Digital certificates are at the heart of every web company, from SMEs to sprawling enterprises. Effective certificate management is essential for company websites and networks to remain operational, and to prevent security lapses that can let attackers in.
To demonstrate the severity of the problem, we used Keyhub to scan the websites of Australia’s 30 largest financial companies. Keyhub is a cloud-based platform to automatically discover, organize, and track SSL/TLS certificates. Using its scanning capability, we checked the certificate status of Australia’s leading financial services providers. What we found should concern not only the companies profiled, but all online businesses. If these issues can beset some of the world’s wealthiest and most influential companies, they can happen to any business.
How the Cert Management of 30 Banking Firms Stacks Up
Using Keyhub, we analyzed the websites and subdomains of Australia’s top 30 financial companies, ranked by Alexa. In total, we inspected 837 certificates from over 2,531 affiliated subdomains. 47 of these had already expired, while another 13 were due to expire in the next week. The vast majority of the certificates we examined were signed using the SHA256 hash algorithm, but there were a few outliers. We found one top 30 Australian fintech using SHA1, which Microsoft has deemed insecure and deprecated.
We have anonymized the companies featured in the scan we undertook using Keyhub, to protect those that were vulnerable, but can disclose the following findings:
- For the top eight companies, we scanned 1,239 subdomains and found 346 digital certificates.
- Between them, these companies had 21 expired certificates.
- This means 6% of all certificates analyzed for the top eight companies were expired.
- One of Australia’s top three financial companies was responsible for 10 expired certs.
- One company in the top 30 had no valid certificates and, as a result, its website would not load.
While these results were concerning, there was some positive news to emerge from the scan we undertook: all of the top eight companies were using strong keys, secured by RSA 2048 and utilizing the SHA256 signature hash algorithm.
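The checks behind these findings, as an added Go example that is not Keyhub's code and not part of the original post: it classifies a certificate as expired, expiring within a week or current, flags SHA1/MD5 signatures and RSA keys shorter than 2048 bits, and runs those checks over constructed self-signed certificates rather than live endpoints (the hostnames and the `must` and `SelfSigned` helpers are assumptions for the example).

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Assess applies the scan's checks to one parsed certificate: status is "expired"
// once NotAfter has passed and "expiring" when it falls within the next 7 days;
// weakSig flags SHA1/MD5 signatures; weakKey flags RSA keys shorter than 2048 bits.
func Assess(cert *x509.Certificate, now time.Time) (status string, weakSig, weakKey bool) {
	status = "ok"
	if now.After(cert.NotAfter) {
		status = "expired"
	} else if cert.NotAfter.Sub(now) <= 7*24*time.Hour {
		status = "expiring"
	}
	alg := cert.SignatureAlgorithm
	weakSig = alg == x509.SHA1WithRSA || alg == x509.ECDSAWithSHA1 || alg == x509.MD5WithRSA
	pub, isRSA := cert.PublicKey.(*rsa.PublicKey)
	weakKey = isRSA && pub.N.BitLen() < 2048
	return status, weakSig, weakKey
}

// must is a fixture helper: the constructed certificates are not expected to fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SelfSigned builds a constructed self-signed RSA certificate as a stand-in for one
// fetched from a live endpoint; Go signs RSA templates with SHA256WithRSA by default.
func SelfSigned(bits int, notAfter time.Time) *x509.Certificate {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	now := time.Now()
	// Constructed inventory: one lapsed cert, one due within the week, one with a weak key.
	for _, c := range []struct{ name string; bits, days int }{{"expired.example", 2048, -1}, {"renew-soon.example", 2048, 3}, {"weak-key.example", 1024, 200}} {
		status, weakSig, weakKey := Assess(SelfSigned(c.bits, now.Add(time.Duration(c.days)*24*time.Hour)), now)
		fmt.Printf("%-20s status=%-8s weak_sig=%v weak_key=%v\n", c.name, status, weakSig, weakKey)
	}
}
```

Against a real inventory, the certificates would come from the TLS handshake of each subdomain instead of SelfSigned, and the 7-day window is the same one the scan used for "due to expire".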
Automated certificate management matters
It takes only a single lapsed certificate to throw an enterprise’s website offline and present an opportunity for hackers to try to exploit. With the price of failure so high, allowing certificates to expire due to human error is unforgivable.
To protect their PKI and preserve the security of their subdomains, we urge all businesses to utilize dedicated software that can automate the process, ensuring that expired certs become a thing of the past. Protecting digital identities and certificates is one of the most practical measures enterprises can take to secure their networks.