
Secure Your Site(s): Avoid SSL/TLS Certificate Expiration

Not too many years ago, a few websites began adding an extra layer of security in the form of Secure Sockets Layer (SSL) certification. Today, most legitimate business sites are sure to have SSL certificates installed. Many of the SSL certificates installed and available today are actually Transport Layer Security (TLS) certificates, although they are still referred to as SSL.

SSL/TLS certificates use complex algorithms to encrypt data, allowing for the secure transfer of information such as payment information, bank details, login credentials, and other forms of personally identifiable information (PII).

Why is it Important to Use SSL/TLS Certificates?

For hobbyists, enthusiasts, budding creators, and other non-business entities, SSL/TLS certificates may seem like an unnecessary extra cost. For businesses, especially those that require users to log in, offer shopping cart/payment services, or ask for personal details, the added level of security is a necessity. Even for those hobbyists whose sites do not require any sort of login or signup, adding SSL/TLS to their websites is not without merit.

Secure Data Transfer: As stated earlier, SSL/TLS certificates make use of encryption technology to protect sensitive data. Organizations of all sizes are required to protect PII and other sensitive data. Failure to protect the data can lead to fines and regulatory issues. Beyond helping protect clients’ data for the business’s own protection, organizations that invest in SSL/TLS certificates are doing right by their clients; who wants to be responsible for exposing credit card, Social Security number, address, or other PII to nefarious individuals?

Brand Protection: Going the extra step to provide secure data transfer by investing in SSL/TLS certificates sends a strong signal to people in these very cyber-aware times. It is very easy for people to see whether the site has SSL/TLS enabled. In fact, based on some users’ settings, without it, they may be unable to reach your site—a down site is never good for a brand, and security warnings popping up may make people think twice about doing business with a company.

Site Trust: Search engines like Google and Bing have actually worked site trust into their ranking algorithms. While search algorithms are always changing, site trust has become an important score. Sites that have SSL/TLS certificates have a higher trust score and are more likely to appear higher in the search results. Beyond that, web browsers provide information regarding whether a site is safe or not.

The Chrome browser shows a padlock icon before the URL in the address bar to indicate that the site has a valid SSL/TLS certificate. This is further reinforced by the https:// prefix: https stands for Hypertext Transfer Protocol Secure, whereas http is the same protocol without the secure layer.

[Image: secure website]

Chrome will literally spell out that a site is “not secure” if the SSL certificate is not properly installed and attributed.

[Image: insecure website]

SSL/TLS Certificate Renewal

The renewal of these certificates is required at least once every two years. Failure to renew security certificates could pose a major risk not only to the business that uses the site, but to the consumer/end user as well. Businesses often fail to take certificate renewal seriously, not realizing that the certificate is the means of authenticating the server. If a customer visits a site with a valid SSL certificate, they are able to verify the identity of the server they are attempting to connect to, assuring them they can enter sensitive information with less worry. If renewal is not completed, it makes it very easy for the site to be spoofed, leaving all the sensitive information that is input at risk.

As shown above, browsers will provide alerts that let a user know that the site is not secure. It is common, however, for users to bypass the warning and still enter the site. This is still a bad look for the company, especially if the user understands the situation, because it makes the company appear not to care about security.

Whichever service a business gets its certificates from will send alerts starting as long as 90 days before the expiration date. The easiest way to not forget is to renew as soon as the first alert arrives. Many web devs even set their own calendar reminders several weeks or months ahead of SSL/TLS certificate renewal in case the email alert from the certificate provider is overlooked, ends up in a spam or junk folder, or is not sent for some reason. It is also important to update the admin email on the certificate if an admin leaves the company, moves to a different position, or changes their email address.

There are services that will test the certificate’s expiration, validity, and its configuration. In order for a company to be worry-free in regard to certificate expiration, services like these should be used. Mistakes happen, so it is not uncommon for certificates to expire as we have seen with major entities like LinkedIn and even the Federal Government. If this does happen, the best thing to do is contact the company that provided the certificate immediately and renew so users may continue to operate securely and the public image of the company is not damaged.
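
A self-run version of such an expiration and validity check, as an added example that is not part of the original article. The 90-day tier matches the first provider alert mentioned above; the 30-day and 7-day tiers and all function names are assumptions chosen for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

# Alert tiers in days. 90 mirrors the first provider alert described above;
# 30 and 7 are assumed escalation points.
TIERS = [(7, "critical"), (30, "warning"), (90, "notice")]

def days_left(not_after, now):
    """Whole days until notAfter (negative once the certificate has expired).
    not_after uses the getpeercert() format, e.g. 'Jun  1 12:00:00 2030 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def classify(not_after, now):
    """Map the remaining lifetime onto an alert tier."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    for limit, label in TIERS:
        if remaining <= limit:
            return label
    return "ok"

def check_host(host, port=443, now=None, timeout=5.0):
    """Connect to host, validate its certificate and return (status, detail)."""
    now = now or datetime.now(timezone.utc)
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity dates
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already expired, untrusted or mismatched certificate fails the handshake.
        return "invalid", exc.verify_message
    except OSError as exc:
        return "unreachable", str(exc)
    return classify(not_after, now), f"{days_left(not_after, now)} days left (notAfter={not_after})"

if __name__ == "__main__":
    # Usage: python certcheck.py <hostname> [<hostname> ...]
    for name in sys.argv[1:]:
        print(name, *check_host(name))
```

Run from a scheduler against every public hostname, it gives a second alert channel that does not depend on the provider's email reaching the right inbox.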