The TLS/SSL Certificates risk vector evaluates the strength and effectiveness of the cryptographic keys in the TLS and SSL certificates used to encrypt internet traffic. Certificates verify the authenticity of company servers to associates, clients, and guests, and also serve as the basis for establishing cryptographic trust.
Risks
When communications are not properly secured, traffic sent to the host is unencrypted, and personal customer or employee information, including passwords, can be read by anyone observing the network, which may lead to data breaches. A certificate that is expired, self-signed, or otherwise untrusted also weakens server authentication: clients that accept it can no longer distinguish the legitimate host from an impersonator.
Grading
See how the TLS/SSL Certificates risk vector is graded.
Concept | Behavior |
---|---|
Duration | 60 Days |
Insufficient data | The risk vector is set to the center of the grading scale when computing Bitsight Security Ratings. Some findings cannot be traced back to specific companies because third-party systems, such as web filters and Content Delivery Networks (CDNs), can redirect and encapsulate network traffic; some firewalls also detect and block external data-gathering tools. If there are no findings because data collection is temporarily impossible, the most recent grade is kept for up to 400 days before the default grade is assigned. |
Percentage (out of 70.5% in Diligence) | 10% |
Remediation
The most common issues with TLS/SSL certificates stem from:
- Invalid or untrusted certificates: an incomplete chain (no root or leaf certificate in the chain), a self-signed certificate, or an expired certificate.
- Insecure ciphers enabled on the server.
Resources
Recommendations
- Use the Certificate Key Evidence field to identify the asset and then refer to the Remediation Instructions provided in the Finding Details.
- Review TLS/SSL Certificate findings. See all finding messages.
- Implement effective TLS/SSL certificates.
- Obtain valid and up-to-date TLS certificates from a certificate authority.
- Select a strong signature algorithm (SHA-256 or better); certificates signed with SHA-1 or MD5 are deprecated.
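The three certificate problems named above (expired, self-signed, weak signature algorithm) can be checked directly against the DER-encoded certificate before a rescan is requested. The script below is an added example, not Bitsight's code or code from this page: it is stdlib-only Python with a minimal DER walker in place of a third-party X.509 library, and it runs over two certificates that the script itself constructs (dummy key, all-zero signature, so not real certificates from any host). The OID-to-name table, the finding labels, and the `dev.example.test` / `www.example.test` / `Example CA` names are assumptions made for the illustration.

```python
"""Offline checks for expired (or not yet valid), self-signed, and weakly signed certificates.
Stdlib only: a minimal DER walker replaces a third-party X.509 library.
The sample certificates are CONSTRUCTED here (dummy key, unsigned), not real ones."""
import datetime as dt

WEAK_SIG_ALGS = {                 # signature algorithm OIDs that should no longer be in use
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def der_tlv(buf, pos=0):
    """Decode one tag-length-value at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the content of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    """OID content octets -> dotted form, e.g. '1.2.840.113549.1.1.11'."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:           # base-128 arcs, high bit set on every octet but the last
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def decode_time(tag, value):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ) -> aware datetime."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def parse_certificate(der_bytes):
    """Extract serial, issuer, validity, subject and signature algorithm from a DER certificate."""
    _, cert, _ = der_tlv(der_bytes)
    tbs, sig_alg, _signature = der_children(cert)[:3]
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:      # explicit [0] version is absent on v1 certificates
        fields = fields[1:]
    serial, _tbs_alg, issuer, validity, subject = fields[:5]
    not_before, not_after = der_children(validity[1])
    return {"serial": int.from_bytes(serial[1], "big", signed=True),
            "issuer": issuer[1], "subject": subject[1],   # raw DER Names, compared byte-for-byte
            "not_before": decode_time(*not_before), "not_after": decode_time(*not_after),
            "sig_alg": decode_oid(der_children(sig_alg[1])[0][1])}

def check_certificate(cert, now):
    """Return finding-style messages for one parsed certificate (empty list = no issues)."""
    findings = []
    if now > cert["not_after"]:
        findings.append(f"expired on {cert['not_after']:%Y-%m-%d}")
    elif now < cert["not_before"]:
        findings.append(f"not valid before {cert['not_before']:%Y-%m-%d}")
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed (issuer equals subject)")
    if cert["sig_alg"] in WEAK_SIG_ALGS:
        findings.append(f"weak signature algorithm {WEAK_SIG_ALGS[cert['sig_alg']]}")
    return findings

# The DER encoder below exists only to construct the sample input.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))
def name(cn):                     # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, cn.encode()))))
def build_sample_cert(issuer_cn, subject_cn, not_before, not_after, sig_oid):
    """Constructed v3 certificate skeleton: dummy RSA SPKI, all-zero signature."""
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    validity = der(0x30, b"".join(der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
                                  for d in (not_before, not_after)))
    spki = der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, bytes(17)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01\x23\x45") + alg
                    + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + alg + der(0x03, bytes(33)))

def demo(now=dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)):
    """Run the checks over two constructed certificates as of `now`; returns {label: findings}."""
    samples = {
        "self-signed, expired, sha1": build_sample_cert("dev.example.test", "dev.example.test",
            dt.datetime(2022, 1, 1), dt.datetime(2023, 1, 1), "1.2.840.113549.1.1.5"),
        "CA-issued, valid, sha256": build_sample_cert("Example CA", "www.example.test",
            dt.datetime(2024, 1, 1), dt.datetime(2025, 1, 1), "1.2.840.113549.1.1.11"),
    }
    return {label: check_certificate(parse_certificate(blob), now) for label, blob in samples.items()}

if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {'; '.join(findings) or 'no issues'}")
```

The evaluation time is passed in rather than read from the clock so runs are reproducible. For a live host the same fields come out of `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -serial -issuer -subject -dates -text`; chain completeness and the enabled ciphers depend on the handshake itself and are not covered by this offline parser, which also does no signature verification and ignores extensions.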
Finding Behavior
Concept | Behavior |
---|---|
Refresh | The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated. Automated Scan Duration: 60 Days. User-Requested Refresh Duration: 3 Days. |
Remediated | A new finding is created and the old one needs to complete its lifetime. Findings with a certificate serial number identical to the previous record are considered to be the same finding. If the serial number is new, the previous finding's refresh status is marked as Asset Not Reached. |
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- November 29, 2023: Remediation and finding behavior recommendations.
- November 10, 2023: Linked to finding messages.