As businesses and web users become more security conscious, the use of SSL certificates has risen exponentially. They are everywhere. Websites and other online services use SSL certificates to create HTTPS connections that encrypt content as it flows over networks. A huge variety of services use certificates to validate the identity of the hosts they’re connected to. It’s no exaggeration to say the economy and global communications depend on SSL certificates. But SSL certificates have a quality that is both essential and dangerous — they expire.
SSL certificates have a fixed lifespan, after which they stop working. Certificates have to expire because permanently valid certificates could (and would) be abused. SSL certificates vouch for the identity of the holder, and that identity has to be checked every once in a while. Software rejects expired certificates and refuses to use them when establishing secure connections. An expired SSL certificate is worthless. But it is easy to forget to renew an SSL certificate: every big company has done so at some point, including Apple, Google, and Microsoft.
In the last year, there were two catastrophic cases of certificate expiry. They help underline how important certificates are to the web and the dangers of not implementing a rigorous certificate renewal process. In December, mobile data networks in several countries were severely disrupted. The UK’s O2 mobile network suffered a day-long outage that affected tens of millions of people and a swath of government and commercial services. The culprit was an expired certificate. Ericsson, which provides core software for mobile networks around the world, failed to renew a certificate and caused devastating service loss in 11 countries, potentially costing the company hundreds of millions of dollars.
Why Expired SSL Certificates Can Kill Your Business?
In 2017, Equifax exposed the personal data of 143 million Americans, including social security numbers and postal addresses. Equifax’s networks were breached through an unpatched vulnerability in the Apache Struts web framework. But what made the attack so dangerous was the length of time the attackers had access to Equifax’s networks — they were able to access 48 databases over 76 days. Failing to patch known vulnerabilities is irresponsible, but Equifax had systems in place to notify them of unauthorized network traffic. So why was the attack allowed to continue for so long? Because the company allowed 300 certificates to expire, removing its ability to monitor encrypted network traffic. The monitoring software’s certificate had expired 19 months before the attack.
For website and application owners, the stakes may not be as high, but an unmanaged certificate expiry can take a business offline and expose users to security risks. What can you do to mitigate that risk?
- Make someone responsible for managing SSL certificates. Imminent expiry often goes unnoticed because no one is responsible for dealing with it.
- Monitor the email to which expiry notifications are sent. Certificate authorities often send email notifications to warn companies that their certificates are about to expire. These notifications aren’t useful if they’re going to an inbox owned by an employee who left the company three months ago. Make sure they go to someone in a position to do something about it.
- Implement a process for certificate renewal and follow it. I am aware of a case in which a company noticed that a certificate was about to expire, bought a new certificate well in advance, but then failed to install it in time.
SSL certificates are a vital component of the infrastructure of web applications, eCommerce stores, cloud services, and every other organization that does business online. Don’t leave certificate renewal to chance.