For the TLS/SSL Certificates risk vector, we look at a variety of criteria when determining the effectiveness of TLS/SSL certificates and their implementation. Companies should serve up-to-date certificates on any domain that handles sensitive data.
Impact
Concept | Behavior |
---|---|
A default risk vector grade is assigned. | This is set in the center of the grading scale used to compute Bitsight Security Ratings. Some findings cannot be traced back to a specific company because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic; some firewalls also detect and block external data-gathering tools before any data is collected. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is retained for up to 400 days before the default grade is assigned. |
The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | Duration: 60 days |
Percentage (out of 70.5% in Diligence) | 10% |
Finding Grading
Certificates that need to be replaced are graded based on their support status. TLS/SSL Certificate findings are evaluated as GOOD, FAIR, WARN, or BAD. Not all attributes are weighted evenly; some messages are more serious and affect the overall grade more than other messages with the same grade.
- To be graded as GOOD, a certificate must adhere to industry-standard practices.
- FAIR findings for this risk vector have a negative impact on the rating.
- Certificates with a validity period (notBefore to notAfter) longer than 398 days are graded as WARN. Check the validity period of each certificate and make sure it is 398 days or less.
Example: Apple, Google, and Mozilla no longer trust certificates that were issued on or after September 1, 2020 and have a validity period longer than 398 days.
See finding messages.
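The validity-period check described above, as an added example written for this page (it is not Bitsight's scanner code, and only models the single 398-day criterion, not the full finding grading). It works on the `notBefore`/`notAfter` strings that Python's `ssl` module returns for a peer certificate, so the same functions run on constructed sample dates offline and on a live host via `fetch_peer_cert` (a hypothetical helper name). The browser rule is applied separately so you can see the case the page's example leaves implicit: a two-year certificate issued before September 1, 2020 is still trusted by the browsers but is still graded WARN here.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

SECONDS_PER_DAY = 86400
MAX_VALIDITY_DAYS = 398
# Apple, Google and Mozilla root programs: certificates issued on or after this
# date with a validity period longer than 398 days are not trusted.
BROWSER_CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)


def validity_days(cert: dict) -> float:
    """Validity period in days, from the 'notBefore'/'notAfter' strings that
    ssl.SSLSocket.getpeercert() returns, e.g. 'Sep  1 00:00:00 2020 GMT'."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return (end - start) / SECONDS_PER_DAY


def is_expired(cert: dict, now: Optional[datetime] = None) -> bool:
    """True if the certificate is no longer valid at `now` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now.timestamp()


def grade_validity_period(cert: dict) -> str:
    """Grade only the validity-period criterion from this page: longer than
    398 days is WARN, otherwise GOOD for this criterion. Bitsight's full
    finding grading combines further criteria that are not modelled here."""
    return "WARN" if validity_days(cert) > MAX_VALIDITY_DAYS else "GOOD"


def browser_trusts_lifetime(cert: dict) -> bool:
    """Apple/Google/Mozilla rule: a certificate issued on or after
    1 September 2020 must have a validity period of 398 days or less."""
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    return issued < BROWSER_CUTOFF or validity_days(cert) <= MAX_VALIDITY_DAYS


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Hypothetical helper: fetch the leaf certificate a live host serves
    (needs network access). The dict has the same shape as the samples below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real findings); only the date fields matter here.
SAMPLE_CERTS = {
    "one-year": {"notBefore": "Mar  1 00:00:00 2024 GMT", "notAfter": "Mar  1 00:00:00 2025 GMT"},
    "two-year-post-cutoff": {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Sep  1 00:00:00 2022 GMT"},
    "two-year-pre-cutoff": {"notBefore": "Aug 31 00:00:00 2020 GMT", "notAfter": "Aug 31 00:00:00 2022 GMT"},
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(f"{name}: {validity_days(cert):.0f} days, grade={grade_validity_period(cert)}, "
              f"browser_trusted={browser_trusts_lifetime(cert)}, expired={is_expired(cert)}")
```

To check a real host, replace the sample loop with `grade_validity_period(fetch_peer_cert("example.com"))`; note that a CDN or web filter in front of the host will return its own certificate, which is exactly the attribution problem the Impact table describes.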
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- December 12, 2023: Linked to no findings definition.
- December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.