
Root SSL Certificate Expiry and What Happens Next for Brands

A root certificate used by Let’s Encrypt has expired and caused problems for some companies and users.


The root certificate that expired on 30 September 2021 is the IdenTrust DST Root CA X3. It was created in 2000, with a validity period from 30 September 2000 to 30 September 2021. Most people probably won’t be affected by this expiry, but certain groups of people or companies have definitely run into problems because of it, particularly those that are still using old devices, old system infrastructure or old versions of operating systems.

To understand why this happens, it helps to know how Certificate Authorities (CAs) and SSL certificate chains work, and in particular the concept of the chain of trust, which is the foundation of the entire SSL certificate industry.

To make it simple, all certificates that enable HTTPS on the Internet are issued by a CA, an organisation that is trusted and accepted by devices or operating systems (OS). For example, the image below shows the list of “Trusted Root Certificate Authorities (CA)” on a Windows 10 device.


The different levels in the hierarchy of SSL certificates

SSL certificates are usually categorised into 3 levels of hierarchy: the top-level root certificates, followed by the second-level intermediate certificates and lastly the third-level leaf certificates, also called end-entity certificates.

A CA issues root certificates, which sit at the top-most level in the hierarchy of the certificate chain of trust. They are typically valid for around 20 years. These root certificates are then used to issue the second-level intermediate certificates, which are typically valid for around 3 – 6 years. The intermediate certificates are in turn used to issue the third-level leaf certificates, the ones that websites around the world get. They are typically valid for around 90 days to 1 year.

These 3 levels of SSL certificates work together to establish a chain of trust, which serves as the foundation of how the SSL certificate industry works. Leaf certificates are chained to intermediate certificates, while intermediate certificates are chained to root certificates. In the case of the expiry of Let’s Encrypt’s root certificate, IdenTrust DST Root CA X3, the image below shows its chain of trust.

ISRG Certificate Hierarchy Diagram, as of December 2020

Let’s Encrypt root certificate expiry


Now that IdenTrust DST Root CA X3 has expired, any users of SSL certificates that were chained to this root certificate will face problems when trying to access the Internet. Some services by famous brands might also face interruptions in delivering their service to end users due to this problem. As the scale of usage of Let’s Encrypt’s SSL certificates is very large, probably millions of people or companies will be affected, particularly those that use old devices, old system infrastructure or old versions of operating systems as mentioned above.

Scott Helme, a security researcher, entrepreneur and international speaker who specialises in web technologies, listed in his blog the clients that will break after the IdenTrust DST Root CA X3 expires. These include versions of macOS older than 10.12.1, Windows versions older than XP Service Pack 3, iOS versions older than iOS 10, OpenSSL versions up to and including 1.0.2, and Firefox versions older than 50.

What happens when a root certificate expires?

Let’s Encrypt’s Executive Director, Josh Aas, mentioned that when leaf certificates (end-entity certificates) expire, it typically has very little impact, as it only pertains to a small number of websites and they renew automatically. However, when root certificates expire, there can be more widespread impact because the number of certificates chained to them is larger, hence client operating systems or browsers may need to be upgraded to fix problems. However, that isn’t always an option for older devices or deployments.

When root certificates expire, most clients’ devices or operating systems will automatically update the system list of “Trusted Root Certificate Authorities (CA)”, and the expired root certificate will be automatically removed through system updates. From here onwards, whenever the clients come across any SSL certificate that chains from the expired root certificate, an error occurs. An example of the error message of an expired SSL certificate is shown below.


A note worth mentioning is that the browser Firefox maintains its own list of trusted root certificates, independent from a system’s built-in list. You can learn more about it here.
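The chain of trust and root expiry described above can be reproduced with a small model. This is an added example, not code from the article or from Let’s Encrypt; it matches issuers by name only and does no signature checking, and the `Cert` type, the intermediate and the leaf are hypothetical. Only the root’s validity dates come from the article.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def build_path(leaf, intermediates, trust_store):
    """Follow issuer names from the leaf to a root in the trust store; None if none is reachable."""
    path, current = [leaf], leaf
    while current.issuer not in trust_store:
        parent = intermediates.get(current.issuer)
        if parent is None or parent in path:    # unknown issuer, or a signing loop
            return None
        path.append(parent)
        current = parent
    return path + [trust_store[current.issuer]]

def validate(leaf, intermediates, trust_store, at):
    """Return (ok, reason); every certificate in the path, root included, must be in date."""
    path = build_path(leaf, intermediates, trust_store)
    if path is None:
        return False, "no path to a trusted root"
    for cert in path:
        if at < cert.not_before:
            return False, f"{cert.subject}: not yet valid"
        if at > cert.not_after:
            return False, f"{cert.subject}: expired"
    return True, "ok"

def first_to_expire(path):
    """The certificate whose notAfter comes first: the date monitoring should alert on."""
    return min(path, key=lambda c: c.not_after)

# Root dates are the ones given in the article (time of day is not stated there);
# the intermediate and the leaf are constructed for illustration.
ROOT = Cert("DST Root CA X3", "DST Root CA X3",
            datetime(2000, 9, 30, tzinfo=UTC), datetime(2021, 9, 30, tzinfo=UTC))
INTERMEDIATE = Cert("Example Intermediate CA", "DST Root CA X3",
                    datetime(2020, 10, 1, tzinfo=UTC), datetime(2024, 9, 30, tzinfo=UTC))
LEAF = Cert("www.example.test", "Example Intermediate CA",
            datetime(2021, 8, 15, tzinfo=UTC), datetime(2021, 11, 13, tzinfo=UTC))
INTERMEDIATES = {INTERMEDIATE.subject: INTERMEDIATE}
TRUST_STORE = {ROOT.subject: ROOT}

if __name__ == "__main__":
    for day in (datetime(2021, 9, 29, tzinfo=UTC), datetime(2021, 10, 1, tzinfo=UTC)):
        print(day.date(), validate(LEAF, INTERMEDIATES, TRUST_STORE, day))
```

The leaf is still inside its own 90-day window on 1 October 2021, yet validation fails on the root, and a client whose trust store no longer contains the root fails with no path at all.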

Conclusion

As Let’s Encrypt SSL certificates are free, the team behind them is not really required to provide users with any service commitment in situations like this. When it comes to issues like this, it is up to the user’s technical capabilities to solve them. The best there is to offer is the community forum support from the people who are passionate about it.

Besides, with the recent outages of mainstream services such as Facebook, Instagram and WhatsApp, which went down for 6 hours on October 5, 2021, it is important to advise your customers to have a backup plan for their online business, in case unfortunate events all happen at the same time and affect their business operations severely.


The best advice you can give to your customers is to always build their own website instead of relying on free services, as being a mainstream service is no guarantee that it will last. With this in mind, WebNIC wants to help you to assist your customers in building their website and owning their domain names. You can now pay very little to get a DV SSL certificate (from as low as USD4.00 only) for 1 year, with access to guaranteed support from WebNIC. Let your customers know that having a website is much safer, because if social media dies off, they would not disappear completely from the online world with it: there is still a backup ready.

Register domain and buy SSL certificates for your customers with WebNIC


WebNIC is an accredited registrar of over 800 TLDs and a trusted provider of more than 50 brands of SSL certificates to suit your different needs. We have more than 20 years of experience in the domain wholesale and reseller service, as well as more than 7 years of SSL certificate experience. You can be assured that we will provide the best service experience in helping you to register domains and buy SSL certificates. Join WebNIC as a domain and SSL certificate reseller to start selling with us today!

About WebNIC


WebNIC operates a digital reseller platform covering primarily domain name registration for over 800 TLDs, web security services, email and cloud services. With offices in Singapore, Kuala Lumpur, Beijing, Taipei and Jakarta, we serve 5,000 active resellers in over 70 countries. With over 20 years’ experience, we accelerate our partner’s growth through a robust platform, attentive support and wholesale pricing. To join us and become a reseller, live chat with us or email us at [email protected].


Q2 2021 Top 10 Most Impersonated Brands in Domains

What are the top 10 most impersonated brands in Q2 2021 in terms of spoof domains?


Cybercriminals often use spoof domains to impersonate world-renowned brands and trick Internet users into handing over their confidential information. In addition, they use these spoof domains as attack vectors for cyberattacks such as malware distribution, ransomware and viruses.

The easiest way for cybercriminals to do so is to take advantage of the reputation of famous brands. Therefore, they love to impersonate these brands by using domains that contain the brands’ names, by using typo variants of a brand name, or by the more advanced method of hosting content that mimics the brand’s content. It is important to prevent all these threats by implementing digital brand protection measures.

Cybercriminals love to impersonate famous brands and here are the top 10 most impersonated brands in Q2 2021.


The graph above shows that these brands are the most impersonated brands when it comes to spoof domains. It is quite a problem because this means cybercriminals are intentionally registering spoof domains related to these brands to defraud end users. In other words, the domain attack surface size of these brands is large, because there are many spoof domains related to their brand name. As a result, they tend to be more vulnerable and have a higher chance of being taken advantage of by cybercriminals to damage their brand reputation and image.

As a part of cybersecurity measures, there is a continual and never-ending process known as domain attack surface discovery. In this process, cybersecurity professionals discover spoof domain and subdomain names related to a brand that can be used as attack vectors to launch cyberattacks. The larger the domain attack surface, the more vulnerable a brand is. On the other hand, the more attack vectors discovered by cybersecurity professionals, the higher the chance to mitigate a cybersecurity incident.

In this blog, we will address these main questions to give you a better idea of what the domain attack surface is for the 10 most spoofed brands:

  1. What percentage of the domains discovered can be publicly attributed to the brands they contain?
  2. What top-level domains are mainly used?
  3. Are any of them already considered malicious?

The brands mentioned here are based on Check Point’s Brand Phishing Report. The report lists the companies found to be the brands most imitated by hackers in their phishing campaigns.

How large is the total domain attack surface size accumulated across these 10 brands?

The 10 brands accumulated over 42,000 domains and subdomains as per the data sample prepared by WhoisXML API, a domain research, WHOIS, DNS, and threat intelligence API and data provider. These domains were added from 1 July to 3 August 2021: roughly at least 12,000 domains and 30,000 subdomains within a span of only four weeks. A more detailed breakdown of the numbers for each brand is shown in the chart below.


Although Microsoft is the most impersonated brand, the chart clearly shows that Amazon has a much larger domain attack surface, compared to Microsoft. Amazon is used in close to 12,000 domains and subdomains, compared to Microsoft at roughly 1,000 domains and subdomains. Some examples of the domains and subdomains are shown in the image below:


How many of these domains and subdomains are publicly attributable to the brands they contain?


For the discovered 42,000 domains and subdomains, some of them are likely owned by the brand’s owners, whereas most of them are spoof domains. WhoisXML API did some investigation by checking the registrant email addresses of the brands’ official domains from WHOIS Search and WHOIS History Search. The email addresses were then compared to the WHOIS records of these 42,000 domains through Bulk WHOIS Lookup.

60% of these domains return a result; the rest could not be verified, probably because they had already been dropped by their owners. Of the domains that return a result, only 24 domains, or 0.09% of the 42,000 domains, use the same official registrant email addresses as the brands’ official domains. Hence, the investigation’s conclusion is that 99.91% of these 42,000 domains are spoof domains and cannot be publicly attributed to the brands and could have been registered and managed by other entities, including cybercriminals.
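The attribution check described above can be sketched as a small triage script for a defender’s own brand. This is an added example, not WhoisXML API’s tooling; the brand, the names, the WHOIS e-mail addresses and all function names are constructed, and WHOIS results are assumed to be already collected into a dictionary. It also flags names one edit away from the brand and tallies the TLD of each matched name.

```python
from collections import Counter

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def brand_match(fqdn, brand):
    """Return 'contains', 'typo' (one edit away) or None for a discovered name."""
    labels = fqdn.lower().rstrip(".").split(".")[:-1]        # ignore the TLD label
    parts = [p for label in labels for p in label.split("-") if p]
    if any(brand in p for p in parts):
        return "contains"
    if any(edit_distance(p, brand) == 1 for p in parts):
        return "typo"
    return None

def triage(names, brand, whois_email, official_emails):
    """Split brand-related names by WHOIS attribution and tally their TLDs."""
    report = {"attributed": [], "unattributed": [], "no_record": []}
    tlds = Counter()
    for name in names:
        if brand_match(name, brand) is None:
            continue                                         # not part of this brand's surface
        tlds[name.lower().rstrip(".").rsplit(".", 1)[-1]] += 1
        email = whois_email.get(name)
        if email is None:
            report["no_record"].append(name)                 # lookup returned nothing
        elif email.lower() in official_emails:
            report["attributed"].append(name)
        else:
            report["unattributed"].append(name)
    return report, tlds

# Constructed sample data: a made-up brand on reserved TLDs, not real registrations.
BRAND = "examplebrand"
OFFICIAL_EMAILS = {"hostmaster@examplebrand.example"}
DISCOVERED = [
    "examplebrand.example", "login-examplebrand.test", "examp1ebrand.test",
    "pay.examplebrand-help.invalid", "unrelated-shop.test",
]
WHOIS_EMAIL = {
    "examplebrand.example": "hostmaster@examplebrand.example",
    "login-examplebrand.test": "registrant@mailbox.invalid",
    "examp1ebrand.test": "registrant@mailbox.invalid",
}

if __name__ == "__main__":
    print(triage(DISCOVERED, BRAND, WHOIS_EMAIL, OFFICIAL_EMAILS))
```

The last label is treated as the TLD, so multi-label public suffixes are not handled; the unattributed and no-record lists are the ones to review first.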

What is the distribution of the top-level domain (TLD) among these domains?

WhoisXML API also found something interesting when analysing the TLD distribution of these 42,000 domains. It found that for these 10 most imitated brands, 35% of the domains fall under the .com space, while the rest are distributed across 209 other TLDs, including country-code TLDs. The top 10 TLDs are shown below:


How malicious are these domains?


WhoisXML API also did some further investigation to check the malicious status of these domains. It took 30% of the samples and ran threat analysis on these domains to see if they have been reported as malicious. Disturbingly enough, 68% of these samples which were analysed for threats are listed on blocklist sites, such as VirusTotal and Google Safe Browsing. These domains are usually only 1 to 2 months old at the time of writing, and have already been reported as malicious.

Conclusion


In summary, the top 10 most impersonated brands in Q2 2021 have been linked to around 42,000 spoof domains and subdomains. These domains were added in just 4 weeks, and almost all of them cannot be publicly attributed to the brands they contain. To make things worse, 30% of the samples used to perform threat analysis are malicious. This study shows that the severity of domain spoofing is not to be taken lightly, and that a large domain attack surface is very real and poses significant threats. WebNIC would like to ask you to make sure to take cybersecurity seriously for your business or your customers’ business. As a starter, you may check out our Sectigo Web service, a modern all-in-one and comprehensive web security service.



DigiCert Smart Seal – The Brand New Dynamic Site Seal

Introducing DigiCert Smart Seal, a brand new dynamic SSL secure site seal

A brand new member of the SSL site seal family is now available from DigiCert, one of the most trusted names in the SSL industry. The SSL site seal has been around for some time, and DigiCert is making great strides to redefine it for the modern digital landscape. Hence, just a few months ago they launched the DigiCert Smart Seal, a brand new dynamic SSL secure site seal. In case you are not sure what this is, click here to read more about SSL certificate site seal indicator and its importance.

What is DigiCert Smart Seal?

DigiCert Smart Seal is a modern approach to the traditional SSL secure site seal. It is more than just a seal in that it combines real-time security indicators with users’ microinteractions, giving them extra confidence and strengthening their trust when they browse a site. The powerful feature of a DigiCert Smart Seal is that it is able to dynamically display identity and PCI status with industry-first verified logos and other modern features, which are not found in any other SSL site seals.

What is different in DigiCert Smart Seal?

Conventional SSL secure site seals have, for most of the time, been just static images, which can be easily duplicated to deceive users. However, DigiCert Smart Seal is different. It is just like any SSL secure site seal, but smarter and improved.

It is designed to be seen and understood easily, while at the same time difficult to duplicate, which prevents spoofing, fraud and misuse by any ill-intentioned parties. Now, it is much more eye-catching with vivid animations, making it smarter and improved for today’s Internet landscape. The Internet is very different from what it was 20 years ago, and DigiCert has taken this into account when designing it. Now, it all changes with DigiCert Smart Seal!

How does DigiCert Smart Seal work?

Visual cues are now extremely important to help users reach their decisions, especially in this modern digital age of short attention span! So, how does DigiCert Smart Seal work and take this into account? The answer is eye-catching and vivid animations that are hard to create without using the right method to install the seal!

When users roll over it, they see a company’s logo that has been verified by DigiCert, presented in smooth animations while also displaying useful information about the site’s security. The information is delivered right to the seal in real time, and users can click on it to display more useful verification information without leaving to verify the legitimacy of the site.

Here are some snapshots of how a DigiCert Smart Seal works:

In addition, when the seal is clicked, it will produce a splash page with details including: Company name, address/location, date issued, level of encryption, verified customer since (date), CT logs used, blocklist check, vulnerability scanned, PCI compliance scan. Check out our example splash page below: