One in five unique IP addresses is still using a vulnerable SHA-1 certificate, according to research by machine identity protection agency Venafi.
There are multiple issues SSL certificates can be exposed to, including vulnerabilities from attacks like POODLE or Heartbleed, weak cipher suites, and private key compromise. In the case of SHA-1, a successful collision attack back in 2017 – the product of two years of research and testing – created the urgency to upgrade. Once a cryptographic hash function is known to be vulnerable, there’s no going back.
Security breaches caused by vulnerable certificates can plague organisations and cause mass reputational damage through organisational distrust. Breaches such as 2017’s Equifax breach can also result in enormous lawsuits and leave organisations needing to pay millions in damages to victims.
Vulnerable certificates have existed since the early 1990s, and they represent a real security threat. To mitigate instances of vulnerable certificates, ensure you have an inventory of all certificates, types and expiry dates being used in your network.
Why do SSL Certificates Expire?
SSL certificates are encryption and authentication facilitators. They expire because authentication must be evaluated and changed over time. Certificates are only valid for about twenty-seven months before they expire; this allows for industry rollover and algorithm updates.
Certificates that are revoked by CAs (Certificate Authorities) are placed on Certificate Revocation Lists – groups of blacklists users can search through to confirm the validity of their certificate.
What does certificate vulnerability mean?
When SHA-1 was broken, the team noted that applications still relying on SHA-1, including digital certificate signatures, were all vulnerable. This put the information passed through these applications in a vulnerable place.
From BEAST to POODLE and Heartbleed, there have been several SSL certificate vulnerabilities over the years. Some of the vulnerabilities that can affect certificates include:
- Forged Certificates
- Attacker Encrypted Communications
- Expired SSL Certificates
To avoid misuse of certificates when moving servers or taking them offline, make sure to identify, revoke and remove SSL certificates and replace them with new, validated certificates. If you cannot locate a certificate, you should revoke it.
How can you find and fix vulnerable certificates in your network?
Crypto-management platforms can bring agility to the safety and streamlining of digital business transformation. These tools can manage extensive amounts of SSL certificates, and inventory the in-use algorithms within your network to check if you are exposed to vulnerable algorithms such as SHA-1.
To help manage certificates on your network there are certain best practice rules you can follow. These include:
- Define an administrative process and response management process for certificate management
- Don’t use wildcard certificates
- Do not use self-signed certificates
- Restrict the validity of your certificates to shorter periods of time
- Don’t trust all CAs
- Ensure you know all certificate expiry dates within your network
- Employ tools that automate the finding and validation of certificates
- Revoke and replace certificates as needed
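The inventory check and several of the rules above can be automated once each deployed certificate is recorded with its subject, issuer, signature algorithm and validity dates. The following is an added example, not code from Cogito Group or any crypto-management product; the `CertRecord` layout, the 825-day and 30-day thresholds, and the sample hosts are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Signature algorithm names as OpenSSL prints them; SHA-1 is the one this page names.
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "ecdsa-with-SHA1", "md5WithRSAEncryption"}
MAX_VALIDITY = timedelta(days=825)   # assumption: ~27 months, the lifetime cited above
EXPIRY_WARNING = timedelta(days=30)  # assumption: renewal lead time

@dataclass
class CertRecord:  # hypothetical inventory row, one per deployed certificate
    host: str
    subject_cn: str
    issuer_cn: str
    sig_alg: str
    not_before: datetime
    not_after: datetime

def audit(cert, now):
    """Return the findings for one inventory record, in a fixed order."""
    checks = [
        ("weak-signature", cert.sig_alg in WEAK_SIG_ALGS),
        ("wildcard", cert.subject_cn.startswith("*.")),
        # Heuristic: subject equal to issuer; a full check verifies the signature.
        ("self-signed", cert.subject_cn == cert.issuer_cn),
        ("validity-too-long", cert.not_after - cert.not_before > MAX_VALIDITY),
        ("expired", cert.not_after <= now),
        ("expiring-soon", now < cert.not_after <= now + EXPIRY_WARNING),
    ]
    return [name for name, hit in checks if hit]

def audit_inventory(records, now):
    """Map host -> findings, listing only hosts that need action."""
    results = {r.host: audit(r, now) for r in records}
    return {host: f for host, f in results.items() if f}

# Constructed sample inventory (hosts, issuer and dates are made up).
NOW = datetime(2024, 6, 1)
CA = "Example Issuing CA"
INVENTORY = [
    CertRecord("www.example.test", "www.example.test", CA, "sha256WithRSAEncryption", datetime(2024, 1, 10), datetime(2025, 1, 9)),
    CertRecord("legacy.example.test", "legacy.example.test", CA, "sha1WithRSAEncryption", datetime(2021, 1, 1), datetime(2024, 5, 1)),
    CertRecord("shop.example.test", "*.example.test", CA, "sha256WithRSAEncryption", datetime(2024, 3, 1), datetime(2024, 6, 20)),
    CertRecord("build.example.test", "build.example.test", "build.example.test", "sha256WithRSAEncryption", datetime(2023, 1, 1), datetime(2033, 1, 1)),
]

if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, NOW).items():
        print(f"{host}: {', '.join(findings)}")
```

Hosts with no findings are omitted from the report, so the output is the list of certificates to revoke, replace or renew.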
Cogito Group is an award-winning cybersecurity company specialising in authentication, cloud security, identity management and data protection. Cogito Group protect the authentication methods used to access information through the use of Identity and other security technologies.