Risks of Self-Signed Certificates

Why You Need SSL Certificates?

On any average day, you could be logging in to your bank account to make financial transactions. You might visit your health insurance provider’s online portal. You could be signing in to your email provider, or using your email account to log in to a bunch of web applications for your daily job. That is a lot of sensitive data being sent and received in a regular web browsing session, and your data transfer needs to be secure. 

HTTPS, the secure version of HTTP, ensures safe and secure data transfer between your web browser and any website on the internet by encrypting underlying data. A padlock on the URL bar indicates that the website uses HTTPS, meaning your browsing session is secure. Otherwise, your browser will warn you that the website is ‘not secure’. 

HTTPS uses the Secure Sockets Layer (SSL) protocol for data encryption (also known as Transport Layer Security – TLS). SSL encryption needs two components to work – a public key and a private key. The private key is stored on a web server, and only the website owner can access it. Meanwhile the public key is made available to anyone who wishes to interact with the web server in a secure manner. The website uses the private key to decrypt data that is encrypted using the public key. 

Control Your Certificates Before They Go Rogue!

That’s where SSL certificates come into play. Essentially, an SSL certificate is a data file hosted on the website’s origin server that contains the following information:

    • Name of the Certificate Authority (CA) that issued the certificate
    • Issuing CA’s digital signature
    • Website domain name the certificate was issued for
    • Name of the person, organization, or device it was issued to 
    • All associated sub-domains
    • Issue date and expiration date of the certificate
    • The Public Key

Here’s why your website needs an SSL certificate:

1. SSL Encryption

Any web browser attempting to communicate with a website will reference its SSL certificate in order to obtain the public key, encrypt data and carry out secure communication. Since SSL certificate contains the public key, it becomes SSL/TLS encryption becomes important.

2. Authentication

Before exchanging sensitive user information, the web client i.e the browser needs to verify it is communicating with the right server that actually owns the domain. To do this, browsers verify the identity of the website by checking domain ownership information contained on the SSL certificate. This protects against domain spoofing attacks. 

Risks of Self Signed Certificates

What are Self-signed SSL Certificates?

SSL certificates are usually issued by well-known, publicly trusted CAs. Some large organizations have their own dedicated internal public key infrastructure (PKI), and function as a private certificate authority to issue SSL certificates. Such certificates are ‘privately trusted’ and used to authenticate users and devices on an internal network. 

However, it is also possible to issue a certificate that is not signed by any CA, public or private. Instead of requesting a private key from a CA, a self-signed certificate is signed with its own private key. Self-signed certificates are created, issued, and signed by the company or developer responsible for maintaining the website that needs to be signed. Self-signed certificates are free, and might work for internal websites. While this could be a way to reduce costs on certificates for internal-facing websites, it can open up organizations to serious security risks.

Security Risks of Self-signed SSL Certificates

  • Unsafe Browsing Habits: When a browser encounters a website with a self-signed certificate, it throws up a warning that says ‘This connection is not secure’. Users are required to accept the risk for accessing the website content, by ignoring error messages like “error_self_signed_cert” or “err_cert_authority_invalid”. Users could get accustomed to ignoring such security warnings, resulting in risky behavior even on public websites. This could make your organization vulnerable to malware and other cyber attacks.
  • Lack of Visibility: Self-signed certificates can be obtained by bypassing the formal request and approval processes. Because of this, such certificates can create security blind spots in your network infrastructure. It is nearly impossible to keep track of how many certificates exist, where the certificates are installed, who owns each certificate, and how the private key is stored. If your corporate network is breached, you would have no way of knowing if it was due to a self-signed certificate and its private key being compromised.
  • Lack of Control over Certificates: Since it is not possible to maintain an inventory of self-signed certificates, organizations will lack visibility into the issue dates and expiry dates of such certificates. It is quite possible that at any point, multiple certificates might have expired without your knowledge. This leaves your network vulnerable. Attackers can spoof self-signed certificates to perform man-in-the-middle (MITM) attacks. Trouble is, even if you pinpoint the network breach to a particular certificate, self-signed certificates cannot be revoked. This inability to revoke the private key associated with a self-signed certificate is a serious security risk.
  • Loss of Web Traffic: Modern web browsers are equipped to detect websites without credible certificates. Even the absence of visual trust indicators like a padlock symbol on the URL bar and ‘HTTPS’ in front of the domain name, can be seen as a red flag for most seasoned web users. When users try to access your website with a self-signed certificate, they would face an error message informing them that the signing entity is not trustworthy. Users are asked if they are willing to accept the risks and proceed to access the website content. This could potentially turn away visitors who are wary of security risks. Moreover, this directly affects conversions to leads, prospects, and paid customers, i.e, self-signed certificates can cause loss of business. Not to mention the damage to your brand’s reputation and the erosion of customer trust.

Conclusion

Organizations need not compromise on a secure certificate infrastructure to save on costs. AppViewX makes it possible to easily deploy SSL certificates and monitor them throughout the certificate lifecycle, without making heavy investments in hardware or security professionals. Schedule a call with one of our experts to learn more about our turnkey solutions for certificate lifecycle management.

Let’s get you started on your certificate automation journey

Tags

  • certificate lifecycle management
  • Certificate Management
  • SSL Certificate Lifecycle Management

About the Author

Want more great content?

Subscribe to our blog to get tech tips, industry news, and thought leadership articles right in your inbox!

Related Articles

| 5 Min Read

Cyberattack shuts down Ecuador’s largest bank, Banco Pichincha

| 5 Min Read

Are You Aware of Every Certificate Used in Your Enterprise?

| 6 Min Read

Machine Identity Management Trends – 2022 and Beyond