We often talk to customers and the rest of the world about SSL/TLS certificates and how important they are. At Remme, we live and breathe digital certificates, their care and protection. But we know it can be hard to make certificates a real concern for others. Then, we realized, right in our hands, we had the ability to help more people understand certificates – and so do you...
We used Keyhub to shine a light on the state of PKI certificates management in different industries. Our first subject was the retail sector, where we looked at the top fifty most visited websites, one at a time, and came away with some interesting insight. Not only are things just as worrisome as we feared – often they are worse, with some companies having close to 20 percent of their certificates expired or invalid!
This is potentially bad news for them and for their customers. Like the chain that is only as strong as its weakest link, bad certificates can put a lot of other investments at risk.
For companies of all sizes, the public key infrastructure (PKI) is vital to all online activities. PKI is the key to data protection, identity confirmation, online payment systems, trust, and even getting “found,” since leading search engines favor sites with properly configured and maintained PKI. The gaps in PKI left by those expired or invalid certificates can’t be wished away. You might not “see” them in the course of your day-to-day activities but to those looking, including bad actors hoping to exploit your site, they are obvious.
What’s the problem, exactly?
The bottom line is that bad certificates have been implicated in many of the worst corporate hacks. Beyond that, bad or missing certificates can impact performance or cause glitches that can quickly drive away customers and create extra work for staff already struggling to keep up with the daily routine.
According to a study released early this year by ResearchandMarkets.com, the retail industry was valued at USD 23,460 billion in 2017 and is expected to register a CAGR of 5.3% during the forecast period (2018-2023), to reach USD 31,880.8 billion by 2023. While the largest retailers represent the lion’s share of this sector – and each of those giants can have hundreds of sub-domains and often hundreds of certificates – certificate management is an issue for all. While smaller retailers might not be as much of a tempting target, they often have a less robust IT staff and may not grasp all the best PKI certificate management practices.
According to the most recent Verizon Data Breach Investigation Report, 2018 saw 234 incidents in the retail sector, 139 with confirmed data disclosure. Similarly, in recent weeks, even giant Walmart has suffered embarrassing service interruptions that brought both online and “brick and mortar” sales to a standstill.
Consider what’s at risk in terms of cybersecurity or potential lost sales for all of these businesses, large and small, when SSL/TLS certificates aren’t doing their job.
The top 50: overview
With the help of Keyhub we’ve examined public domains of top 50 websites in retail with over 7,000 affiliated subdomains. Here is what we’ve found.
- 1122 SSL/TLS certificates discovered
- 91 CAs
- 22 SHA1 certificates
- 6 with weak keys
- 125 SSL/TLS certificates expired
- 16 close to expiration certificates
As is well known, the legacy SHA1 type is no longer considered adequate technology. In fact, Microsoft announced a decision to deprecate the use of SHA1 and to replace it by SHA256. That means Microsoft products no longer recognize SHA1 and its use will lead to security alerts.
While most organizations used relatively few hosts – ranging from the single to the low double digits – one company used more than 1000 hosts! Similarly, while the majority of keys discovered with Keyhub were RSA 2048, several were RSA 1024 and a few ECC256.
Meanwhile, the bulk of the signature hash algorithms in use as revealed by Keyhub were SHA256RSA, but several others were also encountered. Of course, the strength of the hash algorithm used to sign a digital certificate makes all the difference. A weakness in a hash algorithm can allow attackers to get fraudulent certificates and harm your PKI.
The Top 8: Digging into the subdomains
When it comes to the top eight retailer websites – all of them representing well-known global brands – the story was no different. For example, one large brick-and-mortar and online retailer, with more than 800 subdomains had more than 200 total certificates of which nearly 5 percent were invalid. Similarly, a global clothing retailer had 17 percent of its 30 certificates that were invalid. The top eight retailers averaged 726 subdomains each, which clearly highlights the importance of deep scans and detecting all certificates since they can be easily overlooked when there are so many to manage.
As we are fond of reminding our friends, customers, and future customers, that all the problems revealed by Keyhub in our study of the retail sector are easy to solve: automation. SSL certificate management tools, especially ours, can automate the record keeping associated with acquiring and maintaining certificates. Automation can discover and identify certificates associated with your domains and subdomains (often certificates that the organization has forgotten about!). And weak, expired, and missing certificates can be eliminated – improving PKI efficiency and boosting security.
Needless to say, we wish the best for all these companies but we sincerely hope they will take the same look that we did and then take the right steps to protect their PKIs with effective SSL/TLS certificate management tools.
Create your free Keyhub account to discover SSL/TLS certificates in less than 5 minutes!