Digital certificates are at the heart of every web company, from SMEs to sprawling enterprises. Effective SSL/TLS certificate management is essential for company websites and networks to remain operational, and to prevent security lapses that can let attackers in.
To demonstrate the severity of the problem, we used Keyhub to scan the websites of Australia’s 30 largest financial companies. Keyhub is a cloud-based platform to automatically discover, organize, and manage SSL/TLS certificates. Using its SSL/TLS certificate discovery tool, we checked the certificate status of Australia’s leading financial services providers. What we found should concern not only the companies profiled, but all online businesses. If these issues can beset some of the world’s wealthiest and most influential companies, they can happen to any business.
How the PKI management of 30 banking firms stacks up
Using the Keyhub Analytics tool, we analyzed the websites and subdomains of Australia’s top 30 financial companies, selected by Alexa ranking. In total, we inspected 837 certificates from over 2531 affiliated subdomains. 47 of these had already expired, while another 13 were due to expire in the next week. The vast majority of the certificates we examined were signed using the SHA256 hash algorithm, but there were a few outliers. We found one top 30 Australian fintech still using SHA1, which Microsoft has deemed insecure and deprecated.
We have anonymized the companies featured in the discovery scan we undertook using Keyhub, to protect those that were vulnerable, but can disclose the following findings:
- For the top eight companies, we scanned 1,239 subdomains and found 346 digital certificates.
- Between them, these companies had 21 expired SSL/TLS certificates.
- This means 6% of all certificates analyzed for the top eight companies were expired.
- One of Australia’s top three financial companies was responsible for 10 expired certificates.
- One company in the top 30 had no valid certificates and as a result their website would not load.
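The core of a scan like this is simple to reproduce. The following is an added example, not Keyhub's code (which is not published here): it uses only Python's standard library to fetch a subdomain's leaf certificate, classify it as expired, expiring within the next week, or fine, and roll an inventory up into the kind of counts and percentages reported above. The hostnames, dates and the "now" timestamp are constructed for the demo; fetch_cert needs network access and is not exercised by the sample run. Signature hash algorithm and key size are not exposed by getpeercert(), so checking those (the SHA1 and RSA 2048 points above) needs a full X.509 parser.

```python
from __future__ import annotations

import socket
import ssl
from datetime import datetime, timezone

# Certificates expiring within this many days are flagged, matching the
# "due to expire in the next week" bucket used in the scan above.
EXPIRY_WARNING_DAYS = 7


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate of host in the dict form ssl.getpeercert() returns.

    Verification stays enabled (the default context), so an expired or
    untrusted certificate raises ssl.SSLCertVerificationError instead of
    being returned; an inventory scanner records that exception as a finding.
    Needs network access, so the self-contained demo below does not call it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def classify(cert: dict, now: datetime) -> tuple[str, int]:
    """Return (status, days_left) for one certificate dict.

    status is "expired", "expiring_soon" or "ok"; days_left is negative
    (rounded down) when the certificate has already lapsed.
    """
    # getpeercert() gives notAfter as e.g. "Feb 20 00:00:00 2021 GMT";
    # ssl.cert_time_to_seconds parses exactly that format into epoch seconds.
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    remaining = not_after - now
    days_left = int(remaining.total_seconds() // 86400)
    if remaining.total_seconds() < 0:
        status = "expired"
    elif days_left <= EXPIRY_WARNING_DAYS:
        status = "expiring_soon"
    else:
        status = "ok"
    return status, days_left


def summarize(inventory: dict, now: datetime) -> dict:
    """Aggregate an inventory {host: cert_dict} into per-host findings and totals."""
    counts = {"total": len(inventory), "expired": 0, "expiring_soon": 0, "ok": 0}
    findings = {}
    for host, cert in inventory.items():
        status, days_left = classify(cert, now)
        counts[status] += 1
        findings[host] = (status, days_left)
    counts["expired_pct"] = (
        round(100 * counts["expired"] / counts["total"], 1) if counts["total"] else 0.0
    )
    counts["findings"] = findings
    return counts


# Constructed sample inventory in getpeercert() shape; not real scan data.
SAMPLE_NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = {
    "login.example-bank.test": {
        "notBefore": "Feb 20 00:00:00 2020 GMT",
        "notAfter": "Feb 20 00:00:00 2021 GMT",  # lapsed nine days before SAMPLE_NOW
    },
    "api.example-bank.test": {
        "notBefore": "Mar 05 12:00:00 2020 GMT",
        "notAfter": "Mar 05 12:00:00 2021 GMT",  # four days left: inside the warning window
    },
    "www.example-bank.test": {
        "notBefore": "Mar 01 00:00:00 2021 GMT",
        "notAfter": "Mar 01 00:00:00 2022 GMT",
    },
    "static.example-bank.test": {
        "notBefore": "Oct 01 00:00:00 2020 GMT",
        "notAfter": "Sep 30 23:59:59 2022 GMT",
    },
}

if __name__ == "__main__":
    report = summarize(SAMPLE_INVENTORY, SAMPLE_NOW)
    for host, (status, days) in report["findings"].items():
        print(f"{host:28} {status:14} {days:+d} days")
    print(f"{report['expired']}/{report['total']} expired ({report['expired_pct']}%)")
```

In a real inventory run, the loop over subdomains would call fetch_cert for each host and record an SSLCertVerificationError as its own finding rather than skipping the host, since an expired certificate is exactly the case where the default context refuses the handshake.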
While these results were concerning, there was some positive news to emerge from the discovery scan we undertook: all of the top eight companies were using strong keys, secured by RSA 2048 and utilizing the SHA256 signature hash algorithm.
Automated SSL/TLS certificate management matters
It takes only a single lapsed certificate to throw an enterprise’s website offline and hand attackers an opening against your PKI. With the price of failure being so high, allowing SSL/TLS certificates to expire due to human error is unforgivable.
To protect their PKI and preserve the security of their subdomains, we urge all businesses to use a dedicated SSL/TLS certificate management tool that can automate the process, ensuring that expired certificates become a thing of the past. Proper management of PKI and certificates is one of the most practical measures enterprises can take to secure their networks.