Although IT security professionals are troubled by future CA incidents, very few have the tools needed to switch CAs quickly. For example, just fifteen percent of respondents believe that Google’s decision to distrust Symantec certificates is a one-time event. However, if they were affected by a major CA event, only twenty-three percent said they are completely confident in their ability to quickly find and replace all their impacted certificates.
“CAs have a very difficult job and they deal with many complexities that are outside their control,” said Mike Dodson, global head of solution architects for Venafi. “Every CA is exposed to risks; and CA compromises and errors can leave organizations scrambling to find and replace many certificates in a short amount of time. Organizations need greater control over the CAs they trust, but they also must acknowledge that they’ll never have full control. For example, browsers play a big role in how we trust CAs. Chrome and Mozilla recently decided they would no longer trust certificates issued by Symantec, and now many organizations must replace these certificates before a set deadline.”
Additional findings indicate that security professionals may be over estimating their ability to respond to a CA incident: