Transport Layer Security (TLS) provides security for internet communications. TLS is the successor to the now-deprecated Secure Sockets Layer (SSL), but it is common for TLS and SSL to be used as synonyms for the current cryptographic protocols that encrypt digital communications through public key infrastructure (PKI).
To ensure that websites offer this level of communications security, web administrators generate SSL certificates that use the Hypertext Transfer Protocol Secure (HTTPS) to authenticate communications between the client and the server.
To avoid vulnerabilities that result from security misconfiguration, keep your SSL certificates up-to-date and maintain a secure protection using the SSL protocol on your web server.
Common SSL Misconfiguration Findings
Without proper configuration for SSL/TLS certificates, traffic to the site may be at risk of interception by malicious actors. An untrusted or misconfigured SSL certificate puts communication at risk, whereas a revoked certificate could render the site inaccessible to most browsers. A secure connection to web applications in production environments requires application security features like SSL/TLS authentication.
UpGuard scans for common issues around certificate configuration so that UpGuard users remain notified of any risks that may impact their business, such as the following SSL security configuration risks:
- Hostname does not match SSL certificate
- SSL certificate chain missing from server response
- Revoked certificate in use
When you generate a certificate for your site, it will include the preferred hostname or domain for the system that is being protected with encryption. This inclusion provides the necessary information to verify the connection between the client and server. If the Hostname does not match SSL certificate, then users will receive a browser error. In addition to sites being rendered inaccessible by this finding, mismatched certificates allow the possibility for man-in-the-middle (MITM) attacks.
Each certificate belongs to a certificate chain that authenticates at multiple levels. Every certificate in the chain needs to be maintained accurately and remain up-to-date for the SSL validation to function as needed. The root certificate validates the certificate authority that issues the cert, with additional intermediate certificates dependent on the structure of your site structure. If you receive notice for the SSL certificate chain missing from server response finding, then a gap in your certificate chain will invalidate the entire chain.
Certificates may be revoked by the certificate authority prior to their expiry date, in which case you would receive notification for a Revoked certificate in use. Revoked certificates do not provide proper SSL/TLS protection, and domains with a revoked certificate will not feature HTTPS protection. Revocation typically occurs due to a compromised private key, a decommissioned domain, or malicious behaviors like phishing or malware that originate with the domain in question.
UpGuard also scans your assets for risks related to weak SSL, SSL certificate expiration, SSL/TLS availability, HTTPS redirection, and HTTPS Strict Transport Policy (HSTS).
How UpGuard Can Help
With continuous monitoring for your external attack surface, UpGuard BreachSight scans for threat signals and common issues around SSL/TLS certificates. Current UpGuard users with the BreachSight feature can log in and access their Risk Profile to search for SSL risks among their assets. If you're not a current UpGuard user and you want to run an automated scan of your assets with BreachSight, sign up for a trial. BreachSight provides automation for your security settings audit.
When you have identified an SSL configuration issue for your assets, you can set up security measures to remedy the issue so that users remain protected when accessing your website.
How to Resolve SSL Configuration Issues
Each of these configuration issues can be remedied by requesting a new SSL certificate from your certificate authority. Though the certificate authorities may require different information, the process typically follows these four steps:
- Generate a certificate signing request with your choice of certificate authority.
- Complete the domain control validation process.
- Activate the certificate and install it on your servers.
- Repeat the process for all certificates in your certificate chain.
As you submit a new certificate signing request for your updated SSL certificate, ensure that it has the appropriate parameters to mitigate the configuration finding and prevent misconfiguration attacks.
Update the Hostname
If your SSL finding relates to the hostname, request a new certificate with the correct hostname(s) listed on it. A properly scoped certificate will prevent browser errors and reduce certificate complexity. Review all existing certificates to ensure that each one has the proper hostname. As you update your SSL certificate renewal processes, include steps that account for any changes to hostnames or aliases.
Protect the Certificate Chain
Because the chain functions as a whole, every certificate in the chain must be valid for the end certificate facing the client server to be valid. If part of the chain is missing or invalid, then users will encounter browser errors. To remedy this finding, configure your server so the entire certificate chain is available on the system while protecting sensitive information in the root certificate, which will ensure there are no gaps between the end certificate and the root authority.
Fix SSL Certificate Revocation
If an SSL certificate is revoked, the TLS encryption is canceled and HTTPS will not be available for the website. Revocation typically occurs only if the certificate was wrongfully issued, the certificate owner violated the terms of the certificate, or the certificate authority identifies malicious behaviors like phishing that stem from the domain.
However, if your SSL certificate is revoked, it needs to be replaced with a new certificate from a valid certificate authority as quickly as possible to ensure continuity for protected data transfer between affected servers and their clients. Continuous monitoring with UpGuard BreachSight can help you ensure that no revoked certificates are in use among your assets.
Strengthen the Security Configuration
In addition to the misconfiguration findings detailed in this post, you can protect against attack vectors resulting from default configurations and unnecessary features. Upgrade weaknesses in your algorithms and cipher suites in alignment with the Open Worldwide Application Security Project (OWASP) guidance. Strong security controls, like forward secrecy in your cipher suite, ensure that sensitive data remains encrypted against brute force attacks or unauthorized access. Change the default settings and avoid default passwords so that hackers cannot gain access to your application stack or escalate permissions within your application server.
