TLS/SSL Certificates is a Diligence risk vector. It evaluates the strength and effectiveness of the cryptographic keys within TLS and SSL certificates, which are used to encrypt internet traffic. Certificates are responsible for verifying the authenticity of company servers to associates, clients, and guests, and also serve as the basis for establishing cryptographic trust.
Risks
When communications are not properly secured or encrypted, traffic sent to the host is unencrypted. Personal customer or employee information, including passwords, can become visible to anyone observing the traffic and may lead to data breaches.
Grading
See how the TLS/SSL Certificates risk vector is graded.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Insufficient Data
A default risk vector grade is assigned if there's no data or data is insufficient.
This is set in the center of the grading scale for computing into Bitsight Security Ratings.
Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDNs), that are capable of redirecting and encapsulating network traffic. Some firewalls might also detect and block external data-gathering tools, so no data is collected.
Note: If there are no findings and we are temporarily unable to collect data, the most recent grade is retained for up to 400 days before the default grade is assigned.
Weight
The TLS/SSL Certificates risk vector contributes to the weight of the Diligence risk category; the weights of all risk vectors in that category together account for 70.5% of Bitsight Security Ratings.
Weight: 10%
Remediation
The most common issues with TLS/SSL certificates stem from:
- A lack of appropriate signatures (no root or leaf certificate in chain, self-signed certificate, expired certificate).
- The enablement of insecure ciphers.
Resources
Recommendations
- Use the Certificate Key Evidence field to identify the asset and then refer to the Remediation Instructions provided in the Finding Details.
- Review TLS/SSL Certificate findings. See all finding messages.
- Implement effective TLS/SSL certificates.
- Obtain valid and up-to-date TLS certificates from a certificate authority.
- Select a stronger signature algorithm (like SHA-256).
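To show what the remediation items above amount to in practice, here is an added example (not Bitsight's scanner and not code from the original page) that classifies a server certificate against the common issues listed: self-signed, expired, a weak signature hash, and a chain that does not reach a trusted root. It assumes the third-party `cryptography` package is installed; every certificate, key and name in it is constructed in-process, so it runs offline.

```python
"""Classify a server certificate against the common TLS/SSL certificate issues:
self-signed, expired, weak signature hash, and a chain that does not reach a root.

Added example; it assumes the `cryptography` package (pip install cryptography).
All certificates below are constructed in-process, so nothing touches the network.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Signature hashes that should not appear on a public-facing certificate.
WEAK_SIGNATURE_HASHES = {"md5", "sha1"}


def _validity_utc(cert: x509.Certificate):
    """Return (not_before, not_after) as aware UTC datetimes across cryptography versions."""
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def _chain_reaches_root(chain: List[x509.Certificate], roots: List[x509.Certificate]) -> bool:
    """Name-matching walk only (no signature verification): follow each issuer to the
    certificate whose subject matches it, and succeed once a trusted root's subject matches."""
    current, rest = chain[0], list(chain[1:])
    while True:
        if any(root.subject == current.issuer for root in roots):
            return True
        nxt = next((c for c in rest if c.subject == current.issuer), None)
        if nxt is None:
            return False  # the issuer is neither a trusted root nor in the chain sent
        rest.remove(nxt)
        current = nxt


def inspect_chain(chain: List[x509.Certificate], roots: List[x509.Certificate],
                  now: Optional[datetime] = None) -> Dict[str, object]:
    """chain[0] is the server (leaf) certificate, followed by the intermediates it sends."""
    now = now or datetime.now(timezone.utc)
    leaf = chain[0]
    issues: List[str] = []
    self_signed = leaf.issuer == leaf.subject
    if self_signed:
        issues.append("self-signed")
    not_before, not_after = _validity_utc(leaf)
    if not_after < now:
        issues.append("expired")
    elif not_before > now:
        issues.append("not-yet-valid")
    algo = leaf.signature_hash_algorithm
    hash_name = algo.name if algo is not None else "none"
    if hash_name in WEAK_SIGNATURE_HASHES:
        issues.append("weak-signature-" + hash_name)
    # A self-signed leaf already fails trust; only walk the chain for CA-issued leaves.
    if not self_signed and not _chain_reaches_root(chain, roots):
        issues.append("incomplete-chain")
    return {
        "serial": format(leaf.serial_number, "x"),
        "subject": leaf.subject.rfc4514_string(),
        "signature_hash": hash_name,
        "issues": issues,
    }


def _key():
    return ec.generate_private_key(ec.SECP256R1())


def _cert(subject_cn, issuer, signing_key, subject_key, days_valid, is_ca=False):
    """Build a constructed certificate; issuer=None makes it self-signed.
    A negative days_valid yields an already-expired certificate."""
    now = datetime.now(timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer if issuer is not None else subject)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(days=400))
        .not_valid_after(now + timedelta(days=days_valid))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(signing_key, hashes.SHA256())


def build_scenarios() -> Dict[str, Dict[str, object]]:
    """Constructed hierarchy: root -> issuing CA -> leaf, plus a self-signed expired leaf."""
    root_key, ca_key, leaf_key = _key(), _key(), _key()
    root = _cert("Example Root CA", None, root_key, root_key, 3650, is_ca=True)
    issuing = _cert("Example Issuing CA", root.subject, root_key, ca_key, 1825, is_ca=True)
    leaf = _cert("www.example.test", issuing.subject, ca_key, leaf_key, 90)
    legacy = _cert("legacy.example.test", None, leaf_key, leaf_key, -5)
    return {
        "good": inspect_chain([leaf, issuing], [root]),
        "missing_intermediate": inspect_chain([leaf], [root]),
        "self_signed_expired": inspect_chain([legacy], [root]),
    }


if __name__ == "__main__":
    for name, result in build_scenarios().items():
        print(name, result["serial"], result["issues"])
```

The chain walk matches names only; it tells you whether the server is sending the intermediates a client needs, not whether the signatures verify, which is the job of a full path validator such as the one in your TLS client.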
Rescan Base Duration
The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.
Automated Scan: 30 Days
Priority Scanning: Daily automated scans for EASM Enhanced customers, providing faster updates and continuous visibility into new exposures.
Instant Reply: Instant reply under Beta Program. See timeline for details.
Finding Behavior
The behavior of findings based on remediation and rescan statuses:
- New Certificate
- New Observation
- Remediated
- Replacement findings are not applicable.
New Certificate
Findings with a certificate serial number identical to the previous record are considered to be the same finding. If the serial number is new, the previous findings are considered remediated and stop impacting the rating.
New Observation
New observations immediately impact the grade and are assigned the full lifetime.
Remediated
- The newest finding improves the grade and impacts the grade for 60 days, as it completes its lifetime.
- The previous finding stops impacting the grade once remediated by taking the asset offline or issuing a new certificate.
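The finding behavior described above (same serial number means the same finding; a new serial number or an asset going offline remediates the previous finding; a finding impacts the grade for its 60-day lifetime) can be modeled as a small state machine. The following is an added example, not Bitsight's implementation; the observation stream, hostnames and serial numbers are constructed, and it assumes the lifetime window is counted from the most recent observation of the finding.

```python
"""Model how TLS/SSL Certificates findings open, refresh, remediate and age out.

Added example, not Bitsight's code. Assumes the 60-day lifetime runs from the
most recent observation of a finding; hostnames and serials are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

LIFETIME_DAYS = 60  # Lifetime of a TLS/SSL Certificates finding, per the page


@dataclass
class Observation:
    day: date
    asset: str
    serial: Optional[str]  # None: the asset was observed offline / served no certificate


@dataclass
class Finding:
    asset: str
    serial: str
    first_seen: date
    last_seen: date
    remediated_on: Optional[date] = None

    def impacts_grade_on(self, day: date) -> bool:
        """A finding counts from its first observation until it is remediated
        or its lifetime since the last observation has elapsed."""
        if day < self.first_seen:
            return False
        if self.remediated_on is not None and day >= self.remediated_on:
            return False
        return day < self.last_seen + timedelta(days=LIFETIME_DAYS)


def apply_observations(observations: List[Observation]) -> List[Finding]:
    """Replay observations in date order and return every finding ever opened."""
    findings: List[Finding] = []
    current: Dict[str, Finding] = {}  # asset -> the finding currently open for it
    for obs in sorted(observations, key=lambda o: o.day):
        open_finding = current.get(obs.asset)
        if open_finding is not None and open_finding.serial == obs.serial:
            open_finding.last_seen = obs.day  # same serial: same finding, refreshed
            continue
        if open_finding is not None:
            # New serial or asset offline: the previous finding is remediated.
            open_finding.remediated_on = obs.day
            del current[obs.asset]
        if obs.serial is not None:
            new_finding = Finding(obs.asset, obs.serial, obs.day, obs.day)
            findings.append(new_finding)
            current[obs.asset] = new_finding
    return findings


def impacting_serials(findings: List[Finding], day: date) -> List[str]:
    """Serials of the findings that still count toward the grade on a given day."""
    return [f.serial for f in findings if f.impacts_grade_on(day)]


# Constructed observation stream (not real scan data).
SAMPLE = [
    Observation(date(2025, 1, 10), "www.example.test", "0A1B"),
    Observation(date(2025, 2, 9), "www.example.test", "0A1B"),   # rescan, same certificate
    Observation(date(2025, 3, 1), "www.example.test", "7F2C"),   # new certificate issued
    Observation(date(2025, 1, 20), "mail.example.test", "5E5E"),
    Observation(date(2025, 4, 15), "mail.example.test", None),   # host taken offline
]


def run_sample() -> Dict[str, List[str]]:
    findings = apply_observations(SAMPLE)
    return {
        "2025-02-20": impacting_serials(findings, date(2025, 2, 20)),
        "2025-03-15": impacting_serials(findings, date(2025, 3, 15)),
        "2025-05-15": impacting_serials(findings, date(2025, 5, 15)),
    }


if __name__ == "__main__":
    for day, serials in run_sample().items():
        print(day, serials)
```

On 2025-03-15 the www host's original certificate no longer counts because its serial changed on 2025-03-01, while the replacement counts for 60 days from that observation; by 2025-05-15 nothing counts, since the mail host went offline and the replacement certificate has completed its lifetime.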
- October 23, 2025: Daily automated scans for EASM Enhanced customers
- September 9, 2025: SSL Cert rescan updates.
- June 25, 2025: Automated rescan duration is 30 days; Finding behaviors.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- November 29, 2023: Remediation and finding behavior recommendations.