In theory, SSL certificates are easy to manage. You install them on your server, periodically use special tools to monitor for potential SSL vulnerabilities, and once every year or two, you renew your certs. It seems straightforward when you have just one or a few certificates to look after.
You can set a reminder for the expiration date, and your CA will also notify you via email. Moreover, leading CAs offer automated certificate management tools to help large companies manage hundreds of SSL certificates. Nevertheless, SSL expirations are still prevalent across different industries, and when they hit a large company or institution, the losses incurred may amount to millions of dollars, not to mention the high security risks they create.
When an SSL certificate expires, it brings all kinds of trouble to your brand. Browsers flag your website as Not Secure, visitors see red security warnings, customers move to the competition, and your reputation is in ruins. While large companies may get away with just a stain on their image, small and medium-sized businesses could suffer serious damage, all because they forgot to renew their certificates on time.
Recent history isn't short of case studies when it comes to SSL expiration. From government websites to social media networks and gaming apps, all are guilty of missing their SSL renewal deadline. Below, we present five instances when big organizations let their SSL certificates expire:
US government lets dozens of certs expire during shutdown
When Donald Trump and the Democrats refused to compromise on the Mexican wall funding, thousands of employees were furloughed for 30 days or longer. As a result, dozens of federal websites ranging from the U.S. Department of Justice to NASA saw their certificates expire. With no admins to renew the certs, several websites with tighter security standards became inaccessible. The whole debacle jeopardized users' sensitive data and encouraged hackers to use man-in-the-middle attacks on affected sites.
UK Conservative party lets SSL certificate expire
Across the Atlantic, in the British Isles, there were no shutdowns to disturb the usual flow of work. But it seems that Brexit has taken its toll not only on the politicians but on the system admins as well. In what a Twitter user labeled as "an embarrassing gaffe", someone forgot to renew the UK Conservative Party's SSL certificate. This is a prime example of how an avoidable security breach could damage a political party's volatile reputation. As if Brexit was not enough, the Tories had to deal with "Certxit" too.
An expired SSL certificate takes millions of smartphones down
Away from politics, in the tech world, which presumably should have far better security standards, Swedish telecommunications company Ericsson experienced a massive network outage that affected almost dozens of countries and took millions of smartphones down. The reason? An expired SSL certificate. A small digital file created chaos across the Ericsson network, with company representatives admitting that the incident was entirely preventable.
LinkedIn lets its certificates expire twice in two years
As if one SSL expiration is not enough to raise serious questions about a company's security practices, social media giant LinkedIn topped the headlines twice for all the wrong reasons. First, certificate mismanagement let LinkedIn's SSL cert for country subdomains expire. Then, one year later, the expired SSL cert for the link shortener lnkd.in created outages in the UK and US. In both instances, the social media company swiftly renewed its certificates, but the downtime still affected not only its image but its customers and partners as well.
Pokemon Go suffers SSL expiration outages
When Pokemon Go took the gaming world by storm, millions of users worldwide hunted Pokemon in the most peculiar places. Popular as it was, one day the game went down because Niantic, the company behind it, forgot to renew its SSL certificates. While the outage lasted only half an hour, such a blunder shouldn't happen at a large gaming company.
Judging by the above examples, managing SSL certificates isn't always easy. With so many companies caught off guard by SSL expiration, the need for automation is higher than ever. Many CAs already provide automated renewal services. It's up to businesses to take a step forward and ensure their certificates never expire again.