Every day people use the internet to buy new clothes, manage their bank accounts and view their health records. This information is sensitive and needs to be kept safe, and the main mechanism for this is encryption. For the internet, this means wrapping the language of the web, Hypertext Transfer Protocol (HTTP), in SSL (Secure Sockets Layer), making HTTPS. Using SSL adds a layer of security to the HTTP protocol by encrypting the transferred data.
SSL provides three main security benefits:
- Confidentiality: SSL ensures that data transferred between your company and your client cannot be seen by someone else.
- Integrity: It validates that the data being sent to and from your client is the data that is expected to be sent and received.
- Authentication: It guarantees that your client is doing business with your company – not someone pretending to be your company.
HTTPS vs. SSL
You can create a Web Monitor in Catchpoint which uses HTTPS to connect to your website. This gives you visibility into the performance of your website, including SSL time – the time to complete the SSL handshake and make an SSL connection. This is a great approach for monitoring the application but falls short for monitoring the SSL configuration itself.
For example, what happens if the certificate expires? Or even worse, what if the certificate has been revoked due to a data breach? Monitoring your SSL certificate can immediately make you aware of these incidents, which is why Catchpoint has introduced the SSL monitor. This monitor helps ensure the connection is safe by validating that the certificate has not been revoked or changed, along with certificate pinning and specialized alerts.
What is SSL?
SSL is a security protocol used to secure the connection between a client and a server. The client in the case of HTTPS is the browser. When the browser makes a secure connection with a website, the browser validates the server’s certificate. If the certificate is not valid, the browser will display a warning message to the user. Since the connection is not secure, most users will not proceed to the site, costing you user traffic and potential revenue. Therefore, it’s necessary that all companies monitor the validity of their certificates.
Using SSL prevents Man-in-the-Middle attacks, in which a hacker pretends to be the server to the client and the client to the server, manipulating the communication between the two.
SSL prevents this because the attacker would need to know the private key of the certificate to decrypt the information being sent, and that key is typically known only to the owner of the certificate. However, a compromised certificate means that a third party can monitor communications (breaking confidentiality), modify data (breaking integrity), and pretend to be either the client or the server (breaking authentication).
If a certificate is compromised and revoked, the SSL monitor will detect this, as it verifies revocation lists. If a certificate is replaced by a fake, the SSL monitor will detect it using pinning. Within the SSL monitor, these options can be configured to strengthen the validation of the certificate being tested.
Catchpoint SSL configurations
When a certificate has been compromised, it is imperative that all servers stop trusting the insecure certificate. The certificate is put on the Certificate Revocation List (CRL) which the browser checks to validate the certificate. However, depending on the customer’s Operating System or configuration, there may be a delay in obtaining the latest CRL. With the SSL test at Catchpoint, we always check the revocation list. Although most enjoy this automatic feature, we do allow users to disable it.
While using the SSL monitor, you have the option to perform certificate pinning. You can upload a certificate, which is compared to the certificate presented during the test. Certificate pinning validates that the two certificate thumbprints are the same. If a malicious actor changes your certificate without permission, Catchpoint will alert you.
Public Key Pinning
Public key pinning is the same as certificate pinning; however, instead of comparing the thumbprints, the check is done using the public key. Pinning is a great validation check because if a certificate has been tampered with, then the thumbprint and/or public key would not be the same as in the uploaded certificate. This helps to ensure that the certificate is secure and continues to be safe.
Alert on Weak Algorithm
There are several types of algorithms used to sign certificates. Some are stronger than others because of the hashing technique used and the length of the result. Catchpoint will let you know if the algorithm your certificate uses is weak. If so, you should change out your certificate for one that uses a better signing mechanism. This is important because certain browser configurations do not support weak algorithms, so you are missing out on potential customers who use those browsers. For example, SHA-1 has been deprecated and is no longer allowed by Google Chrome.
Alert on Certificate Expiration
Certificates are only valid for a fixed period of time. Once the certificate has expired, the certificate will fail everywhere, and your customers will no longer be able to access your site. Catchpoint gives you the ability to alert ahead of expiration with a configurable days-until-expiration alert. Your company will not have to worry about forgetting the certificate expiration date, as Catchpoint will remind you. Accidentally letting your certificates expire is more common than you think: just last year it happened to LinkedIn and Pokemon Go, among others.
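As an added example (not Catchpoint's code or the SSL monitor's implementation), the script below reproduces the four checks described above, certificate pinning (thumbprint), public key pinning (hash of the public key), the weak signature algorithm alert and the days-until-expiration alert, using the openssl command line on two locally generated self-signed certificates that share one key pair. The key, the certificates, the file names and the subject example.test are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Catchpoint's code: reproduce the checks the post describes
# with the openssl CLI on two locally generated self-signed certificates.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed key pair and two certificates that share it; cert2 stands in for a
# routine renewal that keeps the same key. The subject example.test is made up.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/key.pem" 2>/dev/null
for n in 1 2; do
  openssl req -x509 -new -key "$WORK/key.pem" -subj "/CN=example.test" \
    -days $(( n * 30 )) -out "$WORK/cert$n.pem" 2>/dev/null
done

# Certificate pinning: SHA-256 thumbprint of the entire DER-encoded certificate.
# It changes whenever the certificate is reissued, even with the same key.
cert_thumbprint() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Public key pinning: SHA-256 of the DER SubjectPublicKeyInfo, base64-encoded.
# It stays stable across reissues as long as the key pair is unchanged.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64 -A
}

# Weak-algorithm alert: the signature algorithm recorded in the certificate
# (a value such as sha1WithRSAEncryption would trigger the alert).
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Expiration alert: succeeds only if the certificate is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

for n in 1 2; do
  c="$WORK/cert$n.pem"
  echo "cert$n thumbprint:  $(cert_thumbprint "$c")"
  echo "cert$n SPKI pin:    $(spki_pin "$c")"
  echo "cert$n signed with: $(sig_alg "$c")"
  valid_for_days "$c" 45 && echo "cert$n still valid in 45 days" \
                         || echo "cert$n expires within 45 days"
done
```

Running it shows the two thumbprints differ while the two SPKI pins match, which is why a monitor pinned on the public key survives a routine renewal but a monitor pinned on the thumbprint must be updated with every new certificate.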
Overall, Catchpoint’s SSL monitor helps you ensure that your certificate is kept valid and thus the information being passed between the client and the server stays secure. You can trust that the HTTPS connection will continue to work properly and in the case of your certificate being compromised, Catchpoint will notify you immediately.
This post was co-written by Kimberly Tobias and Anand Patil of Catchpoint.