How many of us carelessly click through the certificate security warnings that occasionally pop up on our browsers? Probably more than you’d guess. It’s getting better, though, as more of us are becoming aware of the risks associated with ignoring these warnings, which can be greater than you think. But should the responsibility be on the end-user to heed these warnings? Or should it be on enterprises to ensure the use of up-to-date, secure certificates to avoid the issuance of warnings altogether? Both.
In 2015, a research study revealed that 70% of Chrome users clicked straight through browser security warnings. This prompted Google to simplify the warning Chrome presents when the user is connecting to a server with an invalid or risky certificate. Below is an example of a Chrome certificate warning, which uses several cues at once, including color, text, and imagery, to signal that connecting to this site could be dangerous.
Most of us will admit to ignoring browser certificate warnings occasionally. Some find the warnings confusing; others simply want quick access to the site they're visiting. But these warnings matter: they flag websites whose certificate is invalid, expired, issued for a different name, or untrusted, and which therefore should not be trusted. Clicking through undermines your browser's ability to protect you against fraudulent certificates that attackers use to impersonate sites.
SSL/TLS certificates are what let a browser verify that it is talking to the intended server, and when they are used incorrectly, or accepted despite being invalid, that protection is lost. We've seen a variety of publicized cases where invalid SSL/TLS certificates, accepted rather than rejected, have enabled Man-in-the-Middle (MITM) attacks that exposed personal or confidential data to cyber-thieves and eavesdroppers.
The good news is that, as individuals, we're all getting much better at understanding the risks of ignoring such warnings. But we don't control what's happening on the other end of the wire: the businesses with which we communicate. We need them to ensure their services and applications use valid, secure, and up-to-date certificates, because the more often these warnings pop up, the more likely we are to ignore them.
And when businesses discover a certificate-related vulnerability, they need to fix it quickly. Intel did just that when it patched a serious certificate-validation vulnerability in the Intel Crosswalk Project, an open-source, cross-platform mobile development and runtime environment.
In July, researchers at Nightwatch Cybersecurity publicly disclosed an SSL/TLS vulnerability in the Android implementation of Intel Crosswalk. They found that when a warning about an invalid or self-signed SSL/TLS certificate was ignored (i.e., the user chose to proceed with an untrusted connection), that decision was not scoped to the host and certificate the user had seen; it was remembered and applied to every later certificate warning as well. So when users accepted the risk of connecting to one specific domain with an insecure certificate, they were also unwittingly accepting the risk of connecting to every other site with an invalid certificate, without ever seeing a warning for it.
Normally a browser validates the certificate on every HTTPS connection, and any exception the user grants applies only to that site, so the researchers advised Intel to patch the vulnerability, which it quickly did. This is exactly the kind of flaw an attacker on the same network can exploit, and the number of mobile devices keeps growing.
So how can you protect yourself and your organization? As an individual, stop ignoring certificate warnings. When you see one, do not click through; instead open a new tab and type the URL of the site you meant to visit yourself. That reduces the likelihood of connecting to a spoofed site and falling victim to a MITM attack that can steal your personal information, financial data, and even passwords.
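To make the Crosswalk flaw concrete, here is an added example (written for this page, not Crosswalk's own code and not the code Nightwatch analysed) that shows the vulnerable pattern next to a hardened one, using the standard Android `android.webkit.WebViewClient.onReceivedSslError` callback; Crosswalk's Java API exposes a similar callback, but the class and method names below are assumptions for illustration, and the example assumes Java 8 lambdas (API 24+) and `SslCertificate.getX509Certificate()` (API 29+). The vulnerable client remembers the user's "proceed" decision in one process-wide flag; the hardened client keys the exception on origin plus certificate fingerprint and keeps it in memory only.

```java
import android.app.AlertDialog;
import android.net.http.SslError;
import android.util.Base64;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.net.URI;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Consumer;

/**
 * VULNERABLE PATTERN (illustrative, not Crosswalk's code): the "proceed" decision is
 * stored in one process-wide flag, so after the user accepts a bad certificate for
 * one host, every later certificate error for every host is accepted silently.
 */
class GlobalFlagSslClient extends WebViewClient {
    private static boolean proceedOnSslError = false;

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (proceedOnSslError) {
            handler.proceed();                       // no warning, whatever the host or cert
            return;
        }
        SslWarning.show(view, error, accepted -> {
            proceedOnSslError = accepted;            // BUG: remembered for all future errors
            if (accepted) handler.proceed(); else handler.cancel();
        });
    }
}

/**
 * HARDENED PATTERN: an exception is keyed on origin (host:port) plus the SHA-256
 * fingerprint of the presented certificate and kept in memory only, so a different
 * host, or the same host presenting a different certificate, is warned about again.
 */
class ScopedSslClient extends WebViewClient {
    private final Set<String> acceptedExceptions = new HashSet<>();

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        String key = exceptionKey(error);
        if (key != null && acceptedExceptions.contains(key)) {
            handler.proceed();                       // exactly what the user already accepted
            return;
        }
        SslWarning.show(view, error, accepted -> {
            if (accepted && key != null) {
                acceptedExceptions.add(key);         // scoped to this origin and this cert
                handler.proceed();
            } else {
                handler.cancel();                    // unidentifiable peer: never remembered
            }
        });
    }

    /** "host:port|base64(sha256(DER cert))", or null if the peer cannot be identified. */
    static String exceptionKey(SslError error) {
        try {
            URI uri = new URI(error.getUrl());
            if (uri.getHost() == null) return null;
            int port = uri.getPort() == -1 ? 443 : uri.getPort();
            X509Certificate cert = error.getCertificate().getX509Certificate(); // API 29+
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            return uri.getHost() + ":" + port + "|" + Base64.encodeToString(digest, Base64.NO_WRAP);
        } catch (Exception e) {
            return null;
        }
    }
}

/** Shared warning dialog: "Go back" is the safe default and dismissing the dialog cancels the load. */
final class SslWarning {
    static void show(WebView view, SslError error, Consumer<Boolean> decision) {
        new AlertDialog.Builder(view.getContext())
            .setTitle("Your connection is not private")
            .setMessage("The certificate for " + error.getUrl()
                    + " is not trusted (SslError code " + error.getPrimaryError() + ").")
            .setPositiveButton("Go back", (d, w) -> decision.accept(false))
            .setNegativeButton("Proceed anyway (unsafe)", (d, w) -> decision.accept(true))
            .setOnCancelListener(d -> decision.accept(false))
            .show();
    }
}
```

Two design points carry the weight here. First, the exception key includes the certificate fingerprint, not just the hostname, so an attacker who later intercepts the same host with a different forged certificate still triggers the warning. Second, the set lives only in memory and is never written to disk or shared preferences, which keeps a one-off decision from quietly becoming permanent policy for the device.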
For their part, enterprises need to bring all of their certificates under centralized management for better visibility, lifecycle management, and policy enforcement. This can help ensure the services they provide are always backed by valid certificates, which will help eliminate certificate warnings when visiting their “secure” domains. Not only can certificate security warnings be embarrassing for the enterprise, they can also result in a loss of trust and subsequent business from customers and partners who believe their communications are inadequately protected.
Smart organizations are not only educating their employees to avoid carelessly clicking through certificate warnings, they're also taking responsibility for, and getting full control of, the thousands of certificates across their IT environments. Doing so gives them visibility into every certificate they own, so they know when one is expired, misconfigured, issued from an untrusted authority or otherwise anomalous, and can fix it quickly and automatically. Knowing their entire encryption environment is under control instills confidence in both the organization and its customers.
There’s nothing worse than discovering what you were sure was protected actually isn’t. How confident are you that your customers won’t see a browser warning when they visit your website?