
Expired Certificates Expose Ongoing Machine Identity Troubles at Major Brands

June 6, 2022 | Brooke Crothers

Expired certificates at Spotify and Aruba Networks, along with problems at Verifone, underscore the fact that major brands are grappling with a surge in machine identity issues.

Aruba Networks is latest brand with certificate issues

Aruba Networks is the latest to acknowledge an issue with expired certificates.

As of Monday, June 6, when accessing the Feature Navigator website via Firefox, you’re met with the message: “it’s likely the website’s certificate is expired, which prevents Firefox from connecting securely. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.”

Venafi CEO Jeff Hudson warns about the perils of the complacency that results in certificate-related outages and worse. “Certificates are machine identities and are used in attacks. When the world is lulled into complacency and is not vigilant, security is compromised,” said Hudson when commenting on the Aruba outage.

The Aruba site certificate expiry incident highlights the need for organizations to treat certificate expirations as security events, says Pratik Savla, Lead Security Engineer at Venafi.

“Depending on the site or service that’s in question, these instances should be handled akin to managing an incident response workflow as such instances have the potential to even facilitate security breaches,” Pratik said.

End-of-life terminals pose potentially large problem

While the Aruba issue appears to be relatively minor in the scheme of things, a much larger problem may be lurking out there on payment terminals. 

Starting in May, there was a “nationwide disruption” to Verifone H5000 card payment terminals, according to golem.de, a German-language IT news site.

Payments with debit or credit cards were not possible, forcing customers to pay in cash at many locations in Germany, according to the report. The H5000 terminal problem has impacted large retail chains and gas stations as well as smaller retailers, the report said.

A German-language pop-up on a Verifone H5000 support page confirms the payment processing problem but goes on to say that the issue is not related to a certificate expiration. The statement on the support page closes by saying that Verifone has “developed an update…to fix the problem.”

“We know for sure it is not a security issue nor a certificate expiration,” a Verifone spokesperson told Venafi. “Rather, it is a software malfunction in the H5000 software.”

“The Verifone H5000 series is not being sold or shipped by Verifone as of late 2019; all the other Verifone terminals available on the market are not affected,” Verifone added.

But some are disputing the claim that it is not an expired certificate. A long Twitter thread from Jan Wildeboer, who describes himself as a Red Hat EMEA Evangelist, claims it’s a certificate problem on H5000 terminals that are EOLed, or at end-of-life.

“It seems an update was available…But many H5000 did not get that update and now, as the certificate has expired, this update cannot be installed in the usual way,” Wildeboer said in a tweet.

“As this signing stuff isn’t your standard x.509 PKI (it’s really old stuff) Verifone is legally/philosophically correct when they say it isn't a certificate issue,” Wildeboer said in a comment to Venafi, implying that it may be more a matter of semantics. 

Supporting the certificate expiration argument, multiple comments in this Hackaday article point to a possible issue with certificate expiration on the H5000.

Whatever the case, it may be an indicator of a broader problem with certificates on point-of-sale (POS) terminals that are EOL.

“The concern is always that when it comes to end of life stuff, you're losing security fixes,” says Venafi’s Savla.

“So, I mean the security nightmare is already there. The certificate expiring [if that’s the case] just adds more fuel to the fire,” Savla says.

Spotify: clear-cut certificate expiration

Publishers and listeners for podcasts on Megaphone, owned by Spotify, faced service disruptions after the outage. Listeners, for example, lost access to their favorite podcasts.

Though the certificate outage was resolved, it was a massive disruption for Spotify.

An SSL certificate authenticates a website's identity and enables an encrypted connection, a necessary security measure. An SSL-secured website always has “HTTPS” in the URL, replacing the older, less secure HTTP.

“When these critical security assets expire unexpectedly, they leave consumers without access to data, services and applications,” according to Kevin Bocek, VP Security Strategy & Threat Intelligence at Venafi.

Spotify confirmed the platform outage “due to an issue related to our SSL certificate.”

“During the outage, clients were unable to access the Megaphone CMS and podcast listeners were unable to download podcast episodes from Megaphone-hosted publishers. Megaphone service has since been restored,” a Spotify spokesperson told the media.

Venafi solution

Expired certificates not only cause outages but can also act as the gateway for criminals to infiltrate corporate networks, notes Savla.

“Not only can expired certificates cause unplanned system or service outages as has been seen several times over in different incidents, but what is not equally well-known is that they can also open the door through which malicious actors can find entry into one’s environment,” Savla said.

Proper and timely renewal of expired certificates is key to mitigating man-in-the-middle attacks, according to Savla. “The first step is to make sure that you develop and continuously update a detailed certificate inventory. Next, expiry notifications should be set up to ensure they reach the right owners ahead of time. This includes a set period starting at least a month before the expiry date for non-critical systems and starting with at least two months before the expiry date for systems deemed critical.”
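The inventory-plus-notification workflow Savla describes can be sketched as follows. This is an added example, not Venafi code or part of the original article; the inventory entries, tier names and the 30/60-day values chosen for "a month" and "two months" are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Lead times from the article: notify at least one month before expiry for
# non-critical systems and at least two months before for critical ones.
LEAD_DAYS = {"critical": 60, "non-critical": 30}

# Constructed sample inventory; hosts, owners and dates are made up.
# notAfter uses the text format returned by ssl.SSLSocket.getpeercert().
INVENTORY = [
    {"host": "pay.example.com", "owner": "payments-team", "tier": "critical",
     "notAfter": "Jul 20 12:00:00 2022 GMT"},
    {"host": "docs.example.com", "owner": "web-team", "tier": "non-critical",
     "notAfter": "Jul 20 12:00:00 2022 GMT"},
    {"host": "cms.example.com", "owner": "media-team", "tier": "critical",
     "notAfter": "Jun  1 00:00:00 2022 GMT"},
    {"host": "wiki.example.com", "owner": "it-team", "tier": "non-critical",
     "notAfter": "Jun 20 00:00:00 2022 GMT"},
]


def days_left(not_after, now):
    """Whole days until expiry (floored); negative once notAfter has passed."""
    seconds = ssl.cert_time_to_seconds(not_after) - now.timestamp()
    return int(seconds // 86400)


def triage(inventory, now):
    """Return (status, host, owner, days_left) rows, most urgent first."""
    rows = []
    for entry in inventory:
        lead = LEAD_DAYS[entry["tier"]]  # KeyError flags an unclassified system
        remaining = days_left(entry["notAfter"], now)
        if remaining < 0:
            status = "EXPIRED"   # handle as an incident, not a reminder
        elif remaining <= lead:
            status = "NOTIFY"    # inside the owner's notification window
        else:
            status = "OK"
        rows.append((status, entry["host"], entry["owner"], remaining))
    return sorted(rows, key=lambda row: row[3])


if __name__ == "__main__":
    for status, host, owner, remaining in triage(INVENTORY, datetime.now(timezone.utc)):
        print(f"{status:8} {host:20} owner={owner:14} days_left={remaining}")
```

Note that the same expiry date yields NOTIFY for the critical host and OK for the non-critical one, which is the effect of the two different lead times.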

Venafi solutions include the Venafi Trust Protection Platform (TPP) and Venafi as a Service (VaaS).
