Your SSL Certificate is Expiring Soon(er)
September 01, 2020
When does an SSL certificate expire? If you go by Murphy's law, the answer is that it expires on a day that your website administrator is on vacation, leading clients, partners, and employees to all complain simultaneously (and for good reason). The warning messages that they receive in their browser are disconcerting, and speak of dangerous risks ahead.
Hopefully we haven't brought back any bad (real) memories there -- hopefully your SSL certificate maintenance processes are well-defined, leading to orderly certificate issuances and installations, without any last-minute panic or surprises. Still, let's talk about how SSL processes are now changing, in a way that you need to be aware of and incorporate into your processes.
First, though, a quick SSL primer for anyone who needs it.
An SSL Story: Alice, Mallory, and Example.com
Cybersecurity folks have a quirky tradition of using a set of first names (a cast of characters) when they are telling a story. If you guessed that most stories told by cybersecurity researchers aren't headed to the New York Times Best Sellers List, you guessed correctly. A cybersecurity story, for example, might go like this:
- Alice walks into a coffee shop that has an unsecured/public Wi-Fi network
- Mallory is also in the coffee shop, and has specialized software to monitor Wi-Fi traffic
- Alice browses to http://example.com
- Mallory sees that Alice browsed to example.com, and sees every bit of information that is exchanged between Alice and example.com (hopefully nothing too sensitive)
This particular story is about the simplest cybersecurity story that illustrates why SSL is needed. Let's retell the story with SSL in the picture:
- Alice walks into a coffee shop that has an unsecured/public Wi-Fi network
- Mallory is also in the coffee shop, and has specialized software to monitor Wi-Fi traffic
- Alice browses to https://example.com (note the use of https instead of http)
- Mallory fails to see the content of the communications between Alice and Example.com, because the data is encrypted.
Hopefully that makes a lot of sense: SSL protects website traffic in a way that benefits all involved.
SSL Certificates & Expirations
SSL is built on the existence of certificates. Simplifying (we can get into greater detail in a future post), we should all want websites to hold "certificates" that validate that they are who they say they are. Yes, you want all of your favorite websites to have their own unique certificates: your bank, your webmail provider, your school, your favorite online store, etc. And we should all want it to be incredibly simple for us to verify that their certificates are valid and unexpired. Like this one:
Why have a concept of SSL certificates expiring on a particular date? There are many reasons, but perhaps the simplest is that if a malicious person (perhaps named "Mallory") somehow got their hands on your bank's SSL certificate, you would most definitely not want that stolen certificate to be in circulation forever. Expiry helps to avoid that (and, don't sweat it, there are also a number of other controls besides expiry that usually keep Mallory from getting too far with their evil scheme). Expiry is an important part of the intricate system surrounding SSL, and it adds a valuable layer of protection.
SSL Certificate Expiry: What's New
SSL certificates have long been subject to expiry, but recently a number of significant companies have decided that they would like to encourage SSL certificates to have shorter lifecycles. Until recently, it was widely accepted that SSL certificates could be issued with expiry dates as generous as 825 days. Starting on September 1, 2020, though, expect that you'll see companies abide by a much stricter standard: expiry of no more than 398 days.
Although that leads to slightly more work for some of our most technical friends involved in website maintenance and infrastructure-as-a-service, it's generally a wonderful thing to be able to have a shorter time limit on how long a malicious attacker could cause mischief with a stolen certificate.
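To make the 825-day and 398-day limits concrete, here is an added example (not code from the original post) that audits certificate validity dates against the limit that applies to their issuance date and reports how close each certificate is to expiry. The sample records are constructed in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the 30-day renewal window and the function names are assumptions of this example.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_DAYS_BEFORE = 825    # accepted maximum before the change
MAX_DAYS_AFTER = 398     # maximum for certificates issued from September 1, 2020
CUTOVER = datetime(2020, 9, 1, tzinfo=timezone.utc)
RENEW_WINDOW_DAYS = 30   # assumption of this example, not a figure from the post

# Constructed sample records shaped like ssl.SSLSocket.getpeercert() output
SAMPLES = {
    "legacy":    {"notBefore": "Aug 15 00:00:00 2020 GMT", "notAfter": "Nov 18 00:00:00 2022 GMT"},
    "too_long":  {"notBefore": "Sep 10 00:00:00 2020 GMT", "notAfter": "Dec 14 00:00:00 2022 GMT"},
    "compliant": {"notBefore": "Sep 10 00:00:00 2020 GMT", "notAfter": "Oct 13 00:00:00 2021 GMT"},
}
NOW = datetime(2021, 9, 20, tzinfo=timezone.utc)  # fixed "today" so results are repeatable

def parse_cert_time(text):
    """Convert a getpeercert() date string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)

def audit_cert(cert, now):
    """Check the validity period against the applicable limit and the renewal window."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    lifetime = not_after - not_before
    # The shorter limit applies only to certificates issued on or after the cutover.
    limit = MAX_DAYS_AFTER if not_before >= CUTOVER else MAX_DAYS_BEFORE
    days_left = (not_after - now).days
    if now < not_before:
        status = "not yet valid"
    elif now >= not_after:
        status = "expired"
    elif days_left <= RENEW_WINDOW_DAYS:
        status = "renew now"
    else:
        status = "ok"
    return {
        "lifetime_days": lifetime.days,
        "limit_days": limit,
        "over_limit": lifetime > timedelta(days=limit),
        "days_left": days_left,
        "status": status,
    }

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(name, audit_cert(cert, NOW))
```
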
The New Threat Frontier
Even with this additional protection in place, though, there is ample room for cyber criminals to take advantage of how companies rely on SSL. A specific trend that we're monitoring closely is attackers who go directly to an SSL certificate issuer, claim to be a valid representative of your company, and attempt to get the issuer to give them (the attacker) a fresh/valid certificate that should only ever have been in your hands.
This emerging threat needs attention. One thing we do at Havoc Shield is to monitor new SSL certificate issuances and alert our clients. When our clients get an alert that a certificate is issued, they almost always know it to be legitimate -- a certificate genuinely issued at their request. But, on the rare day that the SSL certificate was not requested by our client, they have a terrific head start on sorting out what trouble the attacker is trying to create, and taking steps to head off any damage. Drop us a line anytime if you'd like to learn more about how we monitor SSL certificate issuances; we're glad to help.
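One way to triage issuance alerts like those described above, as an added example that is not Havoc Shield's code or a description of its service: compare each newly observed certificate for your domain against an inventory of certificates you actually requested. The record fields, serial numbers, and CA names are constructed for illustration; in practice such records could come from a source of issuance data such as public Certificate Transparency logs.

```python
WATCHED_DOMAIN = "example.com"
REQUESTED_SERIALS = {"0a1b2c", "0d4e5f"}   # constructed: serials of certificates we requested
APPROVED_ISSUERS = {"Example Trust CA"}    # hypothetical CA name

# Constructed issuance records; field names are assumptions of this example
ISSUANCES = [
    {"serial": "0A1B2C", "issuer": "Example Trust CA",
     "dns_names": ["example.com", "www.example.com"]},
    {"serial": "77aa01", "issuer": "Example Trust CA",
     "dns_names": ["*.example.com"]},
    {"serial": "9f00c3", "issuer": "Other CA",
     "dns_names": ["login.example.com"]},
    {"serial": "123abc", "issuer": "Other CA",
     "dns_names": ["notexample.com", "example.com.attacker.test"]},
]

def covers_domain(name, domain):
    """True if a certificate DNS name is the domain itself or a (wildcard) subdomain."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Suffix match on a label boundary, so look-alike names do not count.
    return name == domain or name.endswith("." + domain)

def triage(records, domain, requested, issuers):
    """Return alerts for certificates naming our domain that we cannot account for."""
    alerts = []
    for rec in records:
        names = [n for n in rec["dns_names"] if covers_domain(n, domain)]
        if not names:
            continue  # certificate does not name our domain
        reasons = []
        if rec["serial"].lower() not in requested:
            reasons.append("serial not in request inventory")
        if rec["issuer"] not in issuers:
            reasons.append("issuer not approved")
        if reasons:
            alerts.append({"serial": rec["serial"], "names": names, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in triage(ISSUANCES, WATCHED_DOMAIN, REQUESTED_SERIALS, APPROVED_ISSUERS):
        print(alert)
```
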