SSL Certificate Cannot Be Trusted
Fabien edited this page Apr 17, 2024 · 1 revision
This page discusses the security risks associated with SSL/TLS certificates that cannot be trusted. These issues arise when the SSL/TLS certificates used by websites or services are not issued by a trusted Certificate Authority (CA), are self-signed, or have expired, leading to potential security warnings and vulnerabilities.
- Severity: Medium to High
The use of untrusted SSL certificates can lead to various security risks, including:
- Man-in-the-Middle Attacks: Attackers can intercept and manipulate data if users bypass security warnings.
- Data Interception: Confidential information such as login credentials and personal data can be exposed and captured.
- Loss of Trust: Users may lose trust in a website or service that presents security warnings, potentially reducing traffic and business reputation.
An SSL certificate may be untrusted for several reasons:
- Certificate is self-signed: The certificate is not issued by a recognized Certificate Authority.
- Certificate has expired: The validity period of the certificate has ended.
- Chain of trust is broken: Intermediate or root certificates are missing, expired, or invalid.
- Certificate is issued to a different domain name: The name on the certificate does not match the domain it is used on.
Obtaining and Installing a Trusted SSL Certificate: To resolve issues with untrusted SSL certificates, obtain and install a certificate from a trusted Certificate Authority (CA).
- Choose a reputable Certificate Authority (CA): Consider CAs like Let's Encrypt (free), Comodo, DigiCert, GoDaddy, etc.
- Generate a Certificate Signing Request (CSR) in bash:

  ```bash
  openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
  ```
- Submit the CSR to a CA: Follow the CA’s process for submitting a CSR and undergo the validation process required by the CA.
- Install the certificate on your server: Follow your server’s documentation for installing SSL certificates (Apache, Nginx, IIS, etc.).
- Configure your server to use HTTPS: Redirect all HTTP traffic to HTTPS to ensure secure connections. Example Apache virtual host:

  ```apache
  <VirtualHost *:80>
      ServerName www.yourdomain.com
      Redirect permanent / https://www.yourdomain.com/
  </VirtualHost>
  ```

- Test your SSL configuration: Use tools like SSL Labs' SSL Test to check your certificate status and configuration, or inspect the certificate the server actually presents with OpenSSL:

  ```bash
  # -servername sends SNI so a name-based virtual host returns the certificate for this name
  openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
  ```
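As an added example (not part of the original page), the checks behind three of the reasons listed above (self-signed, expired, wrong hostname) applied to the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns; the certificates here are constructed inline, and the hostname matcher is a simplified replacement for `ssl.match_hostname`, which was removed in Python 3.12:

```python
import ssl
import time

def _name(rdns):
    """Flatten the nested RDN tuples of getpeercert() into a plain dict."""
    return {k: v for rdn in rdns for k, v in rdn}

def _host_matches(pattern, hostname):
    """Exact match, or '*' as the whole leftmost label covering at least two more labels."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]  # '*.yourdomain.com' ok, '*.com' rejected
    return p == h

def untrusted_reasons(cert, hostname, now=None):
    """Return the reasons a client would refuse to trust this leaf certificate."""
    now = time.time() if now is None else now
    reasons = []
    subject, issuer = _name(cert["subject"]), _name(cert["issuer"])
    if subject == issuer:
        reasons.append("self-signed")  # issuer is the certificate itself, no CA involved
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        reasons.append("expired")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    names = sans or [subject.get("commonName", "")]  # CN only as a legacy fallback
    if not any(_host_matches(n, hostname) for n in names):
        reasons.append("hostname mismatch")
    return reasons

# Constructed sample data (hypothetical values, not from any real server):
# a self-signed cert that expired before the check time and names only
# www.yourdomain.com, versus a CA-issued cert covering the bare domain and a wildcard.
NOW = ssl.cert_time_to_seconds("Apr 17 00:00:00 2024 GMT")
SELF_SIGNED = {
    "subject": ((("commonName", "www.yourdomain.com"),),),
    "issuer": ((("commonName", "www.yourdomain.com"),),),
    "notAfter": "Dec 31 23:59:59 2023 GMT",
    "subjectAltName": (("DNS", "www.yourdomain.com"),),
}
GOOD = {
    "subject": ((("commonName", "www.yourdomain.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "*.yourdomain.com")),
}
```

A broken chain is not detectable from the leaf alone; that check needs signature verification over the full chain and is best left to the TLS library's normal validation.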