The United Kingdom's Conservative Party recently forgot to renew the security certificate for its website. It’s ironic that government officials who are pushing for backdoors into encryption don’t seem to be able to manage it all that well themselves. In their defence, it’s no easy matter to control encryption without the proper tools. That’s one of the reasons why their site is not the first to be impacted by certificate outages. And it’s not likely to be the last. Others weathered the same embarrassment in the past year alone, a frequency which will hopefully spur others to rethink how they're managing their certificates
On 8 January 2018, visitors to www.conservatives.com encountered something they weren't expecting: an alert message. The warning told them their intended destination might be suffering from security issues. As preserved by The Register:
Your connection is not private. Attackers might be trying to steal your information from www.conservatives.com (for example, passwords, messages or credit cards).
It didn't take long for users to figure out what had happened. Amidst the fervor of British Prime Minister Theresa May's Cabinet reshuffle and pending appointment of a Brexit minister, someone at the Conservative Party had forgotten to renew the SSL certificate for the website. Hence the warning from web browsers that someone could potentially be impersonating www.conservatives.com in an attempt to steal visitors' information.
The Internet had a lot of fun with this discovery…at the Conservative Party's expense, not surprisingly. Here are some of the best tweets from users responding to the certificate outage:
As of this writing, the site is back online after someone renewed the certificate for www.conservatives.com.
The Conservative Party might feel embarrassed after suffering the certificate outage. It shouldn't be too hard on itself, however; its experience isn't particularly extraordinary. On the contrary, many organizations suffered outages of their own in 2017.
Here are a couple that stand out:
On 30 November 2017, LinkedIn suffered a global outage due to an expired SSL certificate. The outage rendered us.linkedin.com, uk.linkedin.com, ca.linkedin.com, and several related websites inaccessible to users for about an hour. Each of the affected services displayed a 'CERT_DATE_INVALID' warning.
Those on Twitter were quick to point out the damages a certificate outage can cause to an organization, even one as big as LinkedIn. Information security and management professional Aleksandar Valjarevic put it this way:
LinkedIn restored service to the affected websites by 11:30 EST.
HelloSign is one of the world's leading free eSignature platforms. It allows users to send and receive electronic signatures securely. They can do so with either its end-user solution or its eSignature API.
For a brief period on 6 June 2017, users weren't able to access HelloSign's services. An expired SSL certificate on its application rendered browsers and API integrations inoperable at 11:27 PDT. Tradition and procedure adjustments related to compliance had something to do with the outage. So too did HelloSign's decision to separate its website (www.hellosign.com) from its app (app.hellosign.com) a few months previously.
As the company explains in a statement released at the time:
The incidents involving the Conservative Party, LinkedIn and HelloSign highlight the need for organizations to better manage their certificates. Given the number of certificates deployed in today's increasingly complex IT environments, however, many organizations must look beyond manual processes. Instead they must look to an automated solution that helps them discover all their certificates and then monitors those encryption assets for vulnerabilities and signs of misuse.
The Venafi Platform can help organizations can this level of visibility over their certificates. You can learn more about this solution here.