SSL Certificate Risks in the Multi-Cloud Datacenter
An SSL Certificate are used mostly in HTTPS communications to establish the identity of the remote server or domain and then create an encrypted channel to transmit and receive end-user sensitive data (that is, personally identifiable information, or PII), such as social security number, credit card data, phone number, home address or online payments. A certificate is a data file that digitally ties a cryptographic key to a server or domain and an organization’s name and location.
Digitally signed certificates are the foundation of the TLS (formerly SSL) protocol, most recently upgraded to a 1.3 version that, among other things, provides mechanisms for perfect forward secrecy. There are different types of SSL certificates that can be chosen from based on your need.
- A “single domain” certificate is used to serve a single internet domain without support for subdomains. For example, it can only serve “www.example.com”.
- “Multiple Domain” (SAN Certificates) are used to serve several domains and subdomains. A special field named Subject Alternative Name (SAN) can be added to support other domains or subdomains. For example, it can support “example.com”, subdomain “support.example.com” and totally different domain “www.helloworld.com”.
- “Wildcard” certificates can use a wildcard “*” to include all possible subdomains. For example, “*.example.com” could be used for a wide range of subdomains under “example.com”.
Certificate Validation Levels
A Domain Validation (DV) certificate is used to demonstrate that the domain’s administrators have the right to control the domain. Organization Validation (OV) is used demonstrate, in addition, the right to administratively manage the domain the organization exist. Finally, Extended Validation (EV) certification is provided after a standardized identity verification process to prove exclusive rights to use a domain, confirm its legal, operation and physical existence, and prove the entity has authorized the issuance of the certificate. Initially, browsers had visual signals indicating the presence of an EV certificate for a site, but Google and Mozilla have decided the will phase out visual indicators.
Certificate Misuse and the Certificate Revocation List
Certificate Revocation List (CRL)
A list containing digital certificates that are revoked by a certificate authority (CA) before the scheduled date of expiry is a Certificate Revocation List. The certificates that make it to this list are considered blacklisted and should no longer be used. These certificates may be revoked by a CA for many reasons, such as the certificate having been improperly issued, counterfeit, or no longer owned by the same entity. Or the private key or the issuing CA itself may have been compromised.
CRLs are distributed by a CA by way of CRL files that contain list of revoked certificates. The updates of these lists may happen as frequently as hourly. The failure of the CRL service could result in a denial of service (DoS) on any certificate operation that depends on the list.
During the time It takes for distribution of a new list, attackers can exploit the vulnerability of the stale CRL and impersonate a domain administrator or owner using a revoked certificate.
SSL Blacklisted Certificates (SSLBL)
SSL certificates that are known to be associated with malware and botnet such as command and control are part of the SSL blacklisted certificates. The list is continuously updated, as of this writing about 3000 entries exist in the list.
Consequences of Expired Certificates
Expired certificates either cause unplanned system outages or open a door through which hackers can enter your network, or both. In 2013, Microsoft Azure experienced a worldwide outage due to an expired certificate. As a result, this industry-leading cloud provider was down for hours and issued service credits. In 2014, tens of thousands of payment terminals used to process credit card payments in the U.S. stopped working because of an expired certificate.
An SSL/TLS session that uses an expired certificate should not be trusted. Accepting an expired certificate makes users vulnerable to man-in-the-middle (MITM) attacks. To remediate this issue, all expired certificates should be identified and removed from servers.
|1||Expired Certification||Unplanned outage, MITM attack, lost brand name.||Validate the certificates on every TLS connection||Low|
|2||CRL||Impersonation,||Recommended Solution Online Certificate Status Protocol||High|
|3||Blacklist||Malware, botnet, C2, ransomware||Regularly updated with SSLBL maintainer of blacklisted certificates||High|
|4||SNI misuse||IP Address||Alerts are triggered when found||Medium|