- August 16, 2023: New Grading & Finding Behavior sections.
- May 11, 2020: Updated description.
The TLS/SSL Certificates risk vector evaluates the strength and effectiveness of the cryptographic keys within TLS and SSL certificates, which are used to encrypt internet traffic. Certificates are responsible for verifying the authenticity of company servers to associates, clients, and guests, and also serves as the basis for establishing cryptographic trust.
Risks
When communications are not properly secured or encrypted, traffic sent to the host are unencrypted. Personal customer or employee information, including passwords, can become publicly visible to observers and may lead to data breaches.
Grading
See how the TLS/SSL Certificates risk vector is graded.
Concept | Behavior |
---|---|
Lifetime | 60 Days |
No Findings |
Some findings cannot be traced back to specific companies due to the use of third party systems; such as web filters and Content Delivery Networks (CDN), that are capable of redirecting and encapsulating network traffic. Some firewalls might also be detecting and blocking external data gathering tools from getting any data. This is set in the center of the grading scale for computing into Bitsight Security Ratings. If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade. |
(Out of 70.5% in Diligence) |
10% |
Remediation
Review TLS/SSL Certificate findings.
- Review the Certificate Authority Best Practices and implement effective TLS/SSL certificates.
- Obtain valid and up-to-date TLS certificates from an industry certificate authority.
- Select a stronger signature algorithm (like SHA-256).
Finding Behavior
Concept | Behavior |
---|---|
Refresh |
Automated: 60 Days User-Requested: 3 Days |
Remediated |
A new finding is created and the old one needs to complete its lifetime.
Findings with a certificate serial number identical to the previous record are considered to be the same finding. If the serial number is new, the previous finding will have an Asset Not Reached refresh status. |