How is the TLS/SSL Certificates Risk Vector Observed?

TLS/SSL Certificates data is collected by establishing a TLS connection between an asset and a hostname or IP address.

• When a scan begins with a hostname, a TLS handshake is performed with the Server Name Indication (SNI) field set to the hostname. This allows the server to know which certificate to present to the connecting client.
• When a scan begins without a hostname, the TLS connection is established with an IP address. There is no way to provide a hostname in the SNI field of the TLS handshake so the collected certificate is subject to all of the assessments performed by our algorithm (graded negatively). See recommendations.
• Some services in their default configuration present an automatically-generated, self-signed certificate.

  Examples: Kubernetes Ingress and Traefik Proxy.

A unique finding is generated for each asset/certificate combination. Certificates can be applied to multiple assets and findings are generated based on each unique access point so the asset could be identified by:

• Domain name
• IP:port combination
• Both (domain name and IP:port)