The United Kingdom's Conservative Party recently forgot to renew the security certificate for its website. It’s ironic that government officials who are pushing for backdoors into encryption don’t seem to be able to manage it all that well themselves. In their defence, it’s no easy matter to control encryption without the proper tools. That’s one of the reasons why their site is not the first to be impacted by certificate outages. And it’s not likely to be the last. Others weathered the same embarrassment in the past year alone, a frequency which will hopefully spur others to rethink how they're managing their certificates.
On 8 January 2018, visitors to www.conservatives.com encountered something they weren't expecting: an alert message. The warning told them their intended destination might be suffering from security issues. As preserved by The Register:
Your connection is not private. Attackers might be trying to steal your information from www.conservatives.com (for example, passwords, messages or credit cards).
It didn't take long for users to figure out what had happened. Amidst the fervor of British Prime Minister Theresa May's Cabinet reshuffle and pending appointment of a Brexit minister, someone at the Conservative Party had forgotten to renew the SSL certificate for the website. Hence the warning from web browsers that someone could potentially be impersonating www.conservatives.com in an attempt to steal visitors' information.
The Internet had a lot of fun with this discovery…at the Conservative Party's expense, not surprisingly. Here are some of the best tweets from users responding to the certificate outage:
As of this writing, the site is back online after someone renewed the certificate for www.conservatives.com.
The Conservative Party might feel embarrassed after suffering the certificate outage. It shouldn't be too hard on itself, however; its experience isn't particularly extraordinary. On the contrary, many organizations suffered outages of their own in 2017.
Here are a couple that stand out:
LinkedIn restored service to the affected websites by 11:30 EST.
The Need for Better Certificate Management
The incidents involving the Conservative Party, LinkedIn and HelloSign highlight the need for organizations to better manage their certificates. Given the number of certificates deployed in today's increasingly complex IT environments, however, many organizations must look beyond manual processes. Instead they must look to an automated solution that helps them discover all their certificates and then monitors those encryption assets for vulnerabilities and signs of misuse.
The Venafi Platform can help organizations gain this level of visibility over their certificates. You can learn more about this solution here.
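To make the monitoring idea above concrete, here is a small expiry check written for this page as an added example; it is not Venafi's code and not from the original article. The host names, dates and the 30-day warning window are constructed assumptions, and the ranking runs offline on the sample inventory, while `check_host` shows how a live probe should treat an expired certificate's failed handshake as a finding.

```python
import socket
import ssl
from datetime import datetime, timezone

X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verification error code

def days_left(not_after, now):
    """Days from `now` until a getpeercert() notAfter string, e.g. 'Jan  8 12:00:00 2018 GMT'."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400

def classify(not_after, now, warn_days=30):
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    return "RENEW" if remaining <= warn_days else "OK"

def check_host(host, now, warn_days=30, port=443, timeout=5.0):
    """Live probe. An expired certificate fails the handshake, so that error is a result, not a crash."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"], now, warn_days)
    except ssl.SSLCertVerificationError as exc:
        return "EXPIRED" if exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED else "INVALID"
    except OSError:
        return "UNREACHABLE"

def report(inventory, now, warn_days=30):
    """Rank an inventory {host: notAfter} so the most urgent renewals come first."""
    rows = [(host, classify(na, now, warn_days), round(days_left(na, now), 1))
            for host, na in inventory.items()]
    return sorted(rows, key=lambda row: row[2])

# Constructed sample inventory (hypothetical hosts and dates), evaluated at a fixed time.
SAMPLE_NOW = datetime(2018, 1, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "mail.example.test": "Nov  1 00:00:00 2018 GMT",
    "www.example.test": "Jan  7 23:59:59 2018 GMT",
    "api.example.test": "Jan 20 00:00:00 2018 GMT",
}

if __name__ == "__main__":
    for host, status, days in report(SAMPLE_INVENTORY, SAMPLE_NOW):
        print(f"{status:8} {days:7.1f}d  {host}")
```

Run on a schedule against a real inventory, a check like this only covers certificates you already know about; discovering the ones nobody listed is the harder half of the problem the article describes.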