The Role and Challenges of SSL/TLS Certificates
SSL/TLS certificates are integral to securing online communications and transactions, functioning as the encryption mechanisms for sensitive data, the authenticators of user identities, and the bulwarks against various cyber threats. However, their efficacy is being undermined by the shorter lifespan of digital certificates and the ensuing challenges posed by their frequent renewals, a situation made perilous by the absence of automation.
The Impact of Google's TLS Validity Proposal
Google's recent suggestion to decrease TLS validity from 398 days to just 90 has amplified the complexity of certificate management. Organisations, regardless of size, must now brace themselves for the daunting task of quarterly certificate renewals. Are our current processes robust enough to manage this change?
Statistics Spotlight: SSL/TLS Certificates in the Wild
The 2023 Enterprise Management Associates (EMA) report reveals some startling statistics about the state of SSL/TLS certificates on the internet:
- A meagre 21% of servers employ the advanced TLS 1.3.
- About 79% of the currently used SSL certificates are vulnerable to man-in-the-middle attacks.
- Roughly 25% of the online certificates, consisting of expired (10%) and self-signed (15%) ones, pose a significant security risk.
- Around 45% of IP addresses with the Top 10 vulnerabilities also had expired or self-signed certificates.
The Trouble with Self-Signed and Expired Certificates
Nearly 10% of all publicly accessible websites are dysfunctional due to expired certificates. Moreover, self-signed certificates, not issued by a recognised authority and therefore insecure, make up 15% of the certificates on the public internet and seem to expire at twice the rate. These certificates require users to bypass browser security, making them particularly susceptible to man-in-the-middle attacks.
Industry Guidance on Certificate Management and System Hardening
Authorities such as the Cybersecurity and Infrastructure Security Agency (CISA), the National Cyber Security Centre (NCSC UK), and the Australian Cyber Security Centre (ACSC) have raised alarms about these concerns and issued guidelines on system hardening and certificate management. In its July 2023 update, the ACSC emphasised the significance of utilising updated operating systems for improved security functionalities, particularly the added measures available in 64-bit versions.
The Benefits of Automating Certificate Management
By shifting from manual to automated certificate management, organisations can assure timely certificate renewals, reduce the risk of expired certificates, and streamline the entire certificate lifecycle. Automation enables IT teams to concentrate on strategic tasks rather than on tedious manual tracking and administration, thereby enhancing security, compliance, and overall efficiency of certificate management practices.
Given the current state of internet security, a drastic overhaul in our approach to certificate management is required. The transition from a manual to an automated system is no longer just a strategic choice, but an absolute necessity for maintaining a resilient cybersecurity posture. With higher stakes for businesses and consumers, comprehensive certificate management solutions like those offered by industry leaders such as AppViewX become indispensable.
