Why it’s important to monitor your SSL (Secure Sockets Layer) and TLS certificates
The Transport Layer Security (TLS) protocol, the updated, more secure version of SSL (Secure Sockets Layer) is designed to add security to web traffic. It wraps the traffic in a layer of encryption, which protects it against being read and modified by an eavesdropper.
TLS works on the principles of public key cryptography, which uses a pair of public and private keys to securely generate a shared secret key between a website and a visitor. This shared secret key is then used to encrypt all communications between the client and the server.
A TLS certificate provides a user with the public key associated with a particular site and verifies its authenticity. Without the TLS certificate, it is impossible to prove that a certain public key actually belongs to a particular website. An attacker could provide a client with their own public key instead, enabling them to masquerade as the site owner.
TLS certificates can be used for other purposes as well. The public keys they contain are also useful for verifying digital signatures created with the corresponding public key. These digital signatures can be used to validate software authenticity or provide integrity verification on other types of data.
In summary, TLS certificates provide businesses, and their customers, with multiple benefits including:
- Authentication: The TLS certificate verifies that a particular public key belongs to a website. This ensures that if the server uses the corresponding private key throughout the process, the website has not been replaced by a phishing site.
- Confidentiality: The public key in TLS certificates is used to securely create a shared secret key between the client and server. This key is used to encrypt data to protect it against eavesdropping.
- Integrity: Public key cryptography can also be used for digital signatures. These prove that the signed data has not been modified since the certificate was generated.
However, all of these benefits are lost if a TLS certificate is allowed to expire.
What are the risks of expired TLS certificates?
TLS certificates are only valid for a certain amount of time. This is intended to minimize the impact of compromised certificates by ensuring that they expire after a certain period. The lifetime of a TLS certificate can vary based on the provider and service offering, but a website owner can renew them once the certificate has expired.
However, certificate expiration means that a website owner needs to periodically take action to renew their certificates. Failure to do so can harm an organization in a number of different ways.
Lack of Data Encryption
Valid certificates are a vital component of the TLS protocol. The public keys that they contain are used to generate a shared secret key between the website and its visitors. Without it, this key generation cannot occur.
If TLS certificates are expired, then web browsers will display a warning to users that a site is insecure. If a user wants to visit the site, they need to state that they accept the risk in order to continue to the site. A user needs to know how to click through the prompts to do so and may be scared away by the warnings displayed by their browser. This failure to renew certificates can cause customers to lose trust in the site and may turn away visitors, causing a loss of sales as well.
TLS certificates are vital to HTTPS connections, the secure option for accessing a website. While some sites may be accessible via HTTP or HTTPS, others require secure connectivity.
For example, sites collecting payment card information need the encryption provided by HTTPS to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). Without a valid TLS certificate, these sites are completely unusable.
Expired TLS certificates causing full site outages or loss of some functionality is not uncommon. In April 2021, American Express users were notified that their payment cards were being removed from Google Pay despite the fact that these cards were still valid and unexpired. After some investigation, the cause was discovered to be an expired certificate that broke communications between the servers of Google and American Express. Without this certificate, these users’ cards were repeatedly removed from Google Pay.
Another example of the impact of expired certificates is an underreporting of COVID-19 cases in California in 2020. An expired certificate on the CalREDIE site made it impossible for testing labs to upload the results of COVID-19 tests. As a result, between 250,000 and 300,000 test results were delayed, causing the state to underreport its number of positive COVID-19 tests.
The main purpose of TLS is to protect users against eavesdroppers. Without the encryption, authentication, and integrity protections provided by TLS, an attacker can perform a man-in-the-middle (MitM) attack.
In a MitM attack, an attacker intercepts communications between two parties, allowing them to decrypt, read, and potentially modify all traffic flowing between the client and the server. An expired certificate makes this possible because it increases the probability that a user will accept a spoofed certificate or switch to an insecure HTTP site.
Failed Code Checks
Many platforms, such as the iPhone, use digital signatures to verify the authenticity and integrity of a program before running it. These digital signatures rely on certificates to provide the public key used in validation. If this certificate expires, then validation will fail.
An example of the impact of expired certificates on code checks is an outage of Pulse Secure VPNs in April 2021. The issue was caused by a failure to renew a code signing certificate for the software, causing it to be rejected as invalid. With the surge in remote work caused by the COVID-19 pandemic, this inability to securely access corporate resources hurt many companies’ employee productivity during the outage.
Loss of Security Visibility
TLS is now used to protect the majority of Internet connections with both positive and negative consequences. On the plus side, the use of TLS protects legitimate users from eavesdroppers, protecting users’ privacy and data security. However, TLS can also be used to conceal malware’s command and control traffic or data exfiltration.
Some organizations use TLS interception to achieve visibility into their network traffic. This approach uses a proxy to perform a man-in-the-middle attack, breaking the TLS encryption and allowing the traffic to be inspected. However, TLS interception requires an organization’s proxy to have a valid and unexpired TLS certificate. Otherwise, the system won’t work.
The Equifax hack is a perfect example of the risks of failing to renew certificates for TLS interception. The attackers exfiltrated the sensitive data of approximately 143 million Americans from Equifax, but the company did not detect the attack because the certificate on their TLS interception proxy expired ten months earlier. When the certificate was finally renewed, the malicious traffic was immediately detected, leading to the discovery of the attack.
Why managing TLS certificates can be challenging
The number of security incidents and site outages resulting from expired TLS certificates shows that TLS certificate management can be challenging. An estimated 88% of organizations have experienced at least one unplanned outage due to an expired certificate. Additionally, these expired certificates have led to delays in detecting major security incidents like the Equifax breach, which amplifies their impact.
Companies struggle to manage their TLS certificates for a few different reasons. Some common challenges with TLS certificate management include:
- Numerous Certificates: TLS certificates can be used for a variety of different reasons, including authenticating websites, code signing, and more. This means that companies may have many different digital certificates with different renewal cycles, making them more difficult to track and manage.
- Manual Processes: Many companies try to manage TLS certificate renewal processes manually. However, this increases the probability that an overlooked certificate will cause an outage or other issue.
- Long Cycles: Many TLS certificates are valid for years, meaning that companies rarely need to renew them. As a result, companies fail to develop processes for managing them or certificates slip through the cracks, resulting in unrenewed certificates.
All of these factors contribute to the problem of expired certificates causing companies significant issues. However, these certificate management challenges are completely avoidable.
Certificate management solutions are available to automate the process of renewing certificates as they expire. Halo Security’s Website Scanning service keeps an eye on websites and monitors for certificates that are about to expire or have expired. If something is discovered, it then alerts website administrators about which certificates should be renewed immediately.
Expired TLS certificates can lead to a number of problems for organizations like site outages, MitM attacks, and loss of security visibility.
Automating certificate management enables organizations to eliminate these risks to enterprise cybersecurity. Instead of relying on manual processes to identify and fix expired certificates, companies can get ahead of the risks by being alerted whenever a certificate is about to expire.
If you'd like to see a preview of our Website Scanning and full attack surface management platform, feel free to book a meeting with our team.
Editor's note (Dec 2022): This article was originally posted on the TrustedSite blog in May 2021. It has been updated for the Halo Security blog.