View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
May 22, 2019updated 23 May 2019 6:38pm

LinkedIn Lets SSL Certs Lapse (Again)

LinkedIn guilty of the same issue in 2017

By CBR Staff Writer

Desktop users logging in to LinkedIn this week were briefly warned by their browsers that doing so was likely to be insecure  after the Microsoft-owned platform let an SSL certificate expire; an embarrassing lapse for a social network with 610 million-plus users.

The issue – which affected the short link Tuesday afternoon   was pointed out to the company by a range of users, including Texas-based Forcepoint‘s Carl Leonard, who noted that it is the second time LinkedIn has let this happen; a cert also expired in 2017.

LinkedIn SSL Lapse: Not the First Time…

He told Computer Business Review in an emailed comment: “Large organisations with hundreds of millions of users globally should be setting the standard for security practices and unfortunately this is the second time that LinkedIn failed to update their SSL certificate, effectively putting user data and privacy at risk.”

Read this: Certificate Management: Avoiding a World of Pain

“Although this expired certificate only appeared to affect desktop users of LinkedIn, users had to rely on their browsers to alert them to the risks associated with the site. In some cases this may have led to confusion or encourage users to override error messages without understanding the security implications.”

Easily Done, but No Excuse…

SSL certificate expiration can have sharp knock-on consequences on both the consumer and enterprise side: users run the risk of their personal information being stolen via man-in-the-middle attacks, while website owners typically face a notable decline in sales and corporate revenue, along with reputation.

The timing was unfortunate for LinkedIn, coming as it did the day it launched a redesigned homepage for its Sales Navigator function (designed to make it easier for sales teams to identify company changes and improve CRM integrations.) The harm appears to have been minimal however.

Others have got off less lightly: December 2018’s outage for tens of millions of mobile customers using O2, Softbank, and other services was ultimately attributed to a certificate outage, which then caused the failure of the Ericsson systems that provided data to their mobile devices. 2017’s massive Equifax data breach was also due in part to the failure of a system set to monitor data exfiltration, which suffered a certificate expiration and ceased to operate.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

A wide range of companies provide automated certificate monitoring and replacement; essential to protect against unexpected expirations. LinkedIn has little excuse for letting it happen…

Sectigo’s Tim Callan told Computer Business Review: “[In today’s complex IT climate] enterprises face the real risk of a developer group standing up critical services without coordinating their certificate deployment with central IT.  These embedded groups often lack the disciplined PKI practices that central IT may have developed over the years.  As a result, critical systems may depend on unknown certificates, which can be ticking time bombs that could expire on any given day.”

He added: “High visibility certificate expirations unfortunately are quite common among major technology services.  Certificate discovery can scan the enterprise’s full network space, finding unknown certificates and bringing them under central IT’s management.  In addition to avoiding surprise expirations, central IT will also be able to ensure all certificates meet external compliance requirements as well as internal certificate standards.”

See also: DigiCert CEO John Merrill on Symantec, “Hellacious” Projects, Fake News and Quantum Certificates

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.