New CSC Research Finds Nearly 60% of Enterprises Use Three+ SSL Providers, Complicating Digital Certificate Life Cycle Management and Increasing Risk

WILMINGTON, Del.--(BUSINESS WIRE)--CSC, an enterprise-class domain security provider and world leader in domain management, DNS, digital certificate management, brand protection, and anti-fraud solutions, today released its inaugural report. “The SSL Landscape” finds that approximately 60% of businesses use three or more secure sockets layer (SSL) providers and suggests a lack of centralized processes for SSL management. This and other evidence further suggest organizations are ignoring or delaying the implementation of a strategic response to the upcoming shortening of SSL certificate life cycles and domain control validation (DCV) re-use periods, opening them up to multiple points of risk.

Forthcoming changes to SSL/TLS certificate life cycles poised to disrupt certificate renewal strategy.

Share

CSC’s “The SSL Landscape” provides an in-depth analysis on use trends and patterns for more than 802,000 digital certificates linked to 2.4 million domains, including how organizations oversee SSL certificates and the impact on integrity assurance for their domains. The research comes at a key time when SSL/transport layer security (TLS) certificate life cycles are set to shrink from 367 days to 200 starting in 2026 to just 47 by 2029, and DCV re-use periods will decline from 367 days to only 10 by 2028, as mandated by the CA/Browser Forum. Therefore, organizations must update their strategies for renewing certificates nearly eight times a year instead of roughly once a year.

“SSL certificates play a critical role in authenticating the legitimacy and safety of an online brand, including the validation of credentials and the encryption of the connection between a website’s server and a user’s browser,” says Mark Flegg, senior director of technology, CSC Security Products and Services. “As the industry approaches shortened SSL certificate renewal life cycles, organizations cannot afford to delay their transitions to certificate automation or to compromise the security of their organizations with fragmented SSL management. It’s concerning that 72% of respondents we surveyed were either completely unaware of or didn’t know the details of the upcoming industry changes—and as many are unsure of or not ready for automation. Missed renewals could further bring down entire domains and applications that are the backbone of business operations—such as payment gateways, email, VPN, and collaboration tools for chat, video calls, and document sharing.”

According to CSC's research, domain validated (DV) certificates account for three-quarters (73.5%) of certificates while organization validation (OV) certificates represent nearly one-quarter (24.6%) and extended validation (EV) certificates account for less than two percent (1.9%). With low-cost, easy-to-obtain DV certificates dominating the market among organizations, cybercriminals leverage this trend by obtaining similar low-cost certificates to impersonate brands—making fraudulent websites look authentic with a https-secured site—tricking customers into clicking malicious links that compromise data. This research raises concerns about whether IT and security departments have a clear strategy on which certificate is obtained for each type of web asset.

CSC’s findings additionally show that the top three certificate providers are not enterprise-class providers, yet these providers supply the majority of DV certificates (89%) used by the analyzed organizations. The combination of easy-to-obtain certificates and consumer-grade providers who don’t offer the enterprise-class support needed to help companies prepare for upcoming SSL industry changes creates a recipe for serious disruption to organization services and reputation.

“Organizations are about to face the most transformative period for domain security,” continues Flegg. “A lack of understanding around proper certificate strategy, and the absence of urgency to effectively prepare for new certificate life cycles, will leave many online brands and digital identities playing a never-ending game of catch up. Those who prioritize automation, consolidating their certificate solutions providers, and working with enterprise-class domain partners will ensure a smoother, safer transition that minimizes the risk of costly expiration outages and security incidents.”

For more information on key trends in SSL management, download “The SSL Landscape.” To learn more about CSC’s flexible suite of digital certificate management solutions, request a consultation at cscdbs.com.

About CSC

CSC is the trusted security and threat intelligence provider of choice for the Forbes Global 2000 and the 100 Best Global Brands (Interbrand^®) with focus areas in domain security and management, along with digital brand and fraud protection. As global companies make significant investments in their security posture, our DomainSec^SM platform can help them understand cybersecurity oversights that exist and help them secure their online digital assets and brands. By leveraging CSC’s proprietary technology, companies can solidify their security posture to protect against cyber threat vectors targeting their online assets and brand reputation, helping them avoid devastating revenue loss. CSC also provides online brand protection—a combination of online brand monitoring and enforcement activities—with a multidimensional view of various threats outside the firewall targeting specific domains. Fraud protection services that combat phishing in the early stages of attack round out our solutions.

Headquartered in Wilmington, Delaware, USA, since 1899, CSC has offices throughout the United States, Canada, Europe, and the Asia-Pacific region. CSC is a global company capable of doing business wherever our clients are—and we accomplish that by employing experts in every business we serve. Visit cscdbs.com.