For the TLS/SSL Certificates risk vector, we look at a variety of criteria when determining the effectiveness of TLS/SSL certificates and their implementation. Companies should have up-to-date certificates on any domains that handle sensitive data.
See how the Diligence risk category is calculated.
Impact
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Behavior:
This is set in the center of the grading scale for computing into Bitsight Security Ratings.
Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDNs), that are capable of redirecting and encapsulating network traffic. Some firewalls might also detect and block external data-gathering tools from collecting any data.
If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 340 days before being assigned the default grade. If the most recent grade is lower than the default grade, the default grade is assigned.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Weight
The TLS/SSL Certificates risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.
Weight: 10%
Finding Grading
Certificates that need to be replaced are graded based on their supported status. TLS/SSL Certificate findings are evaluated as GOOD, FAIR, WARN, or BAD. Not all attributes are weighted evenly; some messages may be more serious and affect the overall grade more than other similarly graded messages.
- To be graded as GOOD, a certificate must adhere to industry-standard practices.
- FAIR findings for this risk vector have a negative impact on the rating.
- Certificates that have a validity period of more than 398 days are graded as WARN. Check the validity period of your certificates and make sure they have lifetimes of 398 days or less.
Example: Apple, Google, and Mozilla no longer trust certificates that were issued on or after September 1, 2020 and have a validity duration greater than 398 days.
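The 398-day check described above, as an added example (this is not Bitsight's code): a standard-library-only Python script that computes a certificate's validity period, grades it GOOD or WARN using the page's threshold, reports whether browsers will distrust it under the September 1, 2020 rule, and flags expiry separately (the page asks for up-to-date certificates but assigns no grade to expiry). It works on the dict shape returned by `ssl.SSLSocket.getpeercert()`, so it can be pointed at a live host; the sample certificates, host names and reference date are constructed for offline use.

```python
"""Check certificate validity periods against the 398-day rule.

Added example, not Bitsight's code. Works on the dict returned by
ssl.SSLSocket.getpeercert(); the samples at the bottom are constructed.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

MAX_LIFETIME_DAYS = 398
# Apple, Google and Mozilla distrust certificates issued on or after this
# date whose validity period exceeds 398 days.
BROWSER_CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)
# Constructed reference date used by the sample run below.
AS_OF = datetime(2025, 3, 1, tzinfo=timezone.utc)


def _parse_cert_time(value: str) -> datetime:
    # getpeercert() renders dates like 'Sep  1 00:00:00 2020 GMT';
    # cert_time_to_seconds() understands exactly that format.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def validity_days(cert: dict) -> int:
    """Whole days between notBefore and notAfter."""
    start = _parse_cert_time(cert["notBefore"])
    end = _parse_cert_time(cert["notAfter"])
    return (end - start).days


def grade_validity(cert: dict, now: Optional[datetime] = None) -> dict:
    """Grade the validity period (GOOD or WARN, the two outcomes the page
    defines for this check) and report the facts needed to remediate."""
    now = now or datetime.now(timezone.utc)
    not_before = _parse_cert_time(cert["notBefore"])
    not_after = _parse_cert_time(cert["notAfter"])
    days = (not_after - not_before).days
    too_long = days > MAX_LIFETIME_DAYS
    return {
        "lifetime_days": days,
        "grade": "WARN" if too_long else "GOOD",
        # Issued after the cutoff and too long: browsers reject it outright,
        # so replacement is urgent rather than merely advisable.
        "browser_distrusted": too_long and not_before >= BROWSER_CUTOFF,
        # Expiry is reported separately; the page assigns it no grade.
        "expired": not_after < now,
    }


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate a live host presents (needs network access).

    The default context verifies the chain and host name, so a certificate
    that fails validation raises rather than being graded.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() form (not real hosts).
SAMPLE_CERTS = {
    # Issued after the cutoff with a 456-day lifetime: WARN and distrusted.
    "long-lived.example": {
        "notBefore": "Oct  1 00:00:00 2020 GMT",
        "notAfter": "Dec 31 23:59:59 2021 GMT",
    },
    # Exactly 398 days: the boundary is inclusive, so GOOD.
    "boundary.example": {
        "notBefore": "Mar 10 00:00:00 2024 GMT",
        "notAfter": "Apr 12 00:00:00 2025 GMT",
    },
    # Issued before the cutoff, 365 days, but long expired.
    "expired.example": {
        "notBefore": "Jan  1 00:00:00 2019 GMT",
        "notAfter": "Jan  1 00:00:00 2020 GMT",
    },
}


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        print(name, grade_validity(cert, now=AS_OF))
```

To grade a live endpoint, replace the sample dict with `fetch_peer_cert("your.host")`; the grading logic is unchanged because `getpeercert()` returns the same `notBefore`/`notAfter` string format the samples use.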
Once remediated, TLS/SSL Certificate findings no longer impact your rating. This can be achieved by:
- Issuing a new certificate
- Taking the asset offline
- A combination of both.
This is reflected by the No: Remediated value for the Impacts Risk Vector Grade field.
Available in both regular scans and manual rescan requests.
Immediate rescan feedback for TLS/SSL Certificates is also available, speeding up the remediation cycle.
Frequently Asked Questions
Q: How does Bitsight identify and remediate SSL Certificate findings?
SSL Certificates can be attributed to an entity for two reasons:
- Observed in assets—the certificate was found installed on assets associated with the entity.
- Listed in certificate—the entity’s assets are explicitly listed within the certificate’s fields (e.g., Subject Alternative Name).
Q: When are TLS/SSL Findings Considered to be Remediated?
A finding is considered remediated when all assets where the certificate was seen are addressed:
- For Observed in assets, all affected assets belonging to the entity must either:
  - Be taken offline, or
  - No longer present the certificate.
- For Listed in certificate, all sources (including third-party assets) where the certificate appears must be addressed. We provide a complete list of all sources where the certificate was observed, so if a third-party asset remains unremediated and is preventing remediation of the finding, it can be identified in that list. Those sources must either:
  - Be taken offline, or
  - No longer have the certificate installed.
See finding messages.
- December 21, 2025: Updated language to align with product updates.
- August 20, 2025: Added Dynamic Remediation details.
- July 10, 2025: Time period decrease on findings with insufficient data or no data for the 2025 Ratings Algorithm Update.
- November 22, 2024: Default grading behavior updated.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”