Amazon recently announced that it is now offering free security certificates to Amazon Web Services customers.
The digital certificates come from Amazon Trust Services (ATS), which turns Amazon into a Certificate Authority (CA), and are implemented through the new AWS Certificate Manager (ACM). According to Amazon, ACM was designed to cover the provisioning, deployment, and renewal of Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.
Amazon’s Jeff Barr explains in a blog post that, while SSL/TLS certificates are issued for free, customers will continue to pay for the AWS resources they create to run their applications. Moreover, the company explains that the process of deploying new certificates to Elastic Load Balancers and Amazon CloudFront distributions is very simple, requiring only a few clicks.
Amazon’s new Certificate Manager is currently available to customers in the US East (Northern Virginia) region and certificates are not usable across regions. However, the company says that it is already working on covering more regions and on adding support for other AWS services and for other types of domain validation.
SSL/TLS encryption is meant to provide additional security when two entities communicate over the Web, and Amazon’s new initiative is meant to help secure such data transfers, Barr says. Moreover, ACM is meant to simplify the process of obtaining, deploying, and maintaining certificates, in the same way that Let’s Encrypt, the free CA that entered public beta in late 2015, does.
When announcing the release of its first digital certificates, Let’s Encrypt underlined a focus on “encrypting the Internet” to make it a safer place for everyone. By offering free certificates and simplifying the issuance process, the CA wanted to encourage more domain owners to adopt encryption, yet its digital certificates have already started to be abused for nefarious purposes.
Amazon appears determined to follow in Let’s Encrypt’s footsteps, and many are already questioning its ability to eliminate the risks involved in the use of the free AWS certificates. Some have already expressed concern that ACM would create more security issues than it eliminates.
Kevin Bocek, Vice President of Security Strategy & Threat Intelligence, Venafi, told SecurityWeek that, while Amazon’s initiative was expected following the launch of Let's Encrypt, the use of free certificates poses risks that enterprises should be fully aware of.
“What's critically important here is that enterprises realize the risk of utilizing free certificates, which cybercriminals love to take advantage of, as we saw recently with hackers using Let's Encrypt certs for malvertising attacks. This is just another reason why how you protect keys and certificates is much more important than where you get them!
With AWS apps like load balancing, not EC2, it can lock you into using just AWS since it keeps the private keys. Because of this, we caution enterprises about using AWS and any free certs if they are serious about protecting their own IP and their customers' data. While AWS certificates may be good for building quick apps, they cannot provide true enterprise-class security to the Global 5000.
Mark my words: it's just a matter of time before we see cybercriminals leveraging these free AWS certificates to hide in encrypted traffic, masking themselves to go unnoticed while they steal sensitive data,” Bocek said.
Ilia Kolochenko, CEO of High-Tech Bridge, told SecurityWeek that while he salutes the initiative, he would also warn organizations that the SSL certificates are just a small part of SSL/TLS data encryption. Companies should also ensure they have strong cipher suites, reliable protocols, the latest versions of software, and correct configurations.
“Today many people associate SSL/TLS encryption only with HTTPS, but actually, there are far more protocols that rely on SSL data encryption,” Kolochenko said. The company offers a free SSL/TLS testing service that lets organizations check their SSL configuration against PCI DSS compliance requirements and NIST guidelines.
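Kolochenko’s point that the certificate is only one piece of a sound TLS deployment can be turned into a quick check of what a server actually negotiates. The following is an added example, not code from SecurityWeek, AWS or High-Tech Bridge; the policy it encodes (TLS 1.2 or newer, forward-secret AEAD cipher suites, no known-weak primitives) is the example’s own assumption, not a rule taken from the article.

```python
import socket
import ssl
from typing import List, Tuple

# Policy thresholds are this example's assumptions, not an AWS or PCI DSS rule.
ACCEPTED_VERSIONS = ("TLSv1.2", "TLSv1.3")
WEAK_TOKENS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5", "ANON")


def check_tls_params(protocol: str, cipher: str) -> List[str]:
    """Evaluate a negotiated (protocol, cipher) pair against the policy.

    Returns a list of findings; an empty list means the pair is acceptable.
    Cipher names follow the OpenSSL style returned by ssl.SSLSocket.cipher().
    """
    findings = []
    upper = cipher.upper()
    if protocol not in ACCEPTED_VERSIONS:
        findings.append(f"protocol {protocol} is older than TLS 1.2")
    if any(tok in upper for tok in WEAK_TOKENS):
        findings.append(f"cipher {cipher} uses a known-weak primitive")
    # TLS 1.3 suites are forward-secret and AEAD by construction, so the
    # key-exchange and bulk-cipher checks only apply to TLS 1.2 and older.
    if protocol != "TLSv1.3":
        if "DHE" not in upper:  # matches both ECDHE and DHE key exchange
            findings.append(f"cipher {cipher} lacks forward secrecy")
        if not any(aead in upper for aead in ("GCM", "CHACHA20", "CCM")):
            findings.append(f"cipher {cipher} is not an AEAD suite")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Open a verifying TLS connection and return (protocol, cipher name).

    The default context validates the server certificate and hostname, so a
    bad certificate fails here before the cipher policy is even consulted.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    proto, suite = probe(target)
    problems = check_tls_params(proto, suite)
    print(f"{target}: {proto} {suite}")
    print("OK" if not problems else "\n".join(f"- {p}" for p in problems))
```

Running the script against a host of your own reports the negotiated parameters and any policy findings; `check_tls_params` can also be applied offline to parameters recorded in scanner output or server logs.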