostPID, hostIPC, hostNetwork, allowedHostPaths
      3. Rejecting containers that execute as root user or allow elevation to root
  2. Network separation and hardening
    1. Lock down access to the control plane nodes using a firewall and RBAC (Role-Based Access Control)
    2. Limit access to the Kubernetes etcd server
    3. Configuring control plane components to use authenticated, encrypted communications using TLS/SSL certificates
    4. Set up network policies to isolate resources. Pods and services in different namespaces can communicate unless additional separation is applied, such as network policies.
    5. All credentials and sensitive information should be placed in Kubernetes Secrets rather than in configuration files. Encrypt Secrets using a robust encryption method
  3. Authentication and authorization
    1. Disable anonymous login
    2. Using strong user authentication
    3. Create RBAC policies that limit administrator, user, and service account activity
  4. Log auditing
    1. Enable audit logging
    2. Persist logs to ensure availability in case of pod, node, or container level failure
    3. Configuring a metrics logger
  5. Upgrading and application security practices
    1. Immediately apply security patches and updates
    2. Performing periodic vulnerability scans and penetration tests
    3. Removing components from the environment when they are no longer needed

Tailored Encryption Services

We assess, strategize & implement encryption strategies and solutions.

Architectural overview

Kubernetes uses a cluster architecture. A Kubernetes cluster comprises many control planes and one or more physical or virtual machines called worker nodes. Worker nodes host Pods, which contain one or more containers. A container is an executable image that includes a software package and all its dependencies.

The control plane makes decisions about clusters. This includes scheduling the running of containers, detecting/responding to failures, and starting new Pods if the number of replicas listed in the deployment file is unsatisfactory.

Here is a brief overview of the key components of Kubernetes architecture:

Master Node: The control plane responsible for managing the cluster. It includes:

  • API Server: The central component that exposes the Kubernetes API. It enforces authentication and authorization, serving as the gateway for all interactions with the cluster.
  • etcd: A distributed key-value store that holds the cluster’s state and configuration data. Securing etcd is crucial, as it stores sensitive information, including secrets.
  • Controller Manager: Manages controllers that regulate the state of the cluster. It ensures that the desired state defined by the user matches the current state of the system.
  • Scheduler: Assigns pods to nodes based on resource availability and other constraints. Security policies can influence scheduling decisions.

Worker Nodes: These host the actual containers. Each worker node includes:

  • Kubelet: An agent that communicates with the API server and manages the lifecycle of containers on the node. It can enforce security contexts to define security settings for pods.
  • Kube-Proxy: Manages network routing to ensure that requests are directed to the appropriate pods. Network policies can be implemented to control traffic between pods.
  • Container Runtime: The software responsible for running containers (e.g., Docker, containerd). It should be secured to prevent container escapes.

Securing Pods in Kubernetes

Pods consist of one or more containers and are the smallest deployable Kubernetes unit. Pods can often be a cyber actor’s initial execution environment upon exploiting a container. Pods should be hardened to make exploitation much more complex and to limit the impact of a compromise.

“Non-root” and “rootless” container engines

Many container services run as privileged root users, and applications can execute inside the container as root despite not requiring privileged execution. Preventing root execution using non-root containers or a rootless container engine limits the impact of a container compromise. These methods affect the runtime environment significantly; thus, applications should be tested thoroughly to ensure compatibility.

Non-root containers

Container engines allow containers to run applications as non-root users with non-root group membership. This non-default setting is configured while building the image.

Rootless container engines

Some container engines can run in an unprivileged context rather than using a daemon running as root. For this scenario, execution would appear to use the root user from the containerized application’s perspective, but the execution is remapped to the engine’s user context on the host.

Immutable container file systems

Containers are permitted mostly unrestricted execution within their context. A threat actor who has gained execution in a container can create files, download scripts, and modify applications within the container. Kubernetes can lock down a container’s file system, thereby preventing many post-exploitation activities. These limitations can also affect legitimate container applications and can potentially result in crashes or abnormal behavior. To avoid damaging legitimate applications, Kubernetes administrators can mount secondary read/write file systems for specific directories where applications require write access.

Building secure container images

Container images are usually created by either building a container from scratch or building on top of an existing image pulled from a repository. Even after using trusted repositories to build containers, image scanning is key to ensuring deployed containers are secure. Images should be scanned throughout the container build workflow to identify outdated libraries, known vulnerabilities, or misconfigurations, such as insecure ports or permissions.

One approach for implementing image scanning is to use an admission controller. An admission controller is a Kubernetes-native feature that can intercept and process requests to the Kubernetes API before the object is persisted but after the request is authenticated and authorized. A custom webhook can be implemented to scan any image before deploying it in the cluster. The admission controller can block a deployment if the image doesn’t comply with the security policies defined in the webhook configuration.
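An added example, not taken from this article or from Kubernetes itself: the policy check a validating admission webhook could run on each Pod, covering the Pod security rules listed under Recommendations (host namespaces, hostPath volumes, privileged containers, privilege escalation, writable root file systems, root users). The Go type and function names and the sample request are constructed; PodSecurityPolicy was removed in Kubernetes 1.25, so checks like these now live in an admission webhook or the built-in Pod Security admission controller.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Trimmed Pod schema: real Kubernetes JSON field names, hypothetical Go names.
type secCtx struct {
	Privileged               *bool  `json:"privileged"`
	AllowPrivilegeEscalation *bool  `json:"allowPrivilegeEscalation"`
	ReadOnlyRootFilesystem   *bool  `json:"readOnlyRootFilesystem"`
	RunAsNonRoot             *bool  `json:"runAsNonRoot"`
	RunAsUser                *int64 `json:"runAsUser"`
}

type container struct {
	Name            string `json:"name"`
	SecurityContext secCtx `json:"securityContext"`
}

type podSpec struct {
	HostPID         bool   `json:"hostPID"`
	HostIPC         bool   `json:"hostIPC"`
	HostNetwork     bool   `json:"hostNetwork"`
	SecurityContext secCtx `json:"securityContext"`
	Volumes         []struct {
		Name     string                 `json:"name"`
		HostPath map[string]interface{} `json:"hostPath"`
	} `json:"volumes"`
	InitContainers []container `json:"initContainers"`
	Containers     []container `json:"containers"`
}

func isTrue(b *bool) bool { return b != nil && *b }

// violations returns one message per broken rule; empty means compliant.
func violations(s podSpec) []string {
	var v []string
	if s.HostPID || s.HostIPC || s.HostNetwork {
		v = append(v, "pod shares a host namespace")
	}
	for _, vol := range s.Volumes {
		if vol.HostPath != nil {
			v = append(v, "volume "+vol.Name+" mounts a hostPath")
		}
	}
	all := append(append([]container{}, s.InitContainers...), s.Containers...)
	for _, c := range all {
		sc := c.SecurityContext
		// Container-level user settings override the Pod-level ones.
		uid, nonRoot := sc.RunAsUser, sc.RunAsNonRoot
		if uid == nil {
			uid = s.SecurityContext.RunAsUser
		}
		if nonRoot == nil {
			nonRoot = s.SecurityContext.RunAsNonRoot
		}
		if isTrue(sc.Privileged) {
			v = append(v, c.Name+": privileged")
		}
		if sc.AllowPrivilegeEscalation == nil || *sc.AllowPrivilegeEscalation {
			v = append(v, c.Name+": allowPrivilegeEscalation is not false")
		}
		if !isTrue(sc.ReadOnlyRootFilesystem) {
			v = append(v, c.Name+": root file system is writable")
		}
		if (uid != nil && *uid == 0) || (uid == nil && !isTrue(nonRoot)) {
			v = append(v, c.Name+": may run as root")
		}
	}
	return v
}

// admit maps an AdmissionReview request to response.allowed and status.message.
func admit(body []byte) (bool, string, error) {
	var in struct {
		Request struct {
			Object struct {
				Spec podSpec `json:"spec"`
			} `json:"object"`
		} `json:"request"`
	}
	if err := json.Unmarshal(body, &in); err != nil {
		return false, "", err
	}
	v := violations(in.Request.Object.Spec)
	return len(v) == 0, strings.Join(v, "; "), nil
}

// Constructed sample request, not captured from a real cluster.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview",
 "request":{"uid":"constructed-1","object":{"kind":"Pod","spec":{"hostPID":true,
 "containers":[{"name":"web","securityContext":{"privileged":true}}]}}}}`

func main() {
	fmt.Println(admit([]byte(sampleReview)))
}
```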

How can Encryption Consulting help?

Encryption Consulting offers encryption advisory services to help your organization adhere to regulatory requirements and create a comprehensive encryption plan that fits your needs. We put encryption systems in place for databases, disk storage, and other special cases, making sure both data-at-rest and data-in-transit remain secure. Our experts develop policies, standards, and program structures to allow encryption throughout your organization. By analyzing your platforms and applications, we create a decision guide to help you choose the right encryption methods and solutions.

Conclusion

This was an introduction to properly managing and securing Kubernetes clusters and securely deploying them in your environment. In the current world of constant technological advancement and cyber threats, the security of an application cannot be assured without securing the Kubernetes environment within which it operates. Remember, a well-secured Kubernetes cluster not only safeguards your infrastructure but also builds trust with your users, allowing your organization to thrive in a competitive environment.

Your Guide For SSL/TLS Certificates

Whatever information we send or receive on the Internet passes through multiple computer networks to reach its destination. Any of the computers along the way can see your data if it is not encrypted, whether it is private messages, financial messages, or login credentials. To protect this data, new Internet protocols were developed: Transport Layer Security (TLS), which is widely used today, was preceded by the Secure Sockets Layer (SSL).

Before knowing about TLS Certificates, we should know about TLS:

About TLS

TLS stands for Transport Layer Security. It is a cryptographic protocol that verifies the identity of the server and establishes an encrypted session between two computers, that is, between applications communicating over the Internet.

TLS uses a combination of both symmetric and asymmetric cryptography, as this provides a reasonable compromise between performance and security when transmitting data securely.

TLS certificates usually contain the following information:

  • The subject domain name
  • The subject organization
  • The name of the issuing CA
  • The Public Key.
  • Additional subject domain names, including subdomains.
  • Issue date
  • Expiry date
  • The digital signature of the CA

Working of TLS Certificate

When a user connects to a server, the server sends its TLS certificate. To establish a secure connection, the user’s device verifies the server’s certificate using the CA certificates it holds. Generally, public-key cryptography, such as RSA, is used in this verification process to prove that the CA signed the certificate. If you trust the CA, this demonstrates that you are communicating with the server certificate’s subject.

Does this imply we are using a fully secured process?
Yes, to some extent, but not always, which brings us to the disadvantages of TLS certificates.

Disadvantages of TLS Certificate

Generally, TLS certificates are considered to be secure, but there are ways by which imposters can attack and compromise TLS:

  • By Attacking CAs directly

    A CA must be secured for TLS certification to function appropriately; any breach of a CA could lead to incorrect authorization of keys.
  • By mistakenly issued certificates

    Sometimes a certificate is issued by mistake, which creates a vulnerability that hackers can exploit, because a customer generally trusts CAs to authenticate the server they want to connect to. On an insecure internet connection, this could lead to disaster: an attacker can use a mis-issued certificate in their favor and compromise your connection with the server.

  • Certificate store poisoning

    If an imposter gets into your system, they can gain access to the digital certificates stored on that device and insert a root certificate that allows them to impersonate a website and read all data sent to it.
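The verification steps from "Working of TLS Certificate" and the trust-store dependency described above, as an added Go example (not from the original article): it builds two throwaway CAs in memory and checks a wildcard certificate against host names, expiry and the set of trusted roots. All names and certificates are constructed at run time and nothing is fetched from the network; the final check shows why the integrity of the root store is worth monitoring.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authority is a throwaway in-memory certificate together with its key.
type authority struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign creates a certificate from tmpl; a nil parent means self-signed.
func sign(tmpl *x509.Certificate, parent *authority) (*authority, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl.NotBefore = time.Now().Add(-time.Hour)    // issue date
	tmpl.NotAfter = time.Now().Add(24 * time.Hour) // expiry date
	issuerCert, issuerKey := tmpl, key
	if parent != nil {
		issuerCert, issuerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &authority{cert, key}, err
}

func newCA(name string) (*authority, error) {
	return sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
}

// issue returns a server certificate for dnsNames, signed by ca.
func (ca *authority) issue(dnsNames ...string) (*x509.Certificate, error) {
	leaf, err := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0], Organization: []string{"Constructed Org"}},
		DNSNames:     dnsNames,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
	if err != nil {
		return nil, err
	}
	return leaf.cert, nil
}

// verify does what a TLS client does with the server's certificate: chain it
// to a trusted root, check the validity window, and match the host name.
func verify(leaf *x509.Certificate, host string, at time.Time, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: at})
	return err
}

func main() {
	trusted, _ := newCA("Constructed Trusted Root")
	rogue, _ := newCA("Constructed Rogue Root")
	leaf, _ := trusted.issue("*.example.com")
	forged, _ := rogue.issue("shop.example.com")
	now := time.Now()
	fmt.Println("issuer:", leaf.Issuer.CommonName, "names:", leaf.DNSNames, "expires:", leaf.NotAfter)
	fmt.Println("shop.example.com        ->", verify(leaf, "shop.example.com", now, trusted.cert))
	fmt.Println("a.b.example.com         ->", verify(leaf, "a.b.example.com", now, trusted.cert))
	fmt.Println("example.com             ->", verify(leaf, "example.com", now, trusted.cert))
	fmt.Println("two days from now       ->", verify(leaf, "shop.example.com", now.Add(48*time.Hour), trusted.cert))
	fmt.Println("other CA, clean store   ->", verify(forged, "shop.example.com", now, trusted.cert))
	fmt.Println("other CA, root inserted ->", verify(forged, "shop.example.com", now, trusted.cert, rogue.cert))
}
```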

SSL Certificates

An SSL certificate is a data file that contains the public key, the identity of the website owner, and some other information. It is a file that is installed on the website’s origin server. A website’s traffic can’t be encrypted with TLS without an SSL certificate.

Any website owner can create their own self-signed certificate. Still, browsers don’t consider a self-signed certificate as secure as a certificate issued by a certificate authority.

Types of SSL Certificates

SSL certificates are available at several validation levels:

  • Domain validated certificate:

    The primary purpose of a domain validated (DV) certificate is to make a secure connection between the domain’s web server and the browser. A DV certificate requires the lowest level of validation: the CA only verifies that the owner has control over the domain.

  • Organization validation certificates:

    The CA checks an organization’s right to use the domain and organization information in organization validated certification. OV certificate requires a medium-level validation, and it increases the trust level of the organization and its domain.

  • Extended validated certificates:

    In extended validated certification, CA conducts rigorous background checks on the organization based on guidelines that include verification of the entity’s legal, physical, and operational existence. EV certificates require high-level validation.

Enterprise PKI Services

Get complete end-to-end consultation support for all your PKI requirements!

Use of Encryption by SSL/TLS

The SSL/TLS protocol is used to encrypt internet traffic of every kind, making secure internet communication and internet commerce possible. Encryption is used as it increases the integrity and confidentiality of message transfer. This is necessary because, if your data is not encrypted, anyone can see your transmission and tamper with your confidential data.

SSL/TLS uses both asymmetric as well as symmetric methods of encryption. SSL uses symmetric encryption to encrypt data between the browser and web server. In contrast, asymmetric encryption is used to exchange generated symmetric keys which validate the identity of the client and server.

Asymmetrical cryptography is the safest method of encryption; it requires two cryptographic keys: public and private. This process is complex as it uses mathematical formulas that are difficult to reverse-engineer by brute force.

Encryption using symmetrical cryptography is relatively much less intensive as compared to asymmetric cryptography.

How to know if Your site contains an SSL certificate

To check whether your website has an SSL certificate, look for the following indicators:

  • A trust seal.
  • A green address bar when an EV SSL certificate is issued.
  • Padlock to the left of a URL.
  • An https URL prefix instead of http.

Conclusion:

TLS is a cryptographic protocol that establishes an encrypted session between applications over the Internet. It uses a combination of symmetric and asymmetric cryptography. The server sends a TLS Certificate if a user connects to a server. To establish a secure connection, the user verifies the server’s certificates on the user’s device using CA certificates.

There are a few disadvantages of TLS certificates: attacking CAs directly, mistakenly issued certificates, and certificate store poisoning. An SSL certificate is a data file containing the public key, the identity of the website owner, and some other information; it is a file installed on the website’s origin server. SSL/TLS uses both asymmetric and symmetric methods of encryption.

SSL uses symmetric encryption to encrypt data between the browser and web server. In contrast, asymmetric encryption is used to exchange generated symmetric keys which validate the identity of the client and server.

How to access Certificate’s private key in .NET Framework?

In this discussion whiteboard, let us understand what is an e-signature? What is digital signature? What is meant by electronic signature? Are both the signatures similar or different? Which signature is more secure and what are various use cases for digital signature as well as electronic signatures? How is code signing relevant to digital signature? What is Encryption Consulting’s CodeSign Secure and how is it relevant to your organization? Let’s get into the topic to understand responses to these questions:

If you are new to the concept of e-signatures, there is a high chance of confusing “Digital signature” with “Electronic signature”. Quite often you will encounter people using the terms digital signature and electronic signature interchangeably, which is not completely correct, as there are some key differences between these two types of e-signatures. The major difference is security: digital signatures are mainly used to secure documentation and provide authorization, as they are authorized by Certificate Authorities (CAs), whereas electronic signatures only provide the intent of the signer. Let us first understand what a digital signature and an electronic signature are.

What is a Digital Signature?

A digital signature is a type of electronic signature, as both are meant to be used for document signing, except that digital signatures are more secure and authentic. With a digital signature, the signer of the document is required to have a Public Key Infrastructure (PKI) based digital certificate, authorized by a certificate authority, linked to the document. This provides authenticity to the document as it is authorized by trusted certificate authorities.

Let us understand digital signatures in a simple way by taking paper-based documents as an example. There are usually two concerns when you are involved in a documentation process: one is the authenticity of the person signing the contract, and the other is whether the document’s integrity is protected without any tampering. To overcome these concerns, we have notaries in place to provide authorization and safeguard the integrity of the document.

Similar to the notary in physical contracts we have certificate authorities (CAs) authorizing digital signatures with PKI based digital certificates. In digital signatures, a unique fingerprint is formed between the digital document and the PKI based digital certificate which is leveraged to achieve the authenticity of the document and its source, assurance of tamper proof document.

Currently there are two major document processing platforms which provide digital signature service with strong PKI based digital certificates:

  • Adobe Signature
  • Microsoft Word Signature

Adobe Signature

There are two types of signatures provided by Adobe: Certified and Approval signatures. A Certified signature is used for authentication purposes, where a blue ribbon is displayed at the top of the document indicating the actual author of the document and the issuer of the PKI based digital certificate. An Approval signature, on the other hand, captures the physical signature of the issuer or author and other significant details.

Microsoft Signature

Microsoft supports two types of signatures: visible and invisible. With a visible signature, there is a signature field provided for signing, similar to a physical signature. An invisible signature is more secure as it cannot be accessed or tampered with by unauthorized users. Invisible signatures are commonly used for document authentication and enhanced security.

What is electronic signature?

An electronic signature is not as secure and complex as a digital signature, as there are no PKI based certificates involved. An electronic signature is mainly used to identify the intent of the document issuer or author, and it can take any form, such as an electronic symbol or process. It can be captured as simply as with a check box, as its primary purpose is to capture the intention to sign a contract or document. These signatures are also legally binding. Where a document must be signed by two parties to bind them legally to certain duties, and a high level of security and authorization is not required, electronic signatures are used instead of digital signatures.

Key differences between digital signature and electronic signature

Let us understand the key differences between the two signatures by comparing the crucial parameters in a tabular form.

| Parameter | Digital Signature | Electronic Signature |
|---|---|---|
| Purpose | Main purpose is to secure the document or contract through PKI based digital certificate | Purpose of electronic signature is to verify the document or contract |
| Authorization | Yes. Digital signatures can be validated and verified by certificate authorities providing PKI certificates | No. Usually it is not possible to authorize electronic signatures |
| Security | Comprises of better security features due to digital certificate based authorization | Comprises of less number of security features compared to digital signature |
| Types of Signs | In general two types are available. One by Adobe and other by Microsoft | Main types of electronic signatures are verbal, scanned physical signatures, e-ticks |
| Verification | Yes. Digital signatures can be verified | No. Electronic signatures cannot be verified |
| Focus | Primary focus is to secure the document or contract | Primary focus is to show intention of signing a document or contract |
| Benefits | Preferred majorly more than electronic signature due to high level of security | Easy to use compared to digital signature but less secure |

As per the above comparison it is clearly evident that digital signature takes upper hand compared to electronic signatures. However, while considering the legally binding objective both the signatures will serve the purpose. Digital signatures are now highly preferred due to their enhanced security through PKI based certificates which will provide the much required authorization and integrity of the document.

What is Code Signing?

Code signing is the process of applying a digital signature to any software program that is intended for release and distribution to another party or user, with two key objectives. One is to prove the authenticity and ownership of the software. The second is to prove the integrity of the software i.e. prove that the software has not been tampered with, for example by the insertion of any malicious code. Code signing applies to any type of software: executables, archives, drivers, firmware, libraries, packages, patches, and updates. An introduction to code signing has been provided in earlier articles on this blog. In this article, we look at some of the business benefits of signing code.

Code signing is one type of digital signature based on PKI. It is a process to confirm the authenticity and originality of digital information such as a piece of software code. It assures users that this digital information is valid and establishes the legitimacy of the author. Code signing also ensures that this piece of digital information has not changed or been revoked after it was validly signed. Code signing plays an important role as it enables legitimate software to be distinguished from malware or rogue code. Digitally signed code ensures that the software running on computers and devices is trusted and unmodified.

Software powers your organization and reflects the true value of your business. Protecting the software with a robust code signing process is vital without limiting access to the code, assuring this digital information is not malicious code and establishing the legitimacy of the author.

Encryption consulting’s (EC) CodeSign Secure platform

Encryption Consulting’s (EC) CodeSign Secure platform provides you with the facility to sign your software code and programs digitally. Hardware security modules (HSMs) store all the private keys used for code signing and other digital signatures of your organization. Organizations leveraging the CodeSign Secure platform by EC can enjoy the following benefits:

  • Easy integration with leading Hardware Security Module (HSM) vendors
  • Access to the platform for authorized users only
  • Key management service to avoid any unsafe storage of keys
  • Enhanced performance by eliminating any bottlenecks caused

Why to use EC’s CodeSign Secure platform?

There are several benefits of using Encryption consulting’s CodeSign Secure for performing your code sign operations. CodeSign Secure helps customers stay ahead of the curve by providing a secure Code Signing solution with tamper proof storage for the keys and complete visibility and control of Code Signing activities. The private keys of the code-signing certificate can be stored in an HSM to eliminate the risks associated with stolen, corrupted, or misused keys.

Client-side hashing ensures build performance and avoids unnecessary movement of files to provide a greater level of security. Seamless authentication is provided to code signing clients via the CodeSign Secure platform to make use of state-of-the-art security features, including client-side hashing, multi-factor authentication, device authentication, multi-tier approver workflows, and more.

It supports InfoSec policies to improve adoption of the solution and enables different business teams to have their own workflow for Code Signing. CodeSign Secure is embedded with a state-of-the-art client-side hash signing mechanism resulting in less data travelling over the network, making it a highly efficient Code Signing system for the complex cryptographic operations occurring in the HSM.
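Client-side hash signing as described above, in an added Go example that is not CodeSign Secure's code or API: the build machine hashes the artifact locally and sends only the 32-byte SHA-256 digest to a signer that holds the private key, and any later change to the artifact makes verification fail. The remoteSigner type is a hypothetical stand-in for an HSM-backed signing service, and the artifact bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// remoteSigner stands in for a signing service backed by an HSM: the private
// key never leaves it, and it only ever receives a digest, never the file.
type remoteSigner struct {
	key           *ecdsa.PrivateKey
	bytesReceived int
}

func newRemoteSigner() (*remoteSigner, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &remoteSigner{key: key}, nil
}

// signDigest refuses anything that is not exactly one SHA-256 digest.
func (s *remoteSigner) signDigest(digest []byte) ([]byte, error) {
	if len(digest) != sha256.Size {
		return nil, errors.New("expected a 32-byte SHA-256 digest")
	}
	s.bytesReceived += len(digest)
	return ecdsa.SignASN1(rand.Reader, s.key, digest)
}

// signArtifact runs on the build machine: hash locally, send only the digest.
func signArtifact(s *remoteSigner, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return s.signDigest(digest[:])
}

// verifyArtifact is the check made before the code is installed or run. In a
// real deployment the public key comes from a certificate chained to a CA.
func verifyArtifact(pub *ecdsa.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	signer, err := newRemoteSigner()
	if err != nil {
		panic(err)
	}
	artifact := make([]byte, 1<<20) // constructed 1 MiB build output
	copy(artifact, "constructed installer bytes")
	sig, err := signArtifact(signer, artifact)
	if err != nil {
		panic(err)
	}
	pub := &signer.key.PublicKey
	fmt.Println("artifact bytes:", len(artifact), "bytes sent to signer:", signer.bytesReceived)
	fmt.Println("untouched artifact verifies:", verifyArtifact(pub, artifact, sig))
	artifact[100] ^= 0x01 // a single changed bit after signing
	fmt.Println("modified artifact verifies: ", verifyArtifact(pub, artifact, sig))
}
```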

Explore more about our CodeSign Secure platform features and benefits in the below link:

CodeSigning Solution

Use cases covered as part of Encryption Consulting’s CodeSign Secure platform

There are multiple use cases that can be implemented using the CodeSign Secure platform by Encryption Consulting. The majority of the use cases are relevant to the digital signature concept discussed above. The CodeSign Secure platform will cater to the all-round requirements of your organization. Let us look into some of the major use cases covered under Encryption Consulting’s CodeSign Secure:

  • Code Signing:

    Sign code from any platform, including Apple, Microsoft, Linux, and much more.

  • Document Signing:

    Digitally sign documents using keys that are secured in your HSMs.

  • Docker Image Signing:

    Digital fingerprinting to docker images while storing keys in HSMs.

  • Firmware Code Signing:

    Sign any type of firmware binaries to authenticate the manufacturer to avoid firmware code tampering.

Organizations with sensitive data or patented code and programs can benefit from the CodeSign Secure platform. Online distribution of software is becoming the de facto standard today, considering the speed to market, reduced costs, scale, and efficiency advantages over traditional software distribution channels such as retail stores or software CDs shipped to customers.

Code signing is a must for online distribution. For example, third party software publishing platforms increasingly require applications (both desktop as well as mobile) to be signed before agreeing to publish them. Even if you are able to reach a large number of users, without code signing, the warnings shown during download and install of unsigned software are often enough to discourage the user from proceeding with the download and install.

Encryption Consulting will provide strongly secured keys in FIPS certified encrypted storage systems (HSMs) during the code signing operation. Faster code signing process can be achieved through CodeSign secure as the signing occurs locally in the build machine. Reporting and auditing features for full visibility on all private key access and usage to InfoSec and compliance teams.

Get more information on CodeSign Secure in the datasheet link provided below:

Code Signing Datasheet

Which signature to use for your organization?

This depends solely on the purpose and intent of using the signature in your organization. You might need to perform a clear assessment or approach expert consultants like us, Encryption Consulting, to understand which certificate will suit your purpose better.

Encryption Consulting’s Managed PKI

Encryption Consulting LLC (EC) will completely offload the Public Key Infrastructure environment, which means EC will take care of building the PKI infrastructure to lead and manage the PKI environment (on-premises, PKI in the cloud, cloud-based hybrid PKI infrastructure) of your organization.

Encryption Consulting will deploy and support your PKI using a fully developed and tested set of procedures and audited processes. Admin rights to your Active Directory will not be required, and control over your PKI and its associated business processes will always remain with you. Furthermore, for security reasons the CA keys will be held in FIPS 140-2 Level 3 HSMs hosted either in your secure datacentre or in our Encryption Consulting datacentre in Dallas, Texas.

Conclusion

Encryption Consulting’s PKI-as-a-Service, or managed PKI, allows you to get all the benefits of a well-run PKI without the operational complexity and cost of operating the software and hardware required to run the show. Your teams still maintain the control they need over day-to-day operations while offloading back-end tasks to a trusted team of PKI experts.

Online Certificate Status Protocol (OCSP) vs Certificate Revocation Lists (CRLs)

Online Certificate Status Protocol (OCSP) and Certificate Revocation Lists (CRLs) are two methods of maintaining Certificate Lifecycle Management (CLM) for your organization. But before getting into which method is best, let’s discuss why you should even be using CLM in the first place.

As you might know, organizations that serve their websites over HTTPS deploy SSL certificates, which they obtain from a Certificate Authority (CA) that validates whether the certificate is legitimate. These certificates, however, have a validity period during which they stay active and encrypt all communications to and from the server, protecting user activity online from bad actors and Man in the Middle (MitM) attacks.

After the certificate expires, a new certificate has to be issued and the previous certificate has to be blacklisted so that it is not used for any future communications. To maintain records of such activities, organizations are required to use CLM.

OCSP

Online Certificate Status Protocol (OCSP) is an Internet protocol that enables applications to determine the revocation state of identified certificates without the use of Certificate Revocation Lists (CRLs). With OCSP, it is possible to obtain more timely information about the revocation status than is possible with CRLs.

How it works

An OCSP client sends a status request to an OCSP responder and suspends acceptance of the certificate until the responder provides a response.

OCSP Request

An OCSP request contains the following information:

  1. Protocol version
  2. Service request
  3. Target certificate identifier
  4. Other optional extensions.

Upon receiving the request, the OCSP responder checks if the predefined conditions are met. These conditions are:

  1. The message should be well formed.
  2. The responder should be configured to provide the requested service.
  3. The request should contain the information needed by the responder.

It returns a definitive response if all of the above conditions are met, and produces an error message otherwise.

OCSP Response

An OCSP response can be of various types, but only one kind of OCSP response is supported by all OCSP servers and clients. A basic OCSP response contains the following information:

  • Version of the response syntax
  • Identifier of the responder
  • Time when the response was generated
  • Responses for each of the certificates in a request
  • Optional extensions
  • Signature algorithm OID
  • Signature computed across a hash of the response

There are 3 certificate status values that can be returned:

  • Good

    A certificate status of “good” shows that the certificate is valid for use. At a minimum, this shows that a certificate with the corresponding serial number and validity period hasn’t been revoked.

  • Revoked

    The “revoked” state indicates that the certificate has been revoked, either temporarily or permanently. If the CA has no record of ever having issued a certificate with the certificate serial number in the request, then this status may also be returned.

  • Unknown

    The “unknown” state indicates that the responder doesn’t know about the certificate being requested, usually because the request indicates an unrecognized issuer that is not served by this responder.

The OCSP response is always signed by the CA to ensure no alteration occurs while the response is in transit.

OCSP Stapling

OCSP Stapling improves performance by setting up a digitally signed and time-stamped OCSP response on the web server. This OCSP response is then refreshed at certain intervals set by the CA. The stapled OCSP response lets the web server include the OCSP response within the initial SSL handshake, without the user needing to make a separate connection to the CA.

Advantages

  • Compared to a CRL, an OCSP response contains considerably less data, because with OCSP a client can query the status of a single certificate rather than having to download and parse an entire list.
  • Since the amount of data requested is small, the load on the client and network is considerably lower than with CRLs.

Disadvantages

  • Since a request is sent for each certificate every single time, it can overload the OCSP responder for high-traffic websites.
  • Although the above can be solved by using OCSP Stapling, it is not yet supported by all browsers.
  • If the private key for the server was compromised, an attacker can pose as the server using a Man in the Middle attack.

CRL

A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. There are two different states of revocation defined:

Revoked

In this state, a certificate is revoked irreversibly and cannot be reinstated. The reason for revocation could be any of the following:

  • Unspecified
  • Key Compromise
  • CA Compromise
  • Affiliation Changed
  • Superseded
  • Cessation of Operation
  • Certificate Hold
  • Removed from CRL
  • Privilege Withdrawn
  • AA Compromise

The most common reason for revocation is that the private key for the user has been compromised.

Hold

A certificate that is put into a hold state is suspended temporarily and may be reinstated if needed. Putting a certificate on hold could occur for several reasons. For example, if a private key that was previously thought to be lost is found, the status can be reinstated and the certificate will become valid again.

How it works

A CRL essentially functions as a blacklist for certificates. A browser makes a GET request to an HTTPS-enabled page; the CA receives the request and then returns a list of all the revoked certificates. The browser then parses the CRL to ensure that the certificate of the requested site isn’t contained within it.

When a browser wants to retrieve a CRL for a certificate, it retrieves it from a specified CRL Distribution Point (CDP), which is an X.509 v3 certificate extension. Put simply, a CRL distribution point is a shared location on the network that is used to store the CRL and certificates. It is also possible to have two distribution points, one pointing to the HTTP CRL location and the other pointing to the LDAP CRL location. Both distribution points, HTTP and LDAP, could point to the same CRL.

Advantages

Using a CRL is the next best way of maintaining a certificate lifecycle if, for some reason, OCSP is not available.

Disadvantages

  • Generally, the CRL returned contains thousands of lines, which can have a considerable effect on network and client performance.
  • Typically the publishing of a new CRL is very slow, which can leave the client open to attacks.
  • If for some reason a client is unable to download the CRL, it’ll default to trusting the certificate.

| OCSP | CRL |
| --- | --- |
| OCSP can be used to get the status of a single certificate. | A CRL is a list with multiple lines that has to be downloaded by the browser. |
| Status of a certificate is fetched by making a request to an OCSP Responder. | A CRL is distributed using a CDP point which can be an HTTP link or an LDAP server. |
| Has less effect on the client and network resources. | Has a big effect on client resources. |
| Is the industry standard for Certificate Lifecycle Management currently. | Used to be the only solution for Certificate Lifecycle Management. |
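
The three OCSP status values and the CRL behaviour of trusting a certificate when no list can be downloaded, both described above, come together in one client-side decision. The following is an added example, not code from the original article: `OcspAnswer`, `Crl`, `decide` and the five-minute clock-skew allowance are hypothetical names and assumptions, the freshness check on the response time stamps is an added safeguard, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

SKEW = timedelta(minutes=5)  # assumed clock-skew allowance

@dataclass
class OcspAnswer:  # hypothetical model of one certificate's entry in an OCSP response
    status: str                      # "good", "revoked" or "unknown"
    this_update: datetime            # when the responder knew this status to be correct
    next_update: Optional[datetime]  # when newer information is expected

@dataclass
class Crl:  # hypothetical model of an already parsed and signature-checked CRL
    revoked_serials: Set[int]
    next_update: datetime

def ocsp_is_fresh(a: OcspAnswer, now: datetime) -> bool:
    # A replayed or long-cached "good" answer must not be honoured.
    if a.this_update > now + SKEW:
        return False
    return a.next_update is None or now <= a.next_update + SKEW

def decide(serial: int, ocsp: Optional[OcspAnswer], crl: Optional[Crl],
           now: datetime, hard_fail: bool) -> Tuple[bool, str]:
    """Return (accept, reason) for the certificate with this serial number."""
    if ocsp is not None and ocsp_is_fresh(ocsp, now):
        if ocsp.status == "revoked":
            return False, "ocsp: revoked"
        if ocsp.status == "good":
            return True, "ocsp: good"
        # "unknown": the responder cannot vouch for it, so try the CRL.
    if crl is not None and now <= crl.next_update:
        if serial in crl.revoked_serials:
            return False, "crl: listed"
        return True, "crl: not listed"
    # No usable revocation data: soft-fail trusts by default, hard-fail rejects.
    if hard_fail:
        return False, "no revocation data: rejected"
    return True, "no revocation data: trusted by default"

# Constructed sample data (not from the original page).
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
STALE_GOOD = OcspAnswer("good", NOW - timedelta(days=9), NOW - timedelta(days=2))
FRESH_REVOKED = OcspAnswer("revoked", NOW - timedelta(hours=1), NOW + timedelta(days=1))
SAMPLE_CRL = Crl({0x1A2B, 0x3C4D}, NOW + timedelta(days=3))
```

With `hard_fail=False` the last branch reproduces the default-trust behaviour listed under the CRL disadvantages; setting it to `True` turns an unreachable responder or distribution point into a rejected connection instead.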