Skip to main content
banner image
venafi logo

4 Tips to Overcome Costly TLS Management Blind Spots

4 Tips to Overcome Costly TLS Management Blind Spots

May 26, 2021 | Anastasios Arampatzis

On 3 February 2020, Microsoft Teams suffered a service outage that lasted for about three hours. The outage—caused because Microsoft forgot to renew their TLS/SSL certificates—impacted more than 20 million users who used the business communication platform to collaborate. Then again, in May 2021, Microsoft's Exchange administration portal was offline after the company failed to renew an expired SSL/TLS certificate.

But outages are not the only problem that impacts availability. In March of this year, Let’s Encrypt announced revoking over 3 million TLS certificates to fix a bug they found in their backend code during a feature update. In an interview with Threatpost during that time, Venafi’s VP of Security Strategy and Threat Intelligence, Kevin Bocek, dubbed it as an incident that forced millions of machines to be untrusted and unavailable online, causing harm to customers that relied on them.

These incidents teach us a lot about the state of TLS certificate management. It’s clear that several enterprises don’t manage their certificates effectively because they lack security awareness, and defined policies around certificate management. Admittedly, if such snags can happen to tech giants like Microsoft, they certainly can cripple the core operations of other businesses regardless of their company size.

In this post, we will talk about some of the most common problems that organizations can run into when it comes to managing their TLS certificates.

Common Problems in TLS Certificate Management

In many organizations, the process of managing TLS certification is basically broken. Typically, there’s a central certificate services team in mid-size enterprises charged with issuing the security certificates. This team has the necessary knowledge about managing certificates well, but they don’t have the access to the systems that hold the certificates.

The responsibility to install the certificates is in the hands of different teams—such as system administrators and DevOps members. Many of these teams are oblivious of the best practices in certificate management—or the risks involved in lack of it. This is a challenge that often stems from a bigger problem, i.e., most organizations don’t have defined processes or clear roles and responsibilities to effectively manage certificates.

Despite the business-critical nature of TLS certificates, the majority of enterprises don’t leverage automation to keep a tab on their certificate management. As a result, businesses introduce a range of problems to their enterprise security and management. Below, let’s take a look at some of those risks:

  1. Untrusted or Compromised Certificates
    In 2015, Venafi surveyed more than 300 IT security professionals and found that most of them are aware of the risks that arise from untrusted certificates but they don’t take any action to mitigate the risks. The implications of inaction are hard to ignore.

    When a certificate is compromised, attackers can either bypass the antivirus software or self-sign a malware program. A few years back, when security researchers from the University of Maryland ran
    a field data analysis collected by Symantec on 11 million hosts, they found about 72 compromised certificates used for signing a huge pool of malware programs. The certificates were valid but didn’t produce any error message for the malware program when they went through the signature checks.

    Venafi found a similar striking revelation in
    a 2017 study that was carried out in partnership with the Cyber Security Research Institute. The research found that code signing certificates were up for sale on the dark web for around $1200. This means cybercriminals have lucrative financial incentives to steal certificates and sell them at higher margins before they expire.

  2. Compromised Certificate Authorities
    The list of CA compromises is longer than you may think. And it’s not just from breaches. CAs are supposed to be the bastions of security certificates, and you can generally trust them with absolute confidence. But occasionally a CA is compromised. And when that happens, it leads to a number of bad consequences. For instance, attackers can take advantage of the fraudulent certificates to launch man-in-the-middle (MitM) attacks and steal critical business data.

    As a response to such incidents, CAs often decide to mass revoke the compromised certificates in order to curtail further damage and save themselves from public embarrassment. Case in point—
    DigiCert revoked around 50,000 certificates in 2020 after being subject to an internal process error.

  3.  Weak Hashing Algorithms
    Over the past few years, globally renowned brands like LinkedIn and Yahoo! have fallen prey to high-publicity password leaks mostly caused by weak hash vulnerabilities which gave cybercriminals access to their user password hashes. Just like the Microsoft Teams’ example discussed above, these infamous password leaks highlight the fact that even large companies use weak hashing mechanisms that give cybercriminals easy access to crack user passwords.

    Weak hash functions occur when large messages are reduced to smaller hash values or if they produce the same value as other hash messages. On the other hand, a strong hash function is indefensible against such collisions. While it’s not possible to completely avoid hash collisions, a hash function that is too short (e.g., MD5 or SHA-1) is more prone to a high collision rate. Weak hashing algorithms allow cybercriminals to fabricate malicious programs to impersonate the hash values of genuine applications.

