
SecurityTrails Blog · Feb 11 · by Esteban Borges

Risks of Expired SSL Certificates


SSL certificates have become an integral part of today’s internet. Allowing the encryption of traffic between host and client has opened up multiple opportunities for services to be accessed from anywhere, further expanding the scope of possibilities the internet has to offer.

From financial to confidential work-related web applications, SSL certificates have made it possible to ensure your connection is safe and secure between you and the web application being accessed.

Using SSL certificates might not be the most important sign of security when using a web application, but with the increasingly easy and cost-free implementation of SSL certificates via providers like Let's Encrypt, it becomes all the more important to ensure that your web applications are SSL-enabled as the whole internet pushes toward a much more secure environment.

Using SSL certificates, however, is not without a catch. SSL certificates do not simply renew themselves; they have to be re-issued once they expire. While this is often misunderstood and considered a flaw, it keeps SSL certificates secure by forcing the observance of newer standards each time a certificate is re-generated. If SSL certificates simply renewed, they would never be replaced with certificates that meet modern encryption standards, and flawed SSL certificates would stay in service.

How a browser displays expired SSL certificates

If your web application is using an expired SSL certificate, the web browser used to access it will display a large warning that your website is insecure and potentially dangerous. These warnings are often large enough to deter potential customers and users.

Let’s look at some of the most commonly used web browsers and see how they display warnings about expired SSL certificates.

Google Chrome

Google Chrome is one of the most extensively used browsers out there. Its error page gives you a clear indicator if the website you’re trying to access has something wrong with it, and that the connection isn’t private:

Screenshot: "Connection is not private"

Firefox

Firefox displays a detailed yet eye-catching error message to let you know that the website being accessed isn’t going to be safe:

Screenshot: "Warning: potential security risk ahead"

Microsoft Edge

Microsoft Edge is another Chromium-based browser with an alert/error page similar to Google Chrome’s, giving you a clear message that your connection isn’t private:

Screenshot: "Connection isn't private"

Internet Explorer

Finally, here’s a look at one of the oldest yet still frequently used web browsers, Internet Explorer. In the latest version of IE, IE 11, which ships with Windows 10, you’ll get a clear indicator if something is wrong with the SSL certificate and the site being accessed isn’t secure.

Screenshot: "This site is not secure"

Consequences of expired SSL certificates

While SSL certificates offer your users added security and peace of mind when accessing your web application, an expired SSL certificate can reverse all that and cause a lot of damage.

Illustration: "Consequences of expired SSL certificates"

Reputational damage

Your web application’s reputation is one of its most important assets. For a new customer visiting your web application for the first time, being greeted with an expired SSL certificate warning won’t be the best thing for its reputation.

Sometimes, technically advanced users will manually verify the certificate and understand that it has simply expired, prompting them to ignore the warning and/or add an exception for your web application, but new customers and less technical users may not understand this. They’re much more likely to view your web application as dangerous.

Word-of-mouth and social media-based reputation is another important aspect to consider. Potential customers often look toward multiple sources such as search engines, social media platforms and technical forums for feedback or information about your web application. And a user reporting your web application as having an expired SSL certificate, and being potentially dangerous, can have a bad impact on your web application’s reputation.

Financial loss

Financial loss is another important aspect to consider when dealing with expired SSL certificates, as it opens up an area of doubt in the user’s mind. A user isn’t likely to feel safe making purchases on your web application if the user’s web browser displays an insecure-website warning.

Users don’t usually return to web applications that give them a poor first impression. And an expired SSL certificate can do just that, giving them an everlasting perception of your web application as unsafe.

Increase in customer support activity

Expired SSL certificate warnings often create additional work for customer support departments as well. Users encountering such error messages will often contact support departments for help on getting around such issues.

Providing effective customer support in this area depends heavily on the user’s environment. The specifics of each operating system and web browser, for example, add to your customer support team’s workload while they’re already trying to keep customers happy as the expired SSL certificate issue is resolved.

Security dangers

Expired SSL certificates open up multiple attack vectors, including phishing attacks and data breaches, which can weaken your web application’s security.

Phishing attacks

If your web application has an expired or invalid SSL certificate, a customer or user of your web application can no longer verify that the connection to and from your website is secure.

It also becomes difficult to verify whether another website is legitimate or not. For example, someone can create a clone of your website with an expired SSL or non-existent SSL certificate. If its URL is very similar to yours, a phishing website can trick users quite easily.

Man-in-the-middle attacks

SSL certificates help mitigate man-in-the-middle attacks. Having a valid SSL certificate allows a visitor to verify the authenticity of a website, and improvements like HSTS provide further protection against man-in-the-middle attacks.

Having an expired SSL certificate, or none at all, makes it easy to launch a man-in-the-middle attack and hijack any requests made to the web application, allowing the attacker to intercept and steal all data sent to it.

Data breach

Without SSL certificates and the encryption they provide, sensitive areas of your attack surface are far more exposed to incoming attacks. Combined with the attack vectors mentioned above, such as phishing and man-in-the-middle attacks, whether used together or individually, this could lead to a data breach or even a complete system breach.

How can you find and prevent expired SSL certificates?

With the number of domains and subdomains found even in small web applications, and with each domain and subdomain having its own SSL certificate and different expiry dates, extracting SSL data and keeping track of multiple SSL certificates manually simply isn’t possible.

There is, however, a solution. Using SurfaceBrowser™ helps you stay on top of all SSL certificates in use under your organization and any related alerts.

Let’s take a look at how to use this next-level security tool to find expired SSL certificates within an organization. In this example, we take a look at General Electric (ge.com):

As you can see, detecting all your expired, or almost expired SSL certificates becomes an easy task with SurfaceBrowser™. It literally takes seconds, and can be done from our friendly web-based interface.
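Whether or not you use a hosted tool, the underlying check that such tools automate is straightforward to script. The following is an added example written for this article; it is not SecurityTrails or SurfaceBrowser™ code. Using only the Python standard library, it performs a fully validated TLS handshake against each hostname in an inventory (the host list and the alert thresholds are constructed placeholders), reports how many days remain before the certificate's notAfter date, maps OpenSSL's "certificate has expired" verify code to an EXPIRED status when the handshake itself fails, and also records whether the site sends the Strict-Transport-Security header mentioned in the man-in-the-middle section above. The function names (`check_host`, `check_hosts`, `parse_hsts`) are this example's own.

```python
"""Certificate-expiry and HSTS inventory check for a list of hostnames.

Added example for this article (not SecurityTrails or SurfaceBrowser code).
Standard library only. HOSTS and the thresholds are constructed placeholders.
"""
import socket
import ssl
import time

WARN_DAYS = 30      # start of the renewal window (constructed threshold)
CRITICAL_DAYS = 7   # page someone (constructed threshold)
X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for an expired certificate

# Constructed inventory; replace with your own domain and subdomain list.
HOSTS = ["example.com", "www.example.com"]


def days_until_expiry(cert, now_ts=None):
    """Days left on a certificate dict as returned by SSLSocket.getpeercert().

    Negative means already expired. 'now_ts' (seconds since the epoch) lets
    callers and tests fix the clock; it defaults to the current time.
    """
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_ts is None:
        now_ts = time.time()
    return (not_after - now_ts) / 86400.0


def classify(days):
    """Map remaining days to an alert level."""
    if days < 0:
        return "EXPIRED"
    if days < CRITICAL_DAYS:
        return "CRITICAL"
    if days < WARN_DAYS:
        return "WARNING"
    return "OK"


def parse_hsts(raw_response):
    """Return the Strict-Transport-Security value from a raw HTTP response
    (bytes), or None if the site does not send HSTS."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"strict-transport-security":
            return value.strip().decode("ascii", "replace")
    return None


def check_host(hostname, port=443, timeout=5.0, now_ts=None):
    """Validated TLS connect. Returns (hostname, status, detail, hsts)."""
    ctx = ssl.create_default_context()   # validates chain, dates and hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                # One HEAD request so we can see the HSTS header, if any.
                tls.sendall(
                    f"HEAD / HTTP/1.1\r\nHost: {hostname}\r\n"
                    f"Connection: close\r\n\r\n".encode()
                )
                raw = b""
                while b"\r\n\r\n" not in raw:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
    except ssl.SSLCertVerificationError as exc:
        # The handshake itself reports why validation failed (expired, wrong
        # name, untrusted issuer): the same failure a browser warns about.
        expired = exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED
        return hostname, "EXPIRED" if expired else "INVALID", exc.verify_message, None
    except (OSError, ssl.SSLError) as exc:
        return hostname, "UNREACHABLE", str(exc), None
    days = days_until_expiry(cert, now_ts)
    detail = f"{days:.1f} days left (notAfter={cert['notAfter']})"
    return hostname, classify(days), detail, parse_hsts(raw)


def check_hosts(hostnames, **kwargs):
    """Check every host and return the results worst-first."""
    order = {"EXPIRED": 0, "INVALID": 1, "UNREACHABLE": 2,
             "CRITICAL": 3, "WARNING": 4, "OK": 5}
    results = [check_host(h, **kwargs) for h in hostnames]
    return sorted(results, key=lambda r: order[r[1]])


if __name__ == "__main__":
    for host, status, detail, hsts in check_hosts(HOSTS):
        print(f"{status:<11} {host:<30} {detail}  HSTS={hsts or 'missing'}")
```

Run it from cron against the full list of domains and subdomains and alert on anything other than OK. Because the connection uses the default validating context, a certificate that is expired, issued for the wrong name, or chained to an untrusted issuer fails at the handshake exactly as it would in a browser, so the report reflects what users actually see rather than only the date printed on the certificate.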

Summary

Renewing and managing SSL certificates is as much a concern as setting them up. As search engines push to provide better rankings for SSL-secured websites and web browsers continue to display warnings on non-secure websites, tracking SSL certificate statuses across all your domains and subdomains becomes all the more important.

While this can be tricky to do manually, there are tools to help you scan your attack surface, which includes your SSL certificates as well. And with SurfaceBrowser™ it’s possible to scan your entire web application’s domain structure, which lists every single domain and subdomain along with their attached SSL certificates.

Managing your SSL certificates—and avoiding the risks that come with expired SSL certificates—has never been easier.


ESTEBAN BORGES

Esteban is a seasoned security researcher and cybersecurity specialist with over 15 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.