
New EMA Research Report Spotlights SSL/TLS Certificate Management Challenges

Updated 6/28/2025

Excerpt

The industry as a whole, as well as certificate authorities, browser developers, and businesses that depend on digital certificates for security, may be significantly impacted by this proposed change. With a validity period of a mere three months, public TLS certificates will require renewal not once but four times a year! While a renewal in itself isn’t necessarily a challenge, manual processes at scale are. According to the 2023 Enterprise Management Associates (EMA) Research Report sponsored by AppViewX (SSL/TLS Certificate Security – Management and Expiration Challenges), 28% of the top six questions on certificate management relate to certificate renewal.

**The Current Certificate Management Landscape**

**Security Risks Related to Expired Certificates:** The study investigated how many SSL/TLS certificates are still in use on the web today by looking at certificates on port 443, the most popular HTTPS port in use today. It found that 61,498,655 connections out of over 147 million active port 443 IP connections returned a certificate with an expiration date. 5,936,298 (almost 10%) of these certificates were expired. This indicates that almost 10% of all publicly accessible websites on the internet are not functioning properly because of an expired certificate. Self-signed certificates, meaning certificates that weren’t issued by a certificate authority, make up 8,974,557 (15%) of the certificates accessible on the public internet and appear to have expired twice as frequently. Self-signed certificates pose a particular security risk because they require users to bypass browser security measures in order to use them, which opens the door to man-in-the-middle attacks.

**Using Weak and Out-of-Date Cryptographic Protocols:** Prior to TLS version 1.3, client/server connections using SSL/TLS are vulnerable to man-in-the-middle attacks in which attackers insert fraudulent signatures using outdated MD5 cryptographic hashes. This problem is fixed by TLS 1.3, which only permits stronger hash algorithms such as SHA-256 and SHA-512. Therefore, TLS certificates should only be used with this cryptographic protocol today. However, only 21% of servers on the internet employ TLS 1.3, which means that 79% of SSL certificates currently in use are still vulnerable to man-in-the-middle attacks. Numerous organizations have yet to implement TLS 1.3, since TLS 1.2 has not yet been deprecated and TLS 1.3 adds new security features that can be challenging to configure accurately; the prospect of higher expenses and drawn-out deployment durations is what holds adoption back. Furthermore, the continued usage of obsolete TLS versions, which account for almost 41% of all connections, is a potentially dangerous security practice.

**Exposure to Critical Vulnerabilities:** It is interesting to note that the top 10 vulnerabilities currently linked to IP addresses listening on port 443 are disproportionately associated with expired certificates (10%) and self-signed certificates (15%), which make up a sizeable portion of the certificates available on the public internet. An average of 22% of the top 10 vulnerabilities are associated with IP addresses with expired certificates, and 23% with IP addresses with self-signed certificates.

…

**Vulnerability to Cyberattacks:** Improper certificate management can lead to significant vulnerabilities in an organization’s security posture. Certificates play a crucial role in establishing secure communication channels and verifying the identity of servers, devices, and users. If certificates are not managed effectively, cybercriminals can exploit weak or expired certificates to launch man-in-the-middle attacks, intercept sensitive data, and compromise network integrity. The EMA report states that nearly 80% of SSL/TLS certificates are vulnerable to man-in-the-middle attacks.

…

**Operational Disruptions:** Certificates have an expiration date, and their proper management involves timely renewal and replacement. Failure to do so can lead to operational disruptions and outages, as expired or revoked certificates can cause services to become inaccessible or generate errors. This may impact business continuity, disrupt customer experiences, and lead to costly downtime for critical systems. The majority of expired certificates seem to belong to nonprofit organizations and certain local government bodies, with .org subjects being expired 15% of the time. With a 12% expiration rate, commercial companies with conventional .com names rank second.

**Increased Attack Surface:** Inadequate certificate management can lead to an increased attack surface for cybercriminals to exploit. Organizations may end up with numerous unnecessary or duplicate certificates, making it harder to track and manage them effectively. A bloated certificate landscape increases the risk of unmonitored and insecure certificates, making it easier for attackers to find weak points and penetrate the organization’s defenses.
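As an added example (not code from the article, the EMA report or AppViewX), the Go program below shows the checks a defender would run over a certificate inventory of the kind the study describes, and it covers the three findings above at once: whether a certificate is expired or already inside its renewal window, whether it is self-signed (issuer equals subject and the signature verifies under the certificate's own key, the class browsers warn about), whether it was signed with an MD5- or SHA-1-based algorithm, and, for the TLS version point, an in-memory handshake against a server configured to require TLS 1.3 so that a TLS 1.2-only client is refused. Everything it operates on is constructed inside the program: the certificates, the `*.example.test` host names, the 28 June 2025 scan date and the 30-day renewal window are assumptions made for the demonstration, and the handshake runs over `net.Pipe` rather than the network.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

type Finding struct { // what an inventory scan records for one certificate
	Expired, SelfSigned, WeakSigAlg, RenewalDue bool
	DaysLeft                                    int // negative once expired
}

// Assess evaluates a parsed certificate as of now; renewWindow is how far ahead of NotAfter a renewal should already be under way.
func Assess(cert *x509.Certificate, now time.Time, renewWindow time.Duration) Finding {
	f := Finding{
		Expired:    now.Before(cert.NotBefore) || now.After(cert.NotAfter),
		DaysLeft:   int(cert.NotAfter.Sub(now).Hours() / 24),
		RenewalDue: now.Add(renewWindow).After(cert.NotAfter),
	}
	switch cert.SignatureAlgorithm { // signatures over MD2/MD5/SHA-1: the weak hashes the report warns about
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		f.WeakSigAlg = true
	}
	// Self-signed means issuer equals subject AND the signature verifies under the certificate's own key.
	f.SelfSigned = bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	return f
}

// makeSelfSigned builds a constructed self-signed server certificate (ECDSA P-256, SHA-256); it is not data from the report.
func makeSelfSigned(host string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing CSPRNG is fatal for this constructed example
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore:    notBefore, NotAfter: notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// handshake runs an in-memory handshake against a server that requires TLS 1.3, with the client capped at clientMax.
func handshake(cert *x509.Certificate, key *ecdsa.PrivateKey, clientMax uint16) (uint16, error) {
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		MinVersion:             tls.VersionTLS13, // the hardened setting; Go's default still admits TLS 1.2
		SessionTicketsDisabled: true,             // post-handshake tickets would stall the unbuffered pipe
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	c, s := net.Pipe()
	defer func() { c.Close(); s.Close() }()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, srvCfg).Handshake() }()
	cli := tls.Client(c, &tls.Config{RootCAs: pool, ServerName: cert.Subject.CommonName, MaxVersion: clientMax})
	err := cli.Handshake()
	if srvE := <-srvErr; err != nil || srvE != nil {
		return 0, fmt.Errorf("client: %v; server: %v", err, srvE)
	}
	return cli.ConnectionState().Version, nil
}

// TLS13Enforcement shows what MinVersion does: a TLS 1.3 client is accepted, a TLS 1.2-only client is refused.
func TLS13Enforcement() (negotiated uint16, downgradeRejected bool, err error) {
	cert, key := makeSelfSigned("tls.example.test", time.Now().Add(-time.Hour), time.Now().Add(90*24*time.Hour))
	if negotiated, err = handshake(cert, key, tls.VersionTLS13); err != nil {
		return
	}
	_, downgradeErr := handshake(cert, key, tls.VersionTLS12)
	return negotiated, downgradeErr != nil, nil
}

// InventoryExample assesses two constructed certificates as of a constructed scan date: 80 days left, and expired 30 days ago.
func InventoryExample() (current, expired Finding) {
	now, day := time.Date(2025, 6, 28, 0, 0, 0, 0, time.UTC), 24*time.Hour
	c1, _ := makeSelfSigned("current.example.test", now.Add(-10*day), now.Add(80*day))
	c2, _ := makeSelfSigned("expired.example.test", now.Add(-120*day), now.Add(-30*day))
	return Assess(c1, now, 30*day), Assess(c2, now, 30*day)
}
```

`InventoryExample` returns one current finding (self-signed, 80 days left, not yet due for renewal) and one expired finding (self-signed, 30 days past expiry, renewal overdue); `TLS13Enforcement` returns the negotiated version (0x0304, TLS 1.3) and reports that the client capped at TLS 1.2 was refused. In a real scan the same `Assess` would run over the leaf certificate a server presents in `tls.ConnectionState().PeerCertificates`, and the renewal window is the knob to tighten as validity periods shrink toward 90 days.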

Source URL

https://securityboulevard.com/2023/08/new-ema-research-report-spotlights-ssl-tls-certificate-management-challenges/
