Industry pros concerned with AWS free cert offering
Amazon Web Services' offer of free certificates to help companies automate use of TLS/SSL cryptographic protocols was met with skepticism.
Amazon Web Services (AWS) is offering free digital certificates to help companies automate use of Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols.
The announcement has been met with skepticism from some industry pros, in light of a similar move by the open certificate authority Let's Encrypt.
Let's Encrypt began offering open source certificates in September, and then rolled its free SSL certificates out of beta earlier this month. The digital certificates were then used by malware developers to avoid detection in distributing a new malware family that surveils infected devices' activity and sends information to attackers.
AWS' certificate manager “is designed to simplify and automate many of the tasks traditionally associated with provisioning and managing SSL/TLS certificates,” wrote Amazon's Craig Liebendorfer in a blog post.
AWS Certificate Manager is only available in the US East (Northern Virginia) region, with additional regions in the works, according to Jeff Barr, Chief Evangelist of Amazon Web Services, in a blog post.
In speaking with SCMagazine.com, Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said Amazon Web Services' certificate manager “is making it easier for a set of Amazon customers to use certificates for free,” an initiative that he says is “positive in its intention.”
However, he added, “We need to be aware of and be vigilant of the risks of automation.”
“It's a great initiative,” wrote Ilia Kolochenko, CEO of private information security firm High-Tech Bridge, in an email obtained by SCMagazine.com, “however one shouldn't forget that an SSL certificate is just a small part of SSL/TLS data encryption. Strong cipher suites, reliable protocols, the latest versions of software and correct configurations are also vitally important.”
In an email, Bocek wrote that “it's just a matter of time before we see cybercriminals leveraging these free AWS certificates to hide in encrypted traffic, masking themselves to go unnoticed while they steal sensitive data.”