Desktop users logging in to LinkedIn this week were briefly warned by their browsers that doing so was likely to be insecure – after the Microsoft-owned platform let an SSL certificate expire; an embarrassing lapse for a social network with 610 million-plus users.
The issue – which affected the lnkd.in short link Tuesday afternoon – was pointed out to the company by a range of users, including Texas-based Forcepoint‘s Carl Leonard, who noted that it is the second time LinkedIn has let this happen; a cert also expired in 2017.
LinkedIn SSL Lapse: Not the First Time…
He told Computer Business Review in an emailed comment: “Large organisations with hundreds of millions of users globally should be setting the standard for security practices and unfortunately this is the second time that LinkedIn failed to update their SSL certificate, effectively putting user data and privacy at risk.”
Read this: Certificate Management: Avoiding a World of Pain
“Although this expired certificate only appeared to affect desktop users of LinkedIn, users had to rely on their browsers to alert them to the risks associated with the site. In some cases this may have led to confusion or encourage users to override error messages without understanding the security implications.”
Easily Done, but No Excuse…
SSL certificate expiration can have sharp knock-on consequences on both the consumer and enterprise side: users run the risk of their personal information being stolen via man-in-the-middle attacks, while website owners typically face a notable decline in sales and corporate revenue, along with reputation.
The timing was unfortunate for LinkedIn, coming as it did the day it launched a redesigned homepage for its Sales Navigator function (designed to make it easier for sales teams to identify company changes and improve CRM integrations.) The harm appears to have been minimal however.
Others have got off less lightly: December 2018’s outage for tens of millions of mobile customers using O2, Softbank, and other services was ultimately attributed to a certificate outage, which then caused the failure of the Ericsson systems that provided data to their mobile devices. 2017’s massive Equifax data breach was also due in part to the failure of a system set to monitor data exfiltration, which suffered a certificate expiration and ceased to operate.
A wide range of companies provide automated certificate monitoring and replacement; essential to protect against unexpected expirations. LinkedIn has little excuse for letting it happen…
Sectigo’s Tim Callan told Computer Business Review: “[In today’s complex IT climate] enterprises face the real risk of a developer group standing up critical services without coordinating their certificate deployment with central IT. These embedded groups often lack the disciplined PKI practices that central IT may have developed over the years. As a result, critical systems may depend on unknown certificates, which can be ticking time bombs that could expire on any given day.”
He added: “High visibility certificate expirations unfortunately are quite common among major technology services. Certificate discovery can scan the enterprise’s full network space, finding unknown certificates and bringing them under central IT’s management. In addition to avoiding surprise expirations, central IT will also be able to ensure all certificates meet external compliance requirements as well as internal certificate standards.”