TLS/SSL Certificates Risk Vector – Bitsight Knowledge Base

TLS/SSL Certificates is a Diligence risk vector. It evaluates the strength and effectiveness of the cryptographic keys within TLS and SSL certificates, which are used to encrypt internet traffic. Certificates are responsible for verifying the authenticity of company servers to associates, clients, and guests, and also serves as the basis for establishing cryptographic trust.

See data collection methods.

Risks

When communications are not properly secured or encrypted, traffic sent to the host are unencrypted. Personal customer or employee information, including passwords, can become publicly visible to observers and may lead to data breaches.

Grading

See how the TLS/SSL Certificates risk vector is graded.

Concept

Behavior

Lifetime

Duration: 60 Days

Insufficient Data

This is set in the center of the grading scale for computing into Bitsight Security Ratings.

Some findings cannot be traced back to specific companies due to the use of third party systems; such as web filters and Content Delivery Networks (CDN), that are capable of redirecting and encapsulating network traffic. Some firewalls might also be detecting and blocking external data gathering tools from getting any data.

❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.

Weight

Percentage (out of 70.5% in Diligence): 10%

Remediation

The most common issues with TLS/SSL certificates stem from:

A lack of appropriate signatures (no root or leaf certificate in chain, self-signed certificate, expired certificate).
The enablement of insecure ciphers.

Resources

Recommendations

Use the Certificate Key Evidence field to identify the asset and then refer to the Remediation Instructions provided in the Finding Details.
Review TLS/SSL Certificate findings. See all finding messages.
Implement effective TLS/SSL certificates.
Obtain valid and up-to-date TLS certificates from a certificate authority.
Select a stronger signature algorithm (like SHA-256).

Finding Behavior

See:

Concept

Behavior

Rescan

The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.

Automated Scan Duration: 60 Days

User-Requested Rescan Duration: 3 Days

Remediated

A new finding is created and the old one needs to complete its lifetime.

New findings: Immediately impacts the grade and is assigned its lifetime.
Remediated findings:
- Newest finding: Improves the grade and impacts the grade for 60 days, as it completes its lifetime.
- Previous finding: Continues to impact the grade for its remaining lifetime (up to 60 days).

Findings with a certificate serial number identical to the previous record are considered to be the same finding. If the serial number is new, the previous finding’s rescan status is marked as Asset Not Found.

Asset Not Reached finding rescan status, Asset Not Found finding rescan status

March 25, 2024: “No findings/low findings” changed to “insufficient data.”
November 29, 2023: Remediation and finding behavior recommendations.
November 10, 2023: Linked to finding messages.