Computer networking systems, such as packet networks linking various endpoints, can include security features to ensure that endpoints communicate over secure links. These secure links can reduce eavesdropping and other forms of malicious attacks by employing encryption over the links. Some forms of encryption include symmetric or asymmetric encryption techniques, such as the popular public key infrastructure (PKI) employed in many networked systems. However, when exchanging information to establish the secure links, man-in-the-middle attacks can be used to impersonate endpoints and thus still allow malicious activity to occur.
Digital security certificate systems have been developed to allow trusted third parties, namely certificate authorities, to issue digital certificates that authenticate encryption information for particular endpoints, such as for content provider endpoints. These digital certificates can be employed when an endpoint wishes to retrieve network content in a secure manner. The endpoint can use a certificate delivered with an encryption key associated with the content provider to establish that the content provider identity and associated link is authentic.
However, managing digital certificates can be cumbersome and slow, and is often a manual process. For example, a content administrator might have to manually request issuance of a digital certificate by entering data into a web form. Over time, this has driven acceptance of undesirable patterns and practices, increasing the risk of encryption key compromise and service outages. For example, the difficulty with acquiring certificates has led to the use of wildcard certificates and self-signed certificates.
Wildcard certificates can offer both convenience and cost reduction by reducing the total number of certificates managed within an environment. However, wildcard certificates increase breach scope as the compromise of one certificate may lead to the compromise of all services sharing the same domain. Wildcard certificates present a high lifecycle maintenance cost. If a wildcard certificate must be revoked, the number of services and components that must receive an update is often substantial. Wildcard certificates provide a lower level of assurance. As wildcard certificates remove a deployment barrier, they unintentionally encourage broader adoption and usage than was originally intended during issuance.
Self-signed certificates are commonly installed by applications and devices with the intent that they be temporary and replaced with trusted certificates. Remote desktop services and third-party management tools are common sources for self-signed certificates. Accessing services that offer self-signed certificates typically generate warnings regarding the lack of trust for the certificates. Users are typically instructed to ignore and click-through such warnings. These scenarios create fertile conditions for man-in-the-middle attacks.