Treat Essential Security Certificates as Valuable Assets

Any activity conducted on the Internet must ultimately rely upon security certificates. These Secure Sockets Layer (SSL) certificates are what businesses and organizations trust and rely on when it comes to ensuring that any sort of transaction is kept secure and encrypted. Digital certificates and SSL are everywhere.

Due to their ubiquity, certificates are increasingly targeted by bad actors, who have become more creative in looking for a route into networks or to access applications. Just this year, code-signing certificates stolen from multinational technology company Nvidia were used to certify malware as genuine software tools, allowing bad actors to bypass security controls and attempt attacks.

Why You Should Pay Attention to Certificates

Alongside increasing attacks, there's also the matter of operational management. An expired certificate can lead to your website and services failing, interrupting staff, and stopping customers from making purchases. In May 2022, Spotify's service was down due to a lapsed certificate owned by a company it acquired, ultimately stopping millions of users from listening for several hours. In another example, Let's Encrypt saw one of its root certificates expire in September 2021, which led to downtime for a range of Internet services and websites, including Shopify and Netlify, which support thousands of companies doing business online.

Tracking SSL certificates is seen as a nuisance or low priority for IT teams, but any missed or overlooked certificate can lead to potential headaches around service availability. While it's easy to take these certificates for granted, they should be treated as valuable assets.

Looking at over 3 million certificates in our service inventory, we found that more than 7% of the certificates deployed have already expired and nearly 21% would expire in the next 90 days. Similarly, approximately 9% of websites have inadequate security based on the grade of the current certificate, according to their SSL Labs ratings. For these expired certificates, 48% were still using TLS1.2, 43% were using TLS1.1, and those using RC4 accounted for 12%.

If your organization provides a service online, then it is only as available as your SSL certificate. If you provide technology that is embedded in other companies' products — such as a cloud platform — then it can affect all the clients that rely on you, scaling up the problem. Keeping certificates current and secure should be a priority.

Why Do Issues Around Certificates Exist?

There are four main reasons why a security certificate might have inadequate security.

Preventing Problems Is Better

To prevent these kinds of problems, certificates must be treated as valuable assets rather than afterthoughts. Where to start?

Build an inventory of certificates with status information. With a multitude of certificates involved for most enterprises, automating this process will ensure that it is more efficient and easier to manage at scale.

Maintaining this list of certificates should help you spot gaps, such as self-signed certificates or ones that are close to their expiration date. By preventing issues before they lead to downtime, you can improve the overall approach to security and what the rest of the business sees.

For external-facing websites that use certificates, free tools like SSL Labs can easily demonstrate how well any site is set up, from a security perspective. This will include recommendations on what to do to improve security and remove problems. For developers building sites, this should be a standard part of their process.

Similarly, any developer working on internal applications should know how they use certificates in their applications internally, and they should be tracked, too. For other teams that might have to support certificates, from IT operations through to IT security teams, this insight into what certificates exist should be very useful as well. If developers aren't tasked with this, then carrying out discovery and inventory will be necessary to track certificates just like any other IT asset across the business.

Security certificates are necessary to make applications work, and to ensure that those services can be trusted. Managing them well and treating them as valuable assets is essential for security hygiene and to prevent issues. Even the littlest things can make a difference to security and delivering services.