Certificate Outage: British Conservative Party Learns a Tough Lesson about Controlling Encryption

January 16, 2018 | David Bisson

The United Kingdom's Conservative Party recently forgot to renew the security certificate for its website. It’s ironic that government officials who are pushing for backdoors into encryption don’t seem to be able to manage it all that well themselves. In their defence, it’s no easy matter to control encryption without the proper tools. That’s one of the reasons why their site is not the first to be impacted by certificate outages. And it’s not likely to be the last. Others weathered the same embarrassment in the past year alone, a frequency which will hopefully spur others to rethink how they're managing their certificates.

On 8 January 2018, visitors to www.conservatives.com encountered something they weren't expecting: an alert message. The warning told them their intended destination might be suffering from security issues. As preserved by The Register:

Your connection is not private. Attackers might be trying to steal your information from www.conservatives.com (for example, passwords, messages or credit cards).

It didn't take long for users to figure out what had happened. Amidst the fervor of British Prime Minister Theresa May's Cabinet reshuffle and pending appointment of a Brexit minister, someone at the Conservative Party had forgotten to renew the SSL certificate for the website. Hence the warning from web browsers that someone could potentially be impersonating www.conservatives.com in an attempt to steal visitors' information.

The Internet had a lot of fun with this discovery…at the Conservative Party's expense, not surprisingly. Here are some of the best tweets from users responding to the certificate outage:

https://twitter.com/rcolvile/status/950321098704506880

https://twitter.com/davorg/status/950328068454969345

https://twitter.com/wallaceme/status/950324082322673670

As of this writing, the site is back online after someone renewed the certificate for www.conservatives.com.

The Conservative Party might feel embarrassed after suffering the certificate outage. It shouldn't be too hard on itself, however; its experience isn't particularly extraordinary. On the contrary, many organizations suffered outages of their own in 2017.

Here are a couple that stand out:

  1. LinkedIn

    On 30 November 2017, LinkedIn suffered a global outage due to an expired SSL certificate. The outage rendered us.linkedin.com, uk.linkedin.com, ca.linkedin.com, and several related websites inaccessible to users for about an hour. Each of the affected services displayed a 'CERT_DATE_INVALID' warning.

    Those on Twitter were quick to point out the damages a certificate outage can cause to an organization, even one as big as LinkedIn. Information security and management professional Aleksandar Valjarevic put it this way:

    https://twitter.com/DrValjarevic/status/940825085476245505

    LinkedIn restored service to the affected websites by 11:30 EST.

  2. HelloSign

    HelloSign is one of the world's leading free eSignature platforms. It allows users to send and receive electronic signatures securely. They can do so with either its end-user solution or its eSignature API.

    For a brief period on 6 June 2017, users weren't able to access HelloSign's services. An expired SSL certificate on its application rendered browsers and API integrations inoperable at 11:27 PDT. Tradition and procedure adjustments related to compliance had something to do with the outage. So too did HelloSign's decision to separate its website (www.hellosign.com) from its app (app.hellosign.com) a few months previously.

    As the company explains in a statement released at the time:

    When checking for expiration dates, we checked 'www' since our browsers told us when the expiration date is. Earlier this year, we moved the web-application to app.hellosign.com and off of www.hellosign.com, and moved 'www' to a new certificate.

    The outage lasted all of 26 minutes. Still, that didn't prevent some from commenting on the incident. One Twitter user didn't mince their words:

    https://twitter.com/Cryptoki/status/872194092318552067

The Need for Better Certificate Management

The incidents involving the Conservative Party, LinkedIn and HelloSign highlight the need for organizations to better manage their certificates. Given the number of certificates deployed in today's increasingly complex IT environments, however, many organizations must look beyond manual processes. Instead they must look to an automated solution that helps them discover all their certificates and then monitors those encryption assets for vulnerabilities and signs of misuse.
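The HelloSign outage described above came from checking only 'www' while the application was served from a second hostname on its own certificate. The following Python script is an added example, not code from the article, HelloSign or Venafi: it checks certificate expiry for every hostname in an inventory, and its hostnames, dates and 30-day threshold are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed renewal threshold, not a figure from the article


def classify(not_after, now, warn_days=WARN_DAYS):
    """Classify a certificate by its 'notAfter' string (getpeercert() format)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    remaining = (expires - now).days
    if remaining < 0:
        return "EXPIRED"
    return "RENEW" if remaining <= warn_days else "OK"


def fetch_not_after(host, port=443, timeout=5.0):
    """Live lookup: notAfter of the certificate actually served for this name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def audit(hosts, now, lookup=fetch_not_after):
    """Check every hostname in the inventory; one result per name."""
    report = {}
    for host in hosts:
        try:
            report[host] = classify(lookup(host), now)
        except ssl.SSLCertVerificationError as exc:
            # An already expired or untrusted certificate fails the handshake itself.
            report[host] = "INVALID: " + str(getattr(exc, "verify_message", exc))
        except OSError as exc:
            report[host] = "UNREACHABLE: " + exc.__class__.__name__
    return report


# Constructed sample data: two names of one service on separate certificates.
SAMPLE = {
    "www.example.test": "Mar  1 12:00:00 2019 GMT",
    "app.example.test": "Jun  6 18:27:00 2018 GMT",
}
SAMPLE_NOW = datetime(2018, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, status in audit(SAMPLE, SAMPLE_NOW, lookup=SAMPLE.__getitem__).items():
        print(name, status)
```

Calling `audit()` without the `lookup` argument performs live TLS handshakes against each name, so the inventory has to list every hostname that terminates TLS, not only the public website.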

The Venafi Platform can help organizations gain this level of visibility over their certificates. You can learn more about this solution here.

About the author

David Bisson

David Bisson writes for Venafi's blog and is an expert in machine identity protection.
