SSL certificates are one of the most important tools for securing online infrastructure. They’re also one of the easiest to forget about. As long as they are doing their job, they tend to be left alone. And since the period between renewals can be a year or more, unless companies have a process in place to start renewal before it’s due, it’s quite likely that renewal will be neglected until after the certificates become invalid.
If certificates aren’t renewed in a timely fashion, the consequences for businesses can be dire. Services and sites may go down and users will receive scary security warnings. Certificates signed by Certificate Authorities validate the identity of the organization. Browsers know that they should trust certificates that are signed by CAs. When the certificate expires, browsers immediately stop trusting the site, and will warn users of a potential security threat — the browser cannot determine whether the user is sending data to a legitimate service or an attacker spoofing that service.
It isn’t something that happens only to small businesses without extensive IT departments. In 2013 Microsoft’s global Azure infrastructure was seriously degraded because of an expired SSL certificate. In 2014, Apple’s software update system was broken because the company failed to renew a certificate. Earlier this year, GMail’s SMTP service went down because the company forgot to renew. Instagram’s web application suffered a similar fate.
According to a recent study from Ponemon, SSL certificate expirations cost global companies an average of $15 million per year, with the potential for a further $25 million in compliance costs. Smaller businesses aren’t likely to face the same level of cost, but they are also less equipped to handle the consequences. Without deep pockets, a failure of SSL encryption can put a business in a very bad place.
Organizations with user-facing SSL encryption have the most to lose. If an eCommerce store’s SSL certificate expires, web browsers will display prominent warnings that the site is not secure. Consumers depend on online services’ ability to protect their private data, and browser security warnings send a message that can damage trust and tarnish the company’s reputation.
What can organizations do to mitigate the risks of expired SSL certificates?
The most important risk mitigation strategy is to have processes in place to ensure that someone is responsible for maintaining SSL certificate viability. Many certificate authorities will send warning emails as the expiration date approaches, but they’re worthless if there is no one whose job it is to act on that information. Renewing a certificate is not a complex process, but it is essential that organizations have procedures in place to designate responsibility for renewals to specific individuals and notify those individuals when certificates are set to expire.
Image: Flickr/Dennis Wong