Production Monitoring

Expired SSL Certificates: How Is This Still a Thing? 

December 10, 2015 | Beerit Goldfarb

You install an SSL certificate, thinking you've done right by your business.

Little do you know, you've set yourself up for one of the greatest pitfalls in modern computing. Implementing SSL is not a one-off solution; SSL certificates have nasty a habit of expiring at the worst possible time.

[gallery ids="404,402,401" type="rectangular" orderby="rand"]

 

Hah! I pay my webmaster too much to make such a rookie mistake.

That's possible, but irrelevant.

In 2013, Microsoft's Windows Azure went down due to an expired certificate.

azureoutage Ouch.

It took more than 19 hours to finally resolve the issue.

Later that year, analysts at Netcraft reported that party due to the government shutdown, hundreds of .gov websites were using expired SSL certificates. Yes, hundreds of official state websites were left wide open to attack and data theft.

Fast forward to April 2015, when expired Google certificates temporarily disrupted Gmail service, affecting people using Gmail through 3rd party email clients. The errors were triggered because the validity of the intermediate certificate signed by Google Internet Authority G2 did not receive an extension beyond April 4.

gmailwhoops Google's Apps Status Dashboard at the time of the issue.

As you can see, this problem took 2.5 hours to fix, during which time affected users could not access their Gmail accounts.

So, to recap:

  • It happens to Microsoft.
  • It happens to Google.
  • It happens to the United States government.

Just to name a few. If this trivial oversight can affect the world's largest companies, truly no one's immune. 

A refresher on SSL certification

An SSL certificate gives a client (e.g. your web browser) a way to authenticate the identity of an online service.

Service providers purchase SSL certificates from companies called Certificate Authorities (CAs), such as VeriSign or GoDaddy. Only an approved domain registrant can have a certificate issued to them by a CA.

CAa are systematically audited by other organisations to make sure they're playing nice and not issuing certificates haphazardly.

An SSL certificate does not actually encrypt the data sent. The data is encrypted with AES (or an available compatible symmetric encryption).

How can a certificate be fresh one day and expire the next?

Having an expiration date on certificates is an insurance policy for the end-user, as verified by a CA, stating that the service provider has updated their security policy recently.

All a valid certificate does is make sure the service provider is still aware, in the broadest terms possible, that they need to keep their service secure. 

That's it.

If there were no expiration date on certificates, there'd be no way for the end-user to know if the service he's about to entrust his data to has audited its security last week or last millennium.

(And the cynics among us could argue that this is intended to force service providers to pay the CAs an annual fee.)

Sounds like I don't really have to update my certificate at all!

Wrong.

Users confronted with warning messages about the security of your site take their business elsewhere. Don't make the mistake of assuming users don't give these errors credit. A 2013 study "demonstrates that security warnings can be effective in practice [...] users continued through 70.2% of Google Chrome’s SSL warnings. This indicates that the user experience of a warning can have a significant impact on user behavior."

As a service provider, this means

  • You lost your customer's trust
  • Your sales will suffer
  • Your brand's reputation will take a hit

Pretty gory.

So what should I be doing?

There are several options. Unfortunately, most of them require a sizable amount of manual work and accountability.

  • Set your connected servers or clients to accept expired certificates. Not the most elegant of solutions, needless to say.
  • Create new certificates yourself by having your own PKI system, rather than rely on an external vendor for new certificate creation. (Netflix have recently announced an interesting new open source release of "Lemur, their x.509 certificate orchestration framework).
  • Some CAs notify you of certificate expiration as part of their service, while others do not. Try to work with a CA that does.
  • Create a script that checks the expiration of an SSL certificate and sends an email beforehand. You can do something similar by creating a maintained database with the SSL name and expiration date, which you continuously monitor.
  • Maintain workflows that support auditing. Make sure there are periodic checks of your SSL certificates by your hosting provider and/or developers, or keep a master document with all the information about your SSL certificates. Set reminders around the dates in this document.
  • Buy one of any number of available tools that monitor and alert before your certification expires. Of course, a lot of these require that you manually input all your certificates (which could be a daunting task), and could cost anywhere from a few hundred to a few thousand dollars a year.
Where Loom Systems Ops comes in:
When working with Loom Systems Ops, certificates are automatically added, continuously monitored and expiration notified in advance. Loom Systems Ops users don't have to worry about remembering when to renew expiring certificates - ever again.
Pretty neat, eh?  Try It for Free

 

 

 

Tags: Production Monitoring

Looking for more posts like this?

 

New Call-to-action

Measure ROI from IT Operations Tools

 

 

New Call-to-action

Gain Visibility into Your OpenStack Logs with AI

 

 

New Call-to-action

Lead a Successful Digital Transformation Through IT Operations