
Old SSL Certificates May Be Putting Your Online Security at Risk

September 19, 2018 | Guest Blogger: Kim Crawley

The SSL certificates that are required to encrypt your online services, such as the HTTPS-delivered web, are tied to domain names. Very often someone will own a domain name for only a limited period of time. Let’s say, for instance, that I bought the rights to for three years. During that three-year period, I made a secure website which uses that domain name, at URL . I needed an SSL certificate for the HTTPS protocol’s TLS implementation to work properly, so I had one issued by a certificate authority and deployed it.

Time passes, I get bored with my JRPG video game fan website, and I don’t bother renewing my ownership of after the three-year period. The certificate I had issued for that domain does not lapse along with my registration, though. It stays valid until its own expiry date, I still hold its private key, and certificate authorities do not automatically revoke a certificate just because the domain it names has changed hands.

A few months after I let expire, someone else buys it. This presents a difficult cybersecurity problem. Some certificates carry multiple domain names in their Subject Alternative Name list (“” and “,” for example). Sometimes one of those domain names remains registered to the same owner while the other expires, which complicates the problem further. Researchers have even found a certificate with about 700 domain names on it!

Ian Foster and Dylan Ayrey created their Insecure Design project to bring attention to the problem of old SSL certificates and the changing ownership of domain names. Their BygoneSSL demo shows why this problem is a serious man-in-the-middle and denial-of-service vulnerability.

There used to be no simple way to find out which certificates had been issued for a given domain name. Then in 2013, Google launched its Certificate Transparency project. According to the project’s website:

“Google's Certificate Transparency project fixes several structural flaws in the SSL certificate system, which is the main cryptographic system that underlies all HTTPS connections. These flaws weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, including domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities. If left unchecked, these flaws can facilitate a wide range of security attacks, such as website spoofing, server impersonation, and man-in-the-middle attacks.

Certificate Transparency helps eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.”

Foster and Ayrey determined that about 7 million domain names share a certificate with a bygone domain!

Here’s how a BygoneSSL denial of service works. A certificate lists both “” and “”. expires, but I maintain ownership of . If someone else buys , they can ask the certificate authority that issued the certificate to revoke it, because the certificate now names a domain they control while its private key sits with someone who is no longer that domain’s owner. Revocation applies to the whole certificate, not to one name on it, so the name I still own stops working too. That’s so devious and simple that even Arfoire would be impressed.

Here’s how a BygoneSSL man-in-the-middle attack works. My SSL certificate lists my expired and my maintained . Someone else buys and puts a website there. I still hold that certificate and its private key, and nobody has revoked it, so browsers will accept it for the new owner’s site. If I can get between a visitor and that site (on a hostile Wi-Fi network, say, or through a DNS hijack), I can present my old certificate, terminate the visitor’s HTTPS session myself, and read or alter the traffic, acting as a man-in-the-middle.

So, in these two scenarios, the new owner of can knock my website offline by having our shared certificate revoked, and I can run a man-in-the-middle attack against the new owner’s website.

The key to preventing this vulnerability is to keep track of your domain name ownerships, when they expire, and which certificates list each of them. If you decide to let a domain name expire, contact your certificate authority to revoke every certificate that includes that domain before it lapses, and issue new certificates that list only the domains you still own. If you lose track, Certificate Transparency logs can help: searching them for a domain shows every logged certificate that names it, including certificates that also name domains you no longer hold. The same search is worth running when you acquire a domain. Any unexpired certificate already issued for it belongs to a previous owner, who still holds its private key, so ask the issuing certificate authority to revoke it before you rely on the new name.
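As an added example (not code from this post or from the BygoneSSL project), here is a small Python script that runs both of those checks against Certificate Transparency data. It assumes the JSON shape that crt.sh returns for a name search (the field names id, issuer_name, name_value, not_before and not_after are an assumption about that API); the three certificates, the domain names fansite.example and keep.example, and the check date are constructed for the example. The wildcard handling goes slightly beyond the post: a *.example.com entry covers one label beneath it, so a wildcard certificate held by a previous owner also exposes any subdomain the new owner creates.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the JSON that crt.sh returns for
# https://crt.sh/?q=<name>&output=json. The field names are an assumption
# about that API; the certificates themselves are invented for this example.
SAMPLE_CT_JSON = """[
  {"id": 1001, "issuer_name": "C=US, O=Example CA", "common_name": "fansite.example",
   "name_value": "fansite.example\\nwww.fansite.example\\nkeep.example",
   "not_before": "2017-01-10T00:00:00", "not_after": "2020-01-10T00:00:00"},
  {"id": 1002, "issuer_name": "C=US, O=Example CA", "common_name": "*.fansite.example",
   "name_value": "*.fansite.example\\nfansite.example",
   "not_before": "2016-03-01T00:00:00", "not_after": "2018-03-01T00:00:00"},
  {"id": 1003, "issuer_name": "C=US, O=Example CA", "common_name": "keep.example",
   "name_value": "keep.example",
   "not_before": "2018-06-01T00:00:00", "not_after": "2019-06-01T00:00:00"}
]"""

# Date of the blog post, used as "now" so the example is reproducible offline.
CHECK_DATE = datetime(2018, 9, 19, tzinfo=timezone.utc)


def load_ct_entries(raw_json):
    """Parse crt.sh-style JSON into entries with a name set and UTC validity dates."""
    entries = []
    for e in json.loads(raw_json):
        entries.append({
            "id": e["id"],
            "issuer": e["issuer_name"],
            # name_value holds every SAN, one per line; normalise case for matching
            "names": {n.strip().lower() for n in e["name_value"].split("\n") if n.strip()},
            "not_before": datetime.fromisoformat(e["not_before"]).replace(tzinfo=timezone.utc),
            "not_after": datetime.fromisoformat(e["not_after"]).replace(tzinfo=timezone.utc),
        })
    return entries


def covers(cert_name, domain):
    """True if a certificate name matches domain: exact, or a single-label wildcard
    (*.example.com covers www.example.com but not example.com or a.b.example.com)."""
    cert_name, domain = cert_name.lower(), domain.lower()
    if cert_name == domain:
        return True
    if cert_name.startswith("*."):
        suffix = "." + cert_name[2:]
        return domain.endswith(suffix) and "." not in domain[:-len(suffix)]
    return False


def is_valid_at(entry, when):
    return entry["not_before"] <= when <= entry["not_after"]


def unexpired_certs_for(entries, domain, when):
    """New-owner check: certificates still valid at `when` that cover `domain`.
    Each was issued to a previous holder, who still has the private key
    (man-in-the-middle risk) until the issuing CA revokes it."""
    return [e for e in entries
            if is_valid_at(e, when) and any(covers(n, domain) for n in e["names"])]


def shared_with_bygone(entries, owned_domains, bygone_domains, when):
    """Previous-owner check: valid certificates that list a domain you kept next to
    one you let go. The new holder of the lost name can have the whole certificate
    revoked, taking the kept name down with it (denial-of-service risk)."""
    hits = []
    for e in entries:
        if not is_valid_at(e, when):
            continue
        kept = {d for d in owned_domains if any(covers(n, d) for n in e["names"])}
        lost = {d for d in bygone_domains if any(covers(n, d) for n in e["names"])}
        if kept and lost:
            hits.append({"id": e["id"], "issuer": e["issuer"],
                         "kept": sorted(kept), "lost": sorted(lost),
                         "not_after": e["not_after"]})
    return hits


ENTRIES = load_ct_entries(SAMPLE_CT_JSON)

if __name__ == "__main__":
    # New owner of fansite.example: which live certificates already cover it?
    for e in unexpired_certs_for(ENTRIES, "fansite.example", CHECK_DATE):
        print(f"crt.sh id {e['id']} from {e['issuer']} still covers fansite.example "
              f"until {e['not_after']:%Y-%m-%d}; request revocation from the issuer")
    # Previous owner who kept keep.example: which live certificates tie it to the lost name?
    for h in shared_with_bygone(ENTRIES, ["keep.example"], ["fansite.example"], CHECK_DATE):
        print(f"crt.sh id {h['id']} lists {h['kept']} alongside bygone {h['lost']}; "
              f"reissue with only the kept names before the new owner asks for revocation")
```

Against real data you would replace SAMPLE_CT_JSON with the response from a crt.sh name search and CHECK_DATE with the current time; the entries that come back from `unexpired_certs_for` are the ones to take to the issuing CA, and the entries from `shared_with_bygone` are the ones to reissue without the lost names.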

About the author

Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.
