
The TL;DR on Certificate Hygiene and Why It’s Important for your Website Availability


March 5, 2021

Have you ever visited a website and you see this instead of the webpage?

Screenshot, "Your Connection is not Private" message from your browser.

If you’re like most folks, you do what your browser says and you “STOP!”

What does a warning like this tell you anyway? Well, it can be a number of things, which we will flesh out in more detail later in this post:

  1. Website might not have a certificate: The website you are trying to reach doesn’t have any certificate at all, so your browser has no way of knowing if the owner of the site is who they say they are. In other words, you cannot trust who is sending the information from this website.
  2. Certificate is using an unacceptable encryption standard: The website you are trying to access has a certificate, but the encryption standard it’s using is insufficient or sub-standard, so it can be broken by bad actors, and those actors can then see the info you send to the website.
  3. Certificate is expired: The certificate on the website you are trying to access is expired.
  4. Browser dispute: There’s a dispute between your browser (Chrome, Safari, Edge, Internet Explorer, Firefox) and the Certificate Authority on the validity of the certificate.

Your browser made an initial connection with the website and determined that it’s not safe to proceed, because someone nefarious may intercept the connection.

Why Does this Warning Matter for Your Business?

As we all know, the availability of your services impacts your bottom line, full stop. CSO Online found, “When it comes to business continuity costs, the biggest part, or $4.2 million, is brand image damage, followed by $4.1 million in lost revenues, and $3.4 million each for lost productivity and remediation expenses.”

If you’re the owner of a website, these warnings can be catastrophic to your business or mission and can be very consequential to your bottom line. This has never been more evident than in the midst of a pandemic. Vaccination distribution relies on unfettered website access for inoculation appointments. Restaurants need website orders to supplant walk-in revenue. Retailers have had to move their stores onto websites to stay in business. This surge in digital transformation has impacted every aspect of business and beyond.

How can the Censys Attack Surface Management Platform help? Censys has the best data out there via our Universal Internet DataSet, which directly translates into the best visibility of the Internet. Censys scans the entire Internet daily and enriches the information with certificate resources, resulting in the largest certificate repository in the world, or 5 billion certificates! This means that if there is (or was) a certificate out there to be found, we’ll find it and you can search for it. You can also leverage Censys’ Internet-wide scanning capability to find all publicly exposed web servers. If you have a website you want to check, the Censys ASM Platform easily presents this information to you so that you can address any certificate issues quickly.

Website might not have a certificate. So you have a website, let’s say “yourgreatsite.com” and you want to ensure it has a valid certificate.

  • Use the Censys Attack Surface Management Platform to find your Domain (or website address, “yourgreatsite.com”) and the related IP addresses. Once you click on those IP addresses, or hosts, you can scroll to the bottom of the page to ensure it has a certificate and there aren’t any issues that might give your visitors pause.

Screenshot of ASM, highlighting certificate location in the User Interface.

  • Use Censys Search to find “yourgreatsite.com” to pull up possible results and investigate the host to see if any of its open ports are presenting a valid certificate.

Certificate is using an unacceptable encryption standard. So you’ve confirmed you have a valid certificate, meaning it’s current and hasn’t expired, but it seems the encryption key is weak. What does this mean? Well, in addition to verifying the owner via a third party (the Certificate Issuer), certificates also verify to visitors that their connections are secure. This enables them to transmit credit card or other sensitive info without worry. A certificate running old encryption means that it can be compromised, allowing an attacker to see the sensitive info that visitors enter on your website.

  • Go to the Censys Attack Surface Management Platform and go to the Certificate tab. Filter results by selecting “Key Type,” then “is not,” then any option where the first four digits are “1024” or over, or that says “ECDSA.”

Screenshot of ASM Platform. Showing you how to find the key type used in your TLS / SSL certificate.

  • Any certificates presented will likely have a “weak” key. Click on the certificate and scroll down to view the Key Type and Strength in the right column.

Screenshot of ASM Platform. Weak certificate example, key type no longer the standard.

Expired Certificate. When one sets up a certificate either by doing it themselves or purchasing one through a Certificate Issuer, it has a life span, much like a credit card. If a certificate isn’t renewed, it will expire and will almost certainly cause problems for your website visitors.

  • Go to the Censys Attack Surface Management Platform and open the Certificate tab. Go to the alert card at the top of the page with the red triangle that says “Expired” and click on “View.” A list of all expired certificates will be displayed.

  • If you want to get a head start on expiring certificates, click on any one of the other alert cards like “Expiring Within The Next Week,” or “Expiring Within The Next Month.”

  • You can also view expired or expiring certificates by clicking the Risk tab on the Dashboard and scrolling down to the “Expiring Assets” window.

You think you’ve done everything right with your certificate, but there’s still a warning in one of the browsers. You implemented a certificate for your website domain, it’s not expired, and its encryption key is top notch – but there’s still an error! Why does this happen? This can occur when there’s a dispute between the certificate issuer and the web browser manufacturer, like when Google had an issue with Symantec’s certificates in 2017 and all of a sudden websites were presenting visitors with warnings and errors. Other times, there’s a technical snafu in applying the certificate to the wrong port or the wrong system.

Go to the Censys Attack Surface Management platform and go to the Certificate tab. Filter results by selecting “Browser Trust,” “is not,” and then select whichever browser type you want or select all of them with the “or” operator. The resulting list will be any certificate that has a browser trust issue and is presenting a warning or error to visitors.
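The four checks walked through above (missing certificate, weak key, expiry with the week/month alert windows, and browser trust, plus the “wrong port or wrong system” case) can be run over your own inventory once you have exported it. This is an added example, not Censys code: the record field names are hypothetical, the records are constructed, and the RSA threshold defaults to 2048 bits (the current CA/Browser Forum minimum), which is stricter than the 1024-bit filter used in the post; pass min_rsa_bits=1024 to match the post.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 3, 5, tzinfo=timezone.utc)  # post date, fixed so results are reproducible

# Constructed inventory records (hypothetical field names, not the Censys ASM export format).
INVENTORY = [
    {"host": "yourgreatsite.com", "port": 443, "cert": {
        "names": ["yourgreatsite.com", "www.yourgreatsite.com"], "key_type": "RSA",
        "key_bits": 2048, "not_after": "2021-09-01T00:00:00Z", "browser_trusted": True}},
    {"host": "yourgreatsite.com", "port": 8443, "cert": {
        "names": ["*.yourgreatsite.com"], "key_type": "RSA",
        "key_bits": 1024, "not_after": "2021-02-20T00:00:00Z", "browser_trusted": True}},
    {"host": "api.yourgreatsite.com", "port": 443, "cert": {
        "names": ["api.yourgreatsite.com"], "key_type": "ECDSA",
        "key_bits": 256, "not_after": "2021-03-10T00:00:00Z", "browser_trusted": False}},
    {"host": "old.yourgreatsite.com", "port": 443, "cert": None},  # TLS port with no certificate
]


def name_matches(host, names):
    """True if a SAN covers host; '*.' matches exactly one leading label, so it never covers the apex."""
    host = host.lower()
    for name in (n.lower() for n in names):
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def assess(record, now=NOW, min_rsa_bits=2048):
    """Findings for one host:port, one per warning cause the post lists (plus name mismatch)."""
    cert = record["cert"]
    if cert is None:
        return ["no certificate"]
    findings = []
    if cert["key_type"] not in ("RSA", "ECDSA") or (cert["key_type"] == "RSA" and cert["key_bits"] < min_rsa_bits):
        findings.append("weak key")
    not_after = datetime.strptime(cert["not_after"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not_after < now:
        findings.append("expired")
    elif not_after < now + timedelta(days=7):      # the "Expiring Within The Next Week" card
        findings.append("expiring within a week")
    elif not_after < now + timedelta(days=30):     # the "Expiring Within The Next Month" card
        findings.append("expiring within a month")
    if not cert["browser_trusted"]:
        findings.append("not browser trusted")
    if not name_matches(record["host"], cert["names"]):
        findings.append("name mismatch (certificate on wrong host or port)")
    return findings
```

Note that the 8443 record shows the wildcard edge case: “*.yourgreatsite.com” does not cover the bare domain, so a browser reports a name mismatch even though the certificate itself is otherwise deployed.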

Effective ASM Means Better Cert Management

Now that you understand the consequences of poor certificate hygiene, what should you do if you come across a certificate error within your organization? Well, unless you’re an IT or security professional, the best course of action is to contact the person who manages your website. You can tell them about the information you’ve uncovered using Censys. They should be able to use this information to then solve the problem.

To learn more about Censys and how we give you the best attack surface management visibility across your ecosystem, reach out today!