  4. Manual Processes
    A majority of businesses depend on cumbersome manual processes to manage their digital certificates. For instance, they rely heavily on storing certificate data on paper, spreadsheets, or simply in their heads.

    In addition to being time-consuming and highly error-prone, such manual processes make your enterprise susceptible to a variety of security risks. Imagine a scenario when a seemingly small typo can lead you to miss the certificate renewal deadline which in turn can result in a serious security breach or a system breakdown, which negatively impacts your business.

  5. Lack of Crypto Agility
    Crypto agility is an organization's ability to respond to a cryptographic threat—such as Heartbleed, SHA-1 breach, or even quantum computing—and adapt quickly to the new landscape. Sometimes, the threats can also stem from the sources of the cryptographic supply chain, such as in the case of Let’s Encrypt who revoked millions of TLS certificates out of the blue. Most organizations today are not crypto-agile, as is evident in the examples discussed above.

    Most organizations simply don’t have the planning, visibility, or the technology to manage hundreds of thousands of TLS certificates on their sites. As a consequence, they become easy targets for cybercriminals who are on a prowl to find loopholes in high-traffic websites.

What Can You Do to Address These Challenges?

In order to devise a proper response strategy and to mitigate the risk caused by the oversight of a digital certificate, here are four best practices your enterprise can incorporate.

  1. Define responsibilities and policies
    The lack of a clear organizational policy on certificate management often results in a lack of awareness among the end-users who become enablers to a certificate breach.

    Your executive leadership should establish a formal certificate management team and set specific implementation goals. The team—in conjunction with the company leadership—should enforce stringent policies around certificate purchase and handling, define clear roles and responsibilities around who owns the certificate management, design workflows to approve certificate issuance and renewal, and assign role-based access and permissions.

  2. Detect vulnerabilities and respond
    Rather than waiting for a security breach to occur, your business should take proactive measures to run safety drills to ensure all bolts are screwed tightly. This is where a regular audit comes in handy.

    As a standard practice, assign the certificate management team to use a
    vulnerability management tool to run weekly network scans. Penetration testing is yet another method that offers a good discovery and accuracy rate to check for loopholes in your network security.

    Finally, watch out for the latest updates on security vulnerabilities in TLS certificates online. There are
    plenty of online tools that can help you check the health of your SSL and keep an eye on the latest vulnerabilities and misconfigurations.

  3. Gain Visibility
    When it comes to certificate management best practices, visibility is much more than revoking and replacing expired certificates. Having a clear picture of your entire certificate lifecycle means you have a 360° view of your certificate management or can devise a contingency plan to curb any threats when needed.

    It’s a combination of smaller tasks like setting reminders for certificate renewals to higher-level planning like being compliant with the latest security protocols. This is important because outdated protocols can expose your sensitive data or open doors for MitM attacks.

    Start by making a list of all your device endpoints and make notes about their certificate issuance, installation, renewals, and replacements. Not only will this give you laser-like visibility in your certificate inventory but also help you reduce the chances of certificate-related outages.

  4. Automate Your Certificate Management Lifecycle
    You can save a lot of time and resources for your business if you automate the routine part of the certificate management cycle. With automation, you can set alerts for certificate expiration dates, facilitate certificate installation on network endpoints, and generate reports for the respective certificate owners.

    Automating the certificate management process lets you take your hands off of it and while ensuring that there won’t be any service outages caused by certificate expiries.

    Facilitating self-service certificate management is an important part of the solution since it empowers individual certificate owners to automate their SSL renewal cycle at their own pace. Automated and self-service certificate management ensures that certificate owners can manage the end-to-end process independently which can also help them identify impending risks quickly.

    To that end, the
    Venafi TLS Protect solution offers a portal that facilitates self-service automation to individual certificate owners and offers them a customizable dashboard and rich filtering to find assets quickly.

Outages owing to certificate expiries may sound like nothing more than blunderous glitches, until they lead businesses to grave security dangers. Don’t be a victim to certificate goof-ups. Learn how you can use a machine identity management solution to identify weaknesses in your security infrastructure and avoid costly certificate outages.

Related Posts

Like this blog? We think you will love this.
Featured Blog

Orchestration and Automation are Critical for Machine Identities

The challenges of identity-based zero trust security

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more