Lapse in LinkedIn security certificate update
A lapse in the update of LinkedIn’s security certificate has once again underlined the importance of keeping track of certificate expiry to avoid disruptions and phishing attacks, and how even big players are failing to get it right
For the second time in three years, Microsoft-owned professional networking site LinkedIn has failed to update a transport layer security (TLS) certificate, putting users at risk of phishing attacks.
LinkedIn users were alerted to the lapse when some browsers displayed warnings because the TLS certificate expired on the URL shortener lnkd[.]in, said Carl Leonard, principal security analyst at Forcepoint.
It appears that LinkedIn had renewed the certificate on 10 May, according to Qualys, but had not updated the server with the new certificate, resulting in the browser errors.
In a statement, LinkedIn said there had been a “brief delay” in its certificate update, and that the issue had been resolved quickly and no user data was affected.
The potential business impact of expired certificates was illustrated in December 2018, when a day-long outage of O2’s 4G network was caused by an expired certificate at its supplier, Ericsson.
Gartner estimates that the average firm loses $5,600 a minute during an unexpected outage, on top of the negative customer experience, which 50% of firms polled cited as their top concern.
According to a recent survey by security firm Venafi, outages have become an executive issue, with more than a quarter (27%) of more than 550 CIOs polled in the UK, US, France, Germany and Australia admitting they were worried about having to explain to the board why an outage had occurred.
The vast majority (85%) said that the growing complexity of IT systems makes outages even more likely in future, with 60% admitting certificate-related outages that affected critical business applications or services in the past year, and 74% saying they faced similar events within the past two years.
More than half (55%) believe the number of certificates their organisation uses will increase by at least 50% over the next five years, creating more opportunities for unexpected outages to occur.
“Certificates control communication and authentication between machines so it’s critically important not to let them expire unexpectedly,” said Kevin Bocek, vice-president of security strategy and threat intelligence at Venafi.
“Unfortunately, most organisations don’t even have a clear understanding of how many certificates are in use or which devices are using them, and, as a result, they don’t have a clear idea of when they will expire.
“This lack of comprehensive visibility and intelligence routinely leads to certificate-related outages, so this is not a unique occurrence. Ultimately, companies must get control of all of their certificates; otherwise, it’s only a matter of time until one expires unexpectedly and causes a debilitating outage.”
These outages are avoidable through automated certificate lifecycle management, said Tim Callan, web security expert and senior fellow at certificate authority Sectigo.
“An automated system can monitor certificate status, provide visibility on which certificates are deployed, and automatically renew them when the time comes,” he said.
In addition to automated lifecycle management, Callan said certificate discovery is critical to avoid unexpected expirations.
“In today’s complex and diversified IT culture, enterprises face the real risk of a developer group standing up critical services without coordinating their certificate deployment with central IT,” he said.
“These embedded groups often lack the disciplined PKI [public key infrastructure] practices that central IT may have developed over the years. As a result, critical systems may depend on unknown certificates, which can be ticking time bombs that could expire on any given day.
“Certificate discovery can scan the enterprise’s full network space, finding unknown certificates and bringing them under central IT’s management. In addition to avoiding surprise expirations, central IT will also be able to ensure all certificates meet external compliance requirements as well as internal certificate standards,” he said.
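One way to catch the failure mode described above, in which a certificate has been renewed but the live server still presents the old one, is to monitor what each endpoint actually serves rather than what the inventory records. The following Python script is an added example, not tooling from LinkedIn, Qualys, Venafi or Sectigo; the 14-day threshold, serial numbers and dates are constructed.

```python
"""Check the certificate a TLS endpoint actually serves against the one the
inventory says was renewed (added example; sample values are constructed)."""
import socket
import ssl
import time

WARN_DAYS = 14  # assumed alerting threshold, not a value from the article


def classify_cert(cert, expected_serial=None, now=None, warn_days=WARN_DAYS):
    """Classify a cert dict shaped like SSLSocket.getpeercert() output.

    "stale_deploy" means the server still serves a serial other than the
    renewed one recorded in inventory, i.e. renewed but never deployed.
    """
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # "May 10 12:00:00 2020 GMT"
    if not_after <= now:
        return "expired"
    if expected_serial and cert.get("serialNumber", "").upper() != expected_serial.upper():
        return "stale_deploy"
    if not_after - now < warn_days * 86400:
        return "expiring"
    return "ok"


def fetch_served_cert(host, port=443, timeout=5.0):
    """Return (status, cert_or_None) for the live endpoint, verifying the chain
    as a browser would; an expired cert surfaces as a verification failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "verified", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "verify_failed: %s" % exc.verify_message, None

# Constructed inventory record and sample served certs (not real lnkd.in data).
NOW = ssl.cert_time_to_seconds("May 11 00:00:00 2020 GMT")
RENEWED_SERIAL = "0BEEF"  # serial of the certificate the inventory says was renewed
SAMPLES = {
    "old_still_served": {"serialNumber": "0A1B", "notAfter": "May 10 12:00:00 2020 GMT"},
    "renewed_not_deployed": {"serialNumber": "0A1B", "notAfter": "Aug 01 00:00:00 2020 GMT"},
    "renewed_deployed": {"serialNumber": "0BEEF", "notAfter": "Aug 01 00:00:00 2020 GMT"},
}

def demo():
    """Classify each sample against the inventory record; returns {name: status}."""
    return {name: classify_cert(c, RENEWED_SERIAL, NOW) for name, c in SAMPLES.items()}
```

Run `fetch_served_cert` on a schedule against every discovered hostname and feed the result into `classify_cert` with the inventory's renewed serial; a "stale_deploy" result is the early warning that a renewal has not reached production.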