Digital Certificates Riddled With Security Weaknesses – Source: securityboulevard.com

A study published today found 79% of certificates on the internet are vulnerable to man-in-the-middle (MitM) attacks, with as many as 10% expired or self-signed (15%) in a way that is considered insecure.

The study, conducted by Enterprise Management Associates on behalf of AppViewX, a provider of automated machine identity management (MIM) and application infrastructure security services, also found only 21% of servers on the internet are using version 1.3 of the Transport Layer Security (TLS) protocol that enables encryption.

In total, 45% of the IP addresses analyzed that are exposed to unpatched vulnerabilities also had expired certificates (22%) or self-signed certificates (23%).

Christian Simko, vice president of product marketing for AppViewX, noted that the number of expired certificates is only going to increase. Google is making a case to require organizations to renew TLS certificates every 90 days. Most organizations, however, don’t have the processes in place that would enable them to automate those renewals, said Simko.

In general, cybersecurity professionals would be well-advised to be wary of MitM attacks that are often difficult to detect as cybercriminals secretly relay and potentially alter communications between parties. Protocols such as the latest version of TLS include some form of endpoint authentication verified by a third-party certificate authority to prevent MITM attacks. The challenge is the continued widespread use of older secure socket layer (SSL) certificates that are much simpler to compromise.

Despite the fact that outages continue to occur because certificates have not been renewed, far too many organizations have yet to incorporate certificate management into the DevOps workflows they already use to deploy web applications, noted Simko. As a result, certificate management is still a manual process that many organizations largely overlook because there’s not an automatically generated renewal reminder, he added.

In effect, each digital certificate, if not renewed, represents a potential timebomb capable of disrupting any number of business processes. In an ideal world, organizations would have visibility into which digital certificates could potentially disrupt specific workflows. That’s especially critical as more organizations embrace digital business transformation initiatives that are dependent on valid certificates being continuously updated.

Part of the issue is simply that, in many organizations, there’s a clear lack of responsibility for managing digital certificates. In many cases, the IT administrator that initially provisioned a certificate left the company. The only record that certificate even exists is a long-buried spreadsheet that may or may not be checked before a certificate expires.

Of course, if Google has its way, certificate management will become an ongoing process rather than a sporadic event. That should help improve cybersecurity as more organizations embrace the latest versions of TLS whenever certificates need to be updated. In the meantime, however, organizations may want to assume things will get worse before getting better as cybercriminals become more adept at exploiting the weaknesses of existing certificates that may not expire before the next cyberattack is launched.