On May 21, LinkedIn users accessing the site from their desktop or laptop computers began to get alerts that warned them that their connection was not secure. It soon became apparent that LinkedIn had forgotten to renew the TLS certificate for its URL shortener, lnkd.in.
Roughly two years ago, the company experienced the same type of certificate-related event when an expired certificate rendered us.linkedin.com, uk.linkedin.com, ca.linkedin.com and several related websites inaccessible to users for a couple of hours. Yet again, LinkedIn responded quickly with a new certificate. But questions remain about the company’s overall treatment of machine identities. According to SecurityWeek “LinkedIn has once again put user data and privacy at risk by allowing a TLS certificate to expire.”
Kevin Bocek, chief cybersecurity strategist at Venafi, comments, “The plague of no visibility, intelligence and automation for machine identities—TLS keys and certificates—has hit another high-profile company. LinkedIn became untrusted on Tuesday when its TLS digital certificate expired.”
Downtime or security alerts are bad enough, but this type of certificate mishap can be a symptom of an even larger security problem. From the U.S. Government Accountability Office report on the Equifax breach, we learned that an expired certificate allowed attackers to bypass a security device that was tasked with inspecting network traffic for suspicious packets. Even worse, the problem went undetected for months.
While in this instance the expired certificate only triggered security warnings, expired certificates can also have more extensive consequences, such as certificate-related outages. Venafi Security Architect Bill Madell asks why we still have application outages caused by expired certificates.
“Let's face it, there’s one machine identity challenge that continues to plague large enterprises—certificate-related outages. They consume an inordinate amount of time and resources to fix, and to make matters worse, they are actually quite difficult to diagnose. When an application goes down, your IT and security response teams may follow several false avenues of investigation before identifying an expired certificate as the culprit. All this adds up to a huge drain on availability, not to mention productivity.”
Unfortunately, expired TLS certificates impact organizations across all regions, industries and sizes. According to a recent Venafi study of CIOs from the U.S., U.K., France, Germany and Australia, 60% experienced certificate-related outages that impacted critical business applications or services within the last year.
Why do outages like this continue to occur? Large organizations find on average over 50,000 previously unknown machine identities. This problem is becoming even more critical as the volume of machine identities in organizations, and the rate at which they change, keeps increasing. “The lack of comprehensive visibility and intelligence routinely leads to certificate-related outages. This is not a unique occurrence,” notes Bocek. “Ultimately, companies must get control of all of their certificates; otherwise, it’s only a matter of time until one expires unexpectedly and causes a debilitating outage.”
To avoid the aftermath of an expired certificate, Bocek recommends: “Businesses of all sizes need real-time visibility, intelligence, and automation about where TLS keys and certificates that serve as machine identities are installed in order to eliminate these kinds of outages.”
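The visibility Bocek describes starts with knowing, for every endpoint you own, how many days remain on its certificate. The script below is an added example, not code from the original post or from Venafi: it classifies a certificate as OK, WARN or EXPIRED from the dict that Python's `ssl` module returns, and checks live endpoints without crashing when the certificate has already expired. The inventory list and the 30-day threshold are assumptions.

```python
"""Expiry check over an inventory of TLS endpoints (added example, not code
from the original post or Venafi; inventory and WARN_DAYS are assumptions)."""
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 30  # assumed alerting threshold, not from the post


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days left on a cert in ssl.SSLSocket.getpeercert() dict form,
    e.g. {'notAfter': 'May 21 12:00:00 2019 GMT'}."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def classify(cert: dict, now: Optional[float] = None,
             warn_days: int = WARN_DAYS) -> str:
    """OK / WARN / EXPIRED, suitable for feeding an alerting pipeline."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "EXPIRED"
    return "WARN" if remaining < warn_days else "OK"


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with a live endpoint and classify its leaf certificate.
    Verification stays on: an already-expired cert fails the handshake with
    a verify error, which is reported as EXPIRED rather than crashing the
    monitor (the failure mode described in the post)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        # verify_message is OpenSSL's reason, e.g. "certificate has expired"
        reason = getattr(err, "verify_message", None) or str(err)
        return "EXPIRED" if "expired" in reason else "INVALID: " + reason
    except (OSError, ssl.SSLError) as err:
        return "UNREACHABLE: " + str(err)


if __name__ == "__main__":
    for host, port in [("www.linkedin.com", 443)]:  # assumed inventory
        print(host, check_endpoint(host, port))
```

Run it on a schedule against the full inventory and page on any WARN or EXPIRED result; a certificate that is found only after users see browser warnings is exactly the visibility gap the post describes.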
How certain are you that your organization won’t experience an embarrassing, and potentially risky, certificate outage?