Let’s Encrypt is a free, automated, open certificate authority (CA) run for the public’s benefit as a service from the Internet Security Research Group (ISRG). It provides free digital certificates to enable HTTPS (SSL/TLS) for websites via user-friendly means.

Earlier this week, Let’s Encrypt announced that a bug in its validation code forced it to revoke more than 3 million certificates. The bug allowed subscribers (under specific circumstances and for a limited period) to issue certificates to a domain name even after the domain name holder explicitly prohibited the issuance of certificates through the use of DNS CAA.

This blog explains the implications of the incident. It provides details on the impact it can have on organizations utilizing Let’s Encrypt revoked certificates. It outlines steps for remediation and provides a link to Qualys CertView, a free tool that can be used to identify all affected certificates in users’ environments.

Continue reading …

Visibility and control of digital certificates remains a challenge for even the largest enterprises, as evidenced by a high profile incident this week affecting Microsoft’s LinkedIn. Users accessing LinkedIn on Tuesday got a warning from their browsers alerting them about an insecure connection. The culprit: An expired TLS certificate.

In a statement to the press, LinkedIn said it experienced a “brief delay” in updating a digital certificate, and stated that member data wasn’t affected. Yet, the incident spotlights a nagging issue that frequently trips even the most technically savvy companies in the world: Digital certificate management.

Qualys SSL Labs’ SSL Pulse, which monitors the quality of SSL/TLS support across 150,000 of the most popular websites in the world, rated about 33% of the sites monitored as having inadequate security in its May report. A few thousand of these sites had expired certificates.

Continue reading …

Recently new vulnerabilities like Zombie POODLE, GOLDENDOODLE, 0-Length OpenSSL and Sleeping POODLE were published for websites that use CBC (Cipher Block Chaining) block cipher modes. These vulnerabilities are applicable only if the server uses TLS 1.2 or TLS 1.1 or TLS 1.0 with CBC cipher modes.

Update May 30, 2019: The grade change described below is now live on https://www.ssllabs.com/

Continue reading …

The Qualys Training team has expanded the AssetView & Threat Protection course, and added two new training series: CertView and Troubleshooting Scanner Appliance Error Codes.

These new additions build on last month’s update, when we introduced the new Vulnerability Management learning path, which takes you from the fundamentals through advanced topics, and ensures you have a complete foundation in Qualys technology.

The Qualys Training team brings you these updates to help you learn quickly how to get the most value from your Qualys subscription. Read on for more detail on what’s new this month.

Continue reading …

How many digital certificates are in use in your organization? When do they expire? Do you have a way of discovering digital certificates from unapproved Certificate Authorities?

Most organizations can’t answer these questions with complete certainty, because they lack the necessary visibility and control over their certificates. This creates the potential for security lapses, since SSL/TLS certificates are critical for the integrity and protection of a host of e-business functions.

With proper certificate management, organizations can cut their risk of breaches and unplanned outages, and continuously and effectively protect their digital assets, Asif Karel, a Qualys Director of Product Management, said recently during a webcast.

Since their creation in the mid-1990s, digital certificates have provided security for Internet traffic. They’re meant to ensure the confidentiality, authenticity, integrity and non-repudiation of online communications in public-facing online services, internal services, machine-to-machine communications, public cloud services and API integrations.

During his webcast, Karel outlined the current challenges organizations face with certificate visibility, and explained how Qualys can help with CertView, a free app available now.

Continue reading …

This release of the Qualys Cloud Platform version 2.33 includes the release for CertView, plus updates and new features for AssetView, Cloud Agent, EC2 Connector, Security Assessment Questionnaire, Web Application Scanning, and Web Application Firewall, highlights as follows.  (This posting has been edited to include an update to WAS that is available in a patch release.)

Continue reading …

Digital certificate management is in an inadequate state at most organizations, a serious problem, considering that SSL/TLS certificates are critical for a host of e-business functions.

“If you’re doing something on the Internet, you’re using SSL,” Asif Karel, a Qualys Director of Product Management, said at the RSA Conference 2018.

Specifically, digital certificates are used to ensure the confidentiality, authenticity, integrity and non-repudiation of public-facing online services, internal services, machine-to-machine communications, public cloud services and API integrations.

During his presentation, Karel outlined the current challenges organizations face with certificate visibility, and explained how Qualys can help with CertView, a free app available now.

Continue reading …