- November 29, 2023: Remediation and finding behavior recommendations.
- November 10, 2023: Linked to finding messages.
- August 16, 2023: New Grading & Finding Behavior sections.
The TLS/SSL Certificates risk vector evaluates the strength and effectiveness of the cryptographic keys within TLS and SSL certificates, which are used to encrypt internet traffic. Certificates are responsible for verifying the authenticity of company servers to associates, clients, and guests, and also serve as the basis for establishing cryptographic trust.
When communications are not properly secured or encrypted, traffic sent to the host is unencrypted. Personal customer or employee information, including passwords, can become publicly visible to observers and may lead to data breaches.
Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDNs), that can redirect and encapsulate network traffic. Some firewalls might also detect and block external data-gathering tools from collecting any data. Such cases are set at the center of the grading scale when computed into Bitsight Security Ratings.
If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
(Out of 70.5% in Diligence)
The most common issues with TLS/SSL certificates stem from:
- A lack of appropriate signatures (no root or leaf certificate in chain, self-signed certificate, expired certificate).
- The enablement of insecure ciphers.
- Use the Certificate Key Evidence field to identify the asset and then refer to the Remediation Instructions provided in the Finding Details.
- Review TLS/SSL Certificate findings. See all finding messages.
- Implement effective TLS/SSL certificates.
- Obtain valid and up-to-date TLS certificates from a certificate authority.
- Select a stronger signature algorithm (like SHA-256).
Automated: 60 Days
User-Requested: 3 Days
A new finding is created and the old one needs to complete its lifetime.
Findings with a certificate serial number identical to the previous record are considered to be the same finding. If the serial number is new, the previous finding will have an Asset Not Reached refresh status.
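The checks behind the common issues listed above (missing chain to a trusted root, self-signed certificate, expired certificate, weak signature algorithm), the remediation advice to obtain a CA-issued certificate with a SHA-256 family signature, and the rule that a finding is identified by its certificate serial number can all be exercised with Go's standard crypto/x509 package. The following is an added example, not Bitsight's own code: it builds two constructed certificates for the hypothetical host name tls.example.test, an expired self-signed leaf and a leaf properly issued by a private root, inspects each, and compares their serial numbers the way the finding-identity rule does.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertFinding records the result of inspecting one certificate. The serial
// number is the finding's identity: a later observation with the same serial
// is the same finding, a different serial is a new one.
type CertFinding struct {
	Serial string
	Issues []string
}

// Signature algorithms based on MD2, MD5 or SHA-1 are treated as too weak;
// the remediation is a SHA-256 (or stronger) signature.
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD2WithRSA:    true,
	x509.MD5WithRSA:    true,
	x509.SHA1WithRSA:   true,
	x509.DSAWithSHA1:   true,
	x509.ECDSAWithSHA1: true,
}

// InspectLeaf checks a presented leaf certificate against a pool of trusted
// roots at time now and records the issue classes the risk vector describes:
// validity period, self-signature, weak signature algorithm, and a chain that
// does not end at a trusted root.
func InspectLeaf(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) CertFinding {
	f := CertFinding{Serial: leaf.SerialNumber.Text(16)}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		f.Issues = append(f.Issues, "outside validity period")
	}
	// Self-signed: subject equals issuer and the certificate's own public key
	// verifies its signature.
	if leaf.Subject.String() == leaf.Issuer.String() &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		f.Issues = append(f.Issues, "self-signed")
	}
	if weakSigAlgs[leaf.SignatureAlgorithm] {
		f.Issues = append(f.Issues, "weak signature algorithm "+leaf.SignatureAlgorithm.String())
	}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		f.Issues = append(f.Issues, "no trusted chain: "+err.Error())
	}
	return f
}

// SameFinding applies the identity rule: identical serial number, same finding.
func SameFinding(prev, cur CertFinding) bool { return prev.Serial == cur.Serial }

// newCert issues a certificate for tmpl signed by parent with parentKey, or
// self-signed when parent is nil. Each certificate gets a fresh P-256 key,
// which makes the signature algorithm ECDSAWithSHA256.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario constructs the two certificates (hypothetical host tls.example.test):
// an expired self-signed leaf checked against an empty trust pool, and a leaf
// issued by a private root that is placed in the trust pool.
func Scenario(now time.Time) (bad, good CertFinding, err error) {
	selfSigned := &x509.Certificate{
		SerialNumber: big.NewInt(1001),
		Subject:      pkix.Name{CommonName: "tls.example.test"},
		NotBefore:    now.Add(-400 * 24 * time.Hour),
		NotAfter:     now.Add(-24 * time.Hour), // expired one day ago
		DNSNames:     []string{"tls.example.test"},
	}
	leaf1, _, err := newCert(selfSigned, nil, nil)
	if err != nil {
		return
	}
	bad = InspectLeaf(leaf1, x509.NewCertPool(), now)

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root, rootKey, err := newCert(rootTmpl, nil, nil)
	if err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2002),
		Subject:      pkix.Name{CommonName: "tls.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		DNSNames:     []string{"tls.example.test"},
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf2, _, err := newCert(leafTmpl, root, rootKey)
	if err != nil {
		return
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	good = InspectLeaf(leaf2, pool, now)
	return
}

func main() {
	bad, good, err := Scenario(time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("serial %s: %v\n", bad.Serial, bad.Issues)
	fmt.Printf("serial %s: %v (same finding as previous: %v)\n", good.Serial, good.Issues, SameFinding(bad, good))
}
```

The expired self-signed leaf produces three issues (validity, self-signature, no trusted chain) and the CA-issued leaf produces none; because the two serial numbers differ, the second observation is a new finding rather than a refresh of the first. In production the leaf and its presented chain would come from a TLS handshake and the pool from the system trust store, but the classification logic is unchanged.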