Identify and fix vulnerabilities in your SSL certificates
Posted on 25 February 2014.
DigiCert announced DigiCert Certificate Inspector, a tool designed to quickly find problems in certificate configuration and implementation, and provide real-time analysis of an organization's entire certificate landscape, including SSL termination endpoints.

SSL/TLS certificates are a key defense against unwanted surveillance of online user activity. Yet, too often system administrators fail to properly configure certificates, unknowingly leaving open vulnerabilities.

Keeping up with the latest security best practices as well as monitoring certificates is a daunting task, particularly for enterprises managing thousands of certificates. Frequently, manual tracking processes are used, which introduce human error and result in downtime or unknown security vulnerabilities such as configuration with cipher suites vulnerable to CRIME, BEAST, BREACH or other attacks.

In other cases, departments outside of IT might deploy their own certificates, creating a blind spot for Administrators. This also can lead to configuration challenges that downgrade the effectiveness of the SSL certificates upon which organizations rely.

With Certificate Inspector, security professionals can discover forgotten, neglected or misconfigured certificates, and identify potential vulnerabilities, such as weak keys, problematic ciphers and expired certificates. For each potential threat detected, the tool provides a list of remediation activities.

Certificate Inspector scans the user's network, detecting all certificates in use, inspects SSL configuration and implementation, and then displays the results in an intuitive and interactive dashboard.

Security professionals can use the tool to:
  • Establish their security baseline with a real-time, comprehensive overview of SSL certificates and their termination endpoints across the entire network.
  • Detect vulnerabilities via scanning for problematic certificates or server configurations and easily review results using Certificate Inspector's intuitive dashboard.
  • Analyze security data points either by aggregate or specific to each certificate and endpoint.
  • Mitigate discovered vulnerabilities, such as BEAST, and lack of compliance with industry guidelines such as the CA/Browser Forum Baseline Requirements, through recommended steps.
  • Renew expiring certificates through DigiCert's express provisioning process.
  • Archive snapshots from each detection event to document improvements over time.
  • Run reports from any location with DigiCert's cloud-based administrative controls.
Using a proprietary algorithm, the Certificate Inspector analyzes SSL certificates and termination endpoints for many security factors, including:
  • Weak keys, ciphers and hash algorithms
  • SSL/TLS versions
  • Expiring certificates
  • TLS renegotiation
  • Perfect Forward Secrecy
  • Configuration vulnerability to CRIME, BREACH, BEAST, etc.
  • Mismatched server/certificate names
  • Missing AIAs.
For each SSL certificate and termination endpoint, administrators receive a vulnerability report, a corresponding grade and a quick list of best practices for mitigating discovered weaknesses.

"By providing actionable information about certificate configuration and deployment status, combined with remediation tools, DigiCert helps organizations close the gap between certificate procurement and secure certificate deployment," said DigiCert CEO Nicholas Hales. "The deployment of securely configured certificates is an important line of defense against unwelcomed surveillance. Certificate Inspector will help organizations shine a light on the areas within their network that could pose lurking threats. We believe that this tool can build upon the efforts of others in the security community to improve online trust in a new, tangible way."

