Any activity conducted on the Internet must ultimately rely upon security certificates. These Secure Sockets Layer (SSL) certificates are what businesses and organizations trust and rely on when it comes to ensuring that any sort of transaction is kept secure and encrypted. Digital certificates and SSL are everywhere.
Due to their ubiquity, certificates are increasingly targeted by bad actors, who have become more creative in looking for a route into networks or to access applications. Just this year, code-signing certificates stolen from multinational technology company Nvidia were used to certify malware as genuine software tools, allowing bad actors to bypass security controls and attempt attacks.
Why You Should Pay Attention to Certificates
Alongside increasing attacks, there's also the matter of operational management. An expired certificate can lead to your website and services failing, interrupting staff, and stopping customers from making purchases. In May 2022, Spotify's service was down due to a lapsed certificate owned by a company it acquired, ultimately stopping millions of users from listening for several hours. In another example, Let's Encrypt saw one of its root certificates expire in September 2021, which led to downtime for a range of Internet services and websites, including Shopify and Netlify, which support thousands of companies doing business online.
Tracking SSL certificates is seen as a nuisance or low priority for IT teams, but any missed or overlooked certificate can lead to potential headaches around service availability. While it's easy to take these certificates for granted, they should be treated as valuable assets.
Looking at over 3 million certificates in our service inventory, we found that more than 7% of the certificates deployed have already expired and nearly 21% would expire in the next 90 days. Similarly, approximately 9% of websites have inadequate security based on the grade of the current certificate, according to their SSL Labs ratings. For these expired certificates, 48% were still using TLS1.2, 43% were using TLS1.1, and those using RC4 accounted for 12%.
If your organization provides a service online, then it is only as available as your SSL certificate. If you provide technology that is embedded in other companies' products — such as a cloud platform — then it can affect all the clients that rely on you, scaling up the problem. Keeping certificates current and secure should be a priority.
Why Do Issues Around Certificates Exist?
There are four main reasons why a security certificate might have inadequate security.
- The first is the use of self-signed certificates, when someone chooses to use their own security certificate as a token to prove that their service is valid and can be trusted. This is the equivalent of marking your own homework at school — while you might trust yourself, this may not be enough for others that will rely on that certificate over time. There's also no external proof that your self-signed certificate was generated by you, rather than someone else.
- Next is the problem that comes with using certificates created by an untrusted certificate authority. Certificate authorities have to be trusted for what they certify to be widely used. This level of trust can be revoked if that company starts exhibiting poor business practices, or if their IT systems are compromised.
- There can also be issues when certificates rely on older protocols for encryption, such as SSL v3 or TLS1.0/TLS1.1. As with many things, these standards were appropriate for the times when they were created, but they're now unsafe to use given the increases in computing power available. Attacks on sites can attempt to downgrade the encryption standard from modern versions to older protocols that are easier to break, or take advantage of flaws in how they're implemented to access data.
- The last problem is the ability to understand what certificates you have, and what their status is. If you aren't aware that a certificate exists, then you can end up with an application that fails to work. This can lead to further problems for the application, and for any service that depends on it.
Preventing Problems Is Better
To prevent these kinds of problems, certificates must be treated as valuable assets rather than afterthoughts. Where to start?
Build an inventory of certificates with status information. With a multitude of certificates involved for most enterprises, automating this process will ensure that it is more efficient and easier to manage at scale.
Maintaining this list of certificates should help you spot gaps, such as self-signed certificates or ones that are close to their expiration date. By preventing issues before they lead to downtime, you can improve the overall approach to security and what the rest of the business sees.
For external-facing websites that use certificates, free tools like SSL Labs can easily demonstrate how well any site is set up, from a security perspective. This will include recommendations on what to do to improve security and remove problems. For developers building sites, this should be a standard part of their process.
Similarly, any developer working on internal applications should know how they use certificates in their applications internally, and they should be tracked, too. For other teams that might have to support certificates, from IT operations through to IT security teams, this insight into what certificates exist should be very useful as well. If developers aren't tasked with this, then carrying out discovery and inventory will be necessary to track certificates just like any other IT asset across the business.
Security certificates are necessary to make applications work, and to ensure that those services can be trusted. Managing them well and treating them as valuable assets is essential for security hygiene and to prevent issues. Even the littlest things can make a difference to security and delivering services.