Part of any IT Security policy is to ensure that, as far as possible, websites are genuine. Sometimes you are presented with a message saying a site has failed a security check because its SSL Certificate has expired.
First off, let's define what an SSL Certificate actually is and how it works.
SSL Certificates are an essential part of Internet security. They are used to protect the data travelling between the user and the website by setting up an encrypted connection. When installed on a web server, they activate the padlock shown in the browser, enable the https:// style of connection and confirm the authenticity of the website.
SSL Certificates establish the authenticity of a domain name, server name or hostname. In addition, they hold details of the organisation holding the certificate, such as its name and location.
The process is that the user and the website carry out a handshake, during which the browser verifies the data held in the certificate. If successful, the two parties to the connection agree on a key pair to be used in data encryption and the session starts.
This prevents vital information such as financial information, logon details and other confidential data from being intercepted or stolen by a third party.
SSL Certificates are administered by an industry forum, the Certificate Authority/Browser Forum (CAB Forum), which acts as the regulatory body for the SSL/TLS industry. SSL Certificates themselves are issued by trusted Certificate Authorities. Lists of trusted CA root certificates are held on end-user equipment, in browsers and operating systems.
The root certificate is used to establish trust between the end-user and the website.
Certificates have a maximum lifespan of 24 months after which they must be renewed. If you apply for renewal during the lifetime of the certificate you get an additional three months, making the actual lifespan 27 months.
How they work
When you go to an https:// website, part of the connection process is that your browser and the site exchange information, including certificate information. If the browser decides that the certificate information is invalid because the expiry date has passed, it won't proceed to connect to the site and gives you a warning message instead.
Most users won’t proceed onto the website after seeing the warning, although most browsers do allow it. As a result, an expired SSL certificate is bad news for site owners.
What Happens When they Expire
The answer to that question is very simple. Your site becomes inaccessible and in effect you become invisible online. A catastrophe for online retailers.
If it does happen to you, you are not alone. It happened to the US Government: affected sites included NASA and the Department of Justice. Users of some European cell phone networks lost access to services in December 2018 because of certificate expiry on Ericsson servers hosting cell network management software.
Other organisations like LinkedIn and Time Warner have joined the club. One prominent and embarrassing incident involved the UK Conservative party. Shortly after the then Home Secretary and the then Prime Minister criticised the use of encryption in IT systems, while demonstrating a complete ignorance of why encryption is necessary, the Conservative Party website went down because of an expired SSL Certificate.
How to Stop it Happening
It is an absolute no-brainer to state that SSL Certificates must not expire. This is not much of a problem in an organisation with only a few websites to manage, but for an organisation like LinkedIn, with several thousand, it is not a trivial management issue.
Time Warner were heard to say that an appropriate response is to disable SSL in your browser settings. This is so wrong on so many levels. Why should users imperil their own online safety because one organisation has made a mistake?
The answer is automation, and fortunately there is a solution available: the ACME protocol. It works by first installing a client on a server. The client acts as an agent for the websites hosted on the server, contacting Certificate Authorities regularly to replace and renew SSL certificates. Most major certificate authorities, including DigiCert, now support ACME. There are other options as well.
It can be done manually, but it is quite labour intensive to keep the proper communications channels with the Certificate Authority updated. If you don't keep up to date, expiration will happen. Also, if you do it manually, you need to keep a very strong eye on who can renew and create SSL Certificates. It is potentially a big hole in your corporate security.
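Whether renewal is automated or manual, the check that catches a lapse is a simple one: compare each certificate's notAfter date against a renewal window and alert before the browser does. The following is an added example, not code from the original article or from any ACME client; the 30-day and 7-day thresholds, the hostnames and the notAfter values are constructed assumptions, and only the Python standard library is used.

```python
"""Expiry check for an inventory of TLS certificates, using the renewal window
an ACME client would work to.  Added example; thresholds are assumptions."""
import socket
import ssl
from datetime import datetime, timezone

RENEW_DAYS = 30     # assumption: renew once fewer than 30 days remain
CRITICAL_DAYS = 7   # assumption: escalate below this many days

# Constructed inventory, hostname -> notAfter in the format that
# ssl.SSLSocket.getpeercert() returns.  Sample values, not real certificates.
SAMPLE_INVENTORY = {
    "shop.example": "Dec 31 23:59:59 2024 GMT",   # already expired
    "api.example":  "Jan  3 12:00:00 2025 GMT",   # 2.5 days left
    "www.example":  "Jan 20 00:00:00 2025 GMT",   # 19 days left
    "cdn.example":  "Mar 31 23:59:59 2025 GMT",   # about 90 days left
}
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample

def days_until_expiry(not_after: str, now: datetime) -> float:
    """Signed days remaining; negative once the certificate has expired."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400

def classify(not_after: str, now: datetime) -> str:
    """Map remaining lifetime to an alert level."""
    remaining = days_until_expiry(not_after, now)
    if remaining <= 0:
        return "EXPIRED"
    if remaining < CRITICAL_DAYS:
        return "CRITICAL"
    if remaining < RENEW_DAYS:
        return "RENEW"
    return "OK"

def live_status(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Perform the handshake the article describes and classify the served leaf
    certificate.  A default context refuses an expired certificate exactly as a
    browser does, so that refusal is itself the alert.  Needs network access."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"], datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as err:
        return f"REFUSED: {err.verify_message}"

if __name__ == "__main__":
    for host, not_after in SAMPLE_INVENTORY.items():
        print(f"{host:14} {classify(not_after, SAMPLE_NOW)}")
```

Run on a schedule against the real inventory, a RENEW result is the cue to trigger or verify the ACME renewal, and a REFUSED result means users are already seeing the warning page.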
Overall, management of SSL certificates is an unglamorous but essential activity in IT management. Expired certificates can make an organisation's web presence completely invisible.