Last week, on Thursday 30 September, a root certificate from Let’s Encrypt expired. This is not uncommon in itself, but as the certificate had no update or alternative, it meant that all domains and subdomains running the certificate were suddenly no longer listed as SSL / TLS-secured. The result: thousands of web pages and applications failed and were unable to serve the content people requested. What went wrong? And what can organisations do to fix similar issues in the future?
Importance of root certificates
Let’s Encrypt is an open Certificate Authority, providing organisations with the security certificates to enable HTTPS on domains. Last Friday, one of their root certificates was set to expire, specifically the IdenTrust DST Root CA X3 certificate. That caused a problem for all of the security certificates that Let’s Encrypt had issued to their customers with this root’s private key. With the root certificate gone, every security certificate chaining to it was suddenly missing its trusted foundation. Thus, tons of websites were no longer seen as secure and wouldn’t load.
Now, Let’s Encrypt provides their services for free, for the benefit of the internet. It doesn't seem fair to put the blame on them, or on any single organisation we rely on on the internet. Events like this are risks that need to be taken into account. Still, plenty of organisations were left to their own devices, having to implement a workaround for the problem.
Know your certificate supply chain
Your organisation’s online services get their security stamp of approval from these certificates. Knowing where your dependencies lie, so that you can act when something goes wrong, is critical to keeping your processes running. This is all part of your organisation’s attack surface.
When you have an overview of your digital assets and the certificate supply chain, you are also able to run specific queries to find the certificates that might cause a problem. For our clients, we were able to run the following simple CyberQL command:
certificate.issuer_organization = "Let's encrypt"
and immediately get a list of all Let’s Encrypt certificates within their attack surface. From there, we are able to filter on details and see if any have expired – or better yet: are about to expire. When combined with automated alerts, you can take action before your online services are disrupted.
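An added example (not from the original post, and not CyberQL's own code) that applies the same idea to a constructed certificate inventory: it filters on the issuer organisation the way the command above does, then checks the whole chain rather than only the leaf, because on 30 September the leaf certificates themselves had not expired; the root they depended on had. Hostnames, chain members and dates are constructed sample values, and the check date is assumed to be 1 October 2021.

```python
from datetime import datetime, timezone

def _cert(subject, issuer_org, year, month, day):
    # One certificate as an asset-inventory tool might store it.
    return {"subject": subject, "issuer_organization": issuer_org,
            "not_after": datetime(year, month, day, tzinfo=timezone.utc)}

# Constructed sample inventory (illustrative values, not real certificate data).
# Each record is one deployed certificate with its chain listed leaf first, root last.
INVENTORY = [
    {"host": "www.example.com", "chain": [
        _cert("www.example.com", "Let's Encrypt", 2021, 12, 15),           # leaf still valid
        _cert("R3", "Digital Signature Trust Co.", 2025, 9, 15),           # cross-signed intermediate
        _cert("DST Root CA X3", "Digital Signature Trust Co.", 2021, 9, 30)]},  # root expired
    {"host": "api.example.com", "chain": [
        _cert("api.example.com", "Let's Encrypt", 2021, 10, 20),           # leaf expiring soon
        _cert("R3", "Internet Security Research Group", 2025, 9, 15),
        _cert("ISRG Root X1", "Internet Security Research Group", 2035, 6, 4)]},
    {"host": "shop.example.com", "chain": [
        _cert("shop.example.com", "Other CA Inc", 2022, 3, 1),
        _cert("Other CA Root", "Other CA Inc", 2030, 1, 1)]},
]
CHECK_DATE = datetime(2021, 10, 1, tzinfo=timezone.utc)  # assumed "today"

def issued_by(record, org):
    # Case-insensitive match on the leaf's issuer, like the query above ("Let's encrypt").
    return record["chain"][0]["issuer_organization"].casefold() == org.casefold()

def weakest_link(chain):
    # A chain is only trusted until its earliest-expiring member, whichever level that is.
    return min(chain, key=lambda c: c["not_after"])

def find_at_risk(inventory, org, now, within_days=30):
    # (host, weakest chain member, days left) for certificates issued by `org`
    # whose chain has already expired (negative days) or expires within `within_days`.
    hits = []
    for rec in inventory:
        if not issued_by(rec, org):
            continue
        weak = weakest_link(rec["chain"])
        days_left = (weak["not_after"] - now).days
        if days_left <= within_days:
            hits.append((rec["host"], weak["subject"], days_left))
    return hits

if __name__ == "__main__":
    for host, subject, days in find_at_risk(INVENTORY, "Let's encrypt", CHECK_DATE):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{host}: chain member {subject!r} {state}")
```

Feeding the result into an alerting rule gives the early warning the post describes; lowering `within_days` or raising it trades noise against lead time.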
Want to learn more about attack surface management? Read our blog on how you can detect the risks within your attack surface.