Cyber risk resources
[SSL/TLS] Can clients trust your site? Web certificates matter

[SSL/TLS] Can clients trust your site? Web certificates matter

Attackers can quickly determine how mature your organization's security program is by what you display to the world. If your certificates are valid, match the organization's name, and require the use of strong ciphers to encrypt traffic, it shows that you exercise prudence and good security management - something that's expected from top businesses!

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols used to provide secure communication over the internet. They are essential in protecting sensitive information, such as login credentials, credit card information, and other personal data, from being intercepted and misused by hackers and malicious actors. 

If your TLS/SSL settings are not upgraded or are vulnerable, your online communication is at risk. Attackers can exploit these vulnerabilities and compromise the security of the communication between the client and the server, leaving sensitive information exposed to potential attacks. These attacks can have serious consequences for both individuals and organizations.

What happens if I don’t upgrade my certificates?

To better understand the potential consequences of TLS/SSL vulnerabilities, here are some common attacks that can happen if you don't upgrade your TLS/SSL settings:

  1. Data theft: TLS/SSL vulnerabilities can be exploited by hackers to intercept sensitive information such as passwords, credit card details, or personal data. The stolen information can then be used to commit identity theft, financial fraud, or a wider cyber attack.
  2. Man-in-the-middle attacks: If exploitable using an intermediary, attackers can intercept and modify the data being transmitted between the client and the server. This can allow attackers to manipulate the communication in real-time. They can steal sensitive data or take unauthorized actions such as returning a malicious website to the user instead of the real one.
  3. Malware injection: If a server's TLS/SSL connection is compromised, an attacker could inject malware into the communication stream. This could infect the client with malware or ransomware or could allow the attacker to gain control of the server.
  4. Damage to reputation: If a business or organization suffers a data breach due to a TLS/SSL vulnerability, it can damage their reputation and erode trust among their customers. This can lead to lost revenue, decreased customer loyalty, and other negative consequences.

How do I know that I am using an outdated certificate?

Pair the findings from your IR-1 notice to the vulnerabilities listed below.

When you are looking to improve the security of your website, there are a few things to keep in mind. 

One common issue is a broken X.509 certificate chain. This can happen if the top of the certificate chain sent by the server is not recognized or self-signed, or if intermediate certificates are missing. If the certificate chain contains a signature that doesn't match the certificate's information, or if it can't be verified, this can also cause issues. To fix these problems, visit the following links for more information:

If your website has a broken certificate, modern browsers will identify it as "Not Secure," which can damage your company's reputation. It can also make it easier for hackers to carry out man-in-the-middle attacks, posing as your website to steal sensitive information from your users.

To avoid these issues, make sure your website is using matching and updated certificates for your domain. This shows good security management and is expected from top businesses. If you have sites that are not meant to be public, make sure you're using a self-signed certificate and protect them from public access with Site-to-Site VPN services.

It's also important to note that certificates that your organization issues and signs should only be added to trusted root certificates with the approval of your security team. By default, trusted root certificates are pre-configured by the device manufacturer and are limited to those with universal recognition (Comodo, Sectigo, Thawte, etc.) and provide authority to each certificate's CA (certificate authority) to establish secure connections from the client to the destination.

Another potential issue is weak MAC algorithms, such as MD5 or 96-bit. These are considered weak and should be disabled to ensure stronger encryption. The same goes for Cipher Block Chaining (CBC) encryption, which can allow attackers to recover plaintext messages from ciphertext. Make sure your SSH server is running strong encryption on the latest patch level, and consult your product documentation or vendor to disable weak algorithms and enable stronger ones like CTR or GCM cipher mode encryption.

For more information, check out this reference from Microsoft on Root Certificates:

In summary, what should you do to strengthen SSL/TLS?

To avoid these vulnerabilities and their consequences, here are some things you can do:

  • Use valid certificates from a trusted Certificate Authority (CA). Verify that your website's certificate is issued by a trusted CA and check the expiration date.
  • Keep your TLS/SSL protocols updated and configured correctly. This includes using the latest versions of TLS/SSL protocols and disabling vulnerable or outdated algorithms. To do this, you must:
    • Determine which certificate authority (CA) issued your current SSL/TLS certificate. This information should be available in your server's configuration files or through your hosting provider.
    • Obtain a new SSL/TLS certificate from the same CA or a different one. Make sure the new certificate is compatible with your server's software and operating system.
    • Install the new certificate on your server. The exact steps for installation may vary depending on your server software and operating system, but generally involve copying the certificate files to the appropriate directory and configuring your server to use the new certificate.
    • Test your SSL/TLS configuration to ensure that the new certificate is properly installed and working. Use online tools or command-line utilities to perform tests on your server's SSL/TLS connection.
    • Once you have verified that the new certificate is working, remove the old certificate from your server to avoid any potential conflicts or security vulnerabilities.
  • Be vigilant for suspicious activity. Monitor your network for signs of unusual or unauthorised access.
  • Train employees on safe browsing practices. Teach them how to recognize and avoid phishing emails, social engineering scams, and other cyber threats.

By following these practices and regularly monitoring your TLS/SSL settings, you can minimise the risk of data theft, attacks, and other security breaches.