Venafi, Inc. Vice President, Security Strategy & Threat Intelligence, Kevin Bocek offers this comment:
“The system of trust that runs the Internet is very fragile. Failing to validate a certificate properly gives bad guys the powerful weapons they need to circumvent security controls. Lenovo joins many others in not being prepared to secure the trust that’s established by keys and certificates.
Lenovo, like Fandango, Credit Karma, and an estimated 40 per cent or more of mobile application developers, was not able to validate whether certificates were from a trusted authority. With every Global 2000 organization reporting attacks on keys and certificates, according to the Ponemon Institute, the Internet needs an immune system to evaluate what’s really trusted or not.
Lenovo is certainly not alone in its inability to properly validate digital certificates – this is just the tip of the iceberg. And as this vulnerability shows, if you can compromise certificates, other security controls break down.
With a compromised or forged certificate, you can masquerade as a trusted service, hide in encryption, and go undetected. Keys and certificates were an attempt to solve the first security problems on the Internet – what can I trust and what can be private. But with the rapid rise in vulnerabilities and attacks, now more than ever is the time to take protecting keys and certificates seriously.”