SecurityWeek

Amazon Offers Free SSL/TLS Certificates

Amazon recently announced that it is now offering free security certificates to Amazon Web Services customers.

The digital certificates come from Amazon Trust Services (ATS), which turns Amazon into a Certificate Authority (CA), and are implemented through the new AWS Certificate Manager (ACM). According to Amazon, ACM was designed to cover the provisioning, deployment, and renewal of Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates.

Amazon’s Jeff Barr explains in a blog post that, while SSL/TLS certificates are issued for free, customers will continue to pay for the AWS resources they create to run their applications. Moreover, the company explains that the process of deploying new certificates to Elastic Load Balancers and Amazon CloudFront distributions is very simple, requiring only a few clicks.

Amazon’s new Certificate Manager is currently available to customers in the US East (Northern Virginia) region and certificates are not usable across regions. However, the company says that it is already working on covering more regions and on adding support for other AWS services and for other types of domain validation.

SSL/TLS encryption is meant to provide additional security when two entities communicate over the Web, and Amazon’s new initiative is meant to help secure such data transfers, Barr says. Moreover, ACM is meant to simplify the process of receiving, deploying, and maintaining certificates, much as Let’s Encrypt, the free CA that entered public beta in late 2015, does.

When announcing the release of its first digital certificates, Let’s Encrypt underlined a focus on “encrypting the Internet” to make it a safer place for everyone. By offering free certificates and simplifying the issuance process, the CA wanted to encourage more domain owners to adopt encryption, yet its digital certificates have already started to be abused for nefarious purposes.

Amazon appears determined to follow in Let’s Encrypt’s footsteps, and many are already questioning its ability to eliminate the risks involved in the use of the free AWS certificates. Some have already expressed concern that ACM would create more security issues than it eliminates.

Kevin Bocek, Vice President of Security Strategy & Threat Intelligence, Venafi, told SecurityWeek that, while Amazon’s initiative was expected following the launch of Let’s Encrypt, the use of free certificates poses risks that enterprises should be fully aware of.

“What’s critically important here is that enterprises realize the risk of utilizing free certificates, which cybercriminals love to take advantage of, as we saw recently with hackers using Let’s Encrypt certs for malvertising attacks. This is just another reason why how you protect keys and certificates is much more important than where you get them!

With AWS apps like load balancing, not EC2, it can lock you into using just AWS since it keeps the private keys. Because of this, we caution enterprises about using AWS and any free certs if they are serious about protecting their own IP and their customers’ data. While AWS certificates may be good for building quick apps, they cannot provide true enterprise-class security to the Global 5000.

Mark my words: it’s just a matter of time before we see cybercriminals leveraging these free AWS certificates to hide in encrypted traffic, masking themselves to go unnoticed while they steal sensitive data,” Bocek said.

Ilia Kolochenko, CEO of High-Tech Bridge, told SecurityWeek that while he salutes the initiative, he would also warn organizations that the SSL certificates are just a small part of SSL/TLS data encryption. Companies should also ensure they have strong cipher suites, reliable protocols, the latest versions of software, and correct configurations.

“Today many people associate SSL/TLS encryption only with HTTPS, but actually, there are far more protocols that rely on SSL data encryption,” Kolochenko said. The company is offering a free SSL/TLS service for organizations to test their SSL security for PCI DSS compliance requirements and NIST guidelines.
