SSL certificates authenticate your websites and domains and are critical for properly encrypting Internet traffic and verifying servers’ identity. Without these certificates, end users have no way of knowing whether the website they are browsing is who it claims to be.
Following a policy change announced in 2020 by Apple, Google and Mozilla, SSL certificates should be issued for a period of no longer than 398 days, after which they expire. If not renewed on time, expired SSL certificates leave your organization exposed to a range of both cyber and business risks.
There is no lack of tools meant to help IT and security teams manage these certificates and renew them on time. Nevertheless, websites and domains with expired certificates are quite prevalent and are becoming increasingly common, partly because of the recent change to the certificate expiration period.
WHAT ARE THE RISKS?
Your Website Is No Longer Secure
SSL certificates ensure secure connections between a server and other web entities and confirm that a browser is indeed communicating with a validated website server. Once the certificate expires, your website is no longer recognized on the web as safe and secure, and it is vulnerable to cyber-attacks.
Customers’ Trust and Revenues Are At Stake
Digital certificates are a cornerstone in building a trust-based relationship between your business and your customers. You want to provide your website users with a safe and secure environment in which they are comfortable providing personal data such as a home address or credit card information. The little padlock on the top left corner of the browser is a fundamental component in the chain of trust.
Once your SSL certificate expires, the browser will immediately flag your domain and warn any visitor wanting to access your website. This will dramatically reduce the traffic to your website.
In addition, expired SSL certificates can lead to service outages, which in turn damage your reputation, customer trust, and revenue stream.
2020 has witnessed several high-profile cases of online services disruption caused by expired SSL certificates.
GitHub’s CDN SSL Certificate expired and led to several malfunctions of its site, leaving millions of its users confused.
Spotify’s SSL certificate expired and resulted in major downtime in their music streaming services and many disappointed users.
When an SSL certificate expires, attackers are able to place themselves between a user’s browser and a web server, impersonating either one of them while the two try to communicate with each other. This creates a dangerous situation in which the server is assured that it is exchanging information with the user’s browser, and vice versa, while the attacker sits right in the middle, able to view and harvest sensitive data for malicious purposes such as data theft and fraud. Such data often includes passwords, sensitive files, payment information and PII, among others.
The Poodle Attack
The Poodle attack exploits a vulnerability in the SSL v3.0 protocol. The name stands for “Padding Oracle On Downgraded Legacy Encryption”, also known as the Poodle vulnerability.
The Poodle attack is a type of Man-In-The-Middle attack which allows sensitive data such as user information to be exposed to malicious attackers. This alarming situation arises when SSL version 3.0 is used to carry encrypted transactions back and forth between the website server and the user’s browser. The vulnerability can lead to data theft and, moreover, it can allow attackers to take over the whole web application by impersonating either the server or the browser. For that to happen, an attacker first needs to perform a MITM attack from start to end, and then either hope the server uses SSL v3.0 or persuade the server to use it by causing connection dropouts, which indicate that the user might not be able to use the same TLS protocol. This forces the server to try the previous version (SSL v3.0). If both the MITM attack and the forced protocol downgrade succeed, the parties are vulnerable to the Poodle attack, which the attacker can take advantage of to go after the information communicated between them.
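The fallback behaviour described above can be modelled in a few lines to show which defensive settings stop the downgrade. This is an added example, not code from the original article: the function names are hypothetical, dropped handshakes are represented only as a set of version names, and the TLS_FALLBACK_SCSV signal (RFC 7507) goes beyond what the article covers.

```python
# Simplified model of TLS version negotiation with client-side fallback retries.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # weakest to strongest
rank = VERSIONS.index


def server_select(server_versions, offered, is_fallback, checks_scsv):
    """Server side: pick the best shared version or refuse the handshake."""
    best = max(server_versions, key=rank)
    # RFC 7507: a retry marked as a fallback is refused when the server
    # could have spoken something newer than what the client now offers.
    if is_fallback and checks_scsv and rank(best) > rank(offered):
        raise ConnectionError("inappropriate_fallback")
    usable = [v for v in server_versions if rank(v) <= rank(offered)]
    if not usable:
        raise ConnectionError("protocol_version")
    return max(usable, key=rank)


def negotiate(client_versions, server_versions, dropped=(), scsv=False):
    """Client side: offer the newest version first, retry lower on a dropout.

    `dropped` lists the versions whose handshakes never complete (the
    connection dropouts described above). Returns the agreed version,
    or None when no connection is established.
    """
    offers = sorted(client_versions, key=rank, reverse=True)
    for attempt, offered in enumerate(offers):
        if offered in dropped:
            continue  # handshake interrupted; the client falls back
        try:
            return server_select(server_versions, offered, attempt > 0, scsv)
        except ConnectionError:
            return None  # explicit refusal: lower offers cannot succeed
    return None


TLS_ONLY = VERSIONS[1:]   # SSLv3 disabled
DROPS = set(TLS_ONLY)     # every TLS handshake is interrupted

if __name__ == "__main__":
    print("legacy server and client:", negotiate(VERSIONS, VERSIONS, DROPS))
    print("server without SSLv3:   ", negotiate(VERSIONS, TLS_ONLY, DROPS))
    print("client without SSLv3:   ", negotiate(TLS_ONLY, VERSIONS, DROPS))
    print("both sides use SCSV:    ", negotiate(VERSIONS, VERSIONS, DROPS, scsv=True))
```

Only the first case ends on SSLv3; disabling SSLv3 on either side, or honouring the fallback signal, turns the downgrade into a failed connection instead.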
IS IT SO DIFFICULT TO RENEW SSL CERTIFICATES ON TIME?
In theory, no. There are plenty of accessible certificate management tools that aim to solve this problem. Yet the rising number of headlines about cyber incidents resulting from expired SSL certificates suggests that this may not be that simple.
IT and security teams at a large-scale organization must keep track of hundreds if not thousands of websites and domains and make sure their certificates are renewed on time.
The problem? Often teams are unaware of all the websites and domains that belong to their organization and its subsidiaries. Some of these sites and domains might have been created without their knowledge and others might have been forgotten or abandoned.
Even when using the most convenient automated tool you can only track the SSL certificates for websites and domains you are aware of.
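As an added example (not part of the original article and not Reposify's code), here is a minimal expiry check for hosts you already know about, using only the Python standard library. It flags expired certificates, certificates close to expiry, and validity periods longer than 398 days; the 30-day warning window and the sample certificate dates are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

MAX_VALIDITY_DAYS = 398        # limit cited in the article
X509_CERT_HAS_EXPIRED = 10     # OpenSSL verify code for an expired certificate


def _parse(cert_time):
    """Convert a getpeercert() timestamp such as 'Jan  1 00:00:00 2024 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def classify(cert, now, warn_days=30):
    """Return a list of findings for one certificate dict from getpeercert()."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    findings = []
    if now > not_after:
        findings.append("expired")
    elif not_after - now <= timedelta(days=warn_days):
        findings.append("expiring-soon")
    if not_after - not_before > timedelta(days=MAX_VALIDITY_DAYS):
        findings.append("validity-over-398-days")
    return findings


def check_host(host, port=443, now=None):
    """Fetch the live certificate for a known host and classify it."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), now)
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate fails verification during the handshake,
        # so getpeercert() is never reached; report it from the error code.
        if exc.verify_code == X509_CERT_HAS_EXPIRED:
            return ["expired"]
        return [f"verify-failed: {exc.verify_message}"]
    except OSError as exc:
        return [f"unreachable: {exc}"]


# Constructed sample certificates (dates only), in getpeercert() format.
SAMPLE_OK = {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Jan 31 00:00:00 2025 GMT"}
SAMPLE_LONG = {"notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Mar  1 00:00:00 2025 GMT"}
```

Running `check_host` over an inventory file covers only the hostnames listed in it, which is the limitation described above.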
HOW CAN REPOSIFY HELP?
Reposify’s External Attack Surface Management automatically creates an inventory of an organization’s internet-facing assets and analyzes them for a wide range of security issues, including expired SSL certificates, abandoned subdomains, etc.
The platform alerts you to any expired SSL certificates your organization or any of your subsidiaries may have so your team can remediate the issue in real time.
Contact our cyber experts today to get a comprehensive analysis of your external attack surface to discover all your internet-facing assets including domains and expired SSL certificates.