EMA Report Finds nearly 80% of SSL/TLS Certificates are Vulnerable to Man in the Middle Attacks

EMA Report Finds nearly 80% of SSL/TLS Certificates are Vulnerable to Man in the Middle Attacks

AppViewX commissioned study also reveals that up to 25% of all certificates are expired at any given time; Google’s proposed 90-day certificate expiration proposal driving need for lifecycle management automation

AppViewX, a leader in automated machine identity management (MIM) and application infrastructure security, announced the results of a research study conducted by Enterprise Management Associates (EMA) on SSL/TLS Certificate Security. The survey found that nearly 80% of TLS certificates on the Internet are vulnerable to Man in the Middle (MiM) attacks, while as many as 25% of all certificates are expired at any given time.

.@AppViewX commissioned study by EMA finds nearly 80% of SSL/TLS certificates are vulnerable to man in the middle attacks and reveals that up to 25% of all certificates are expired at any given time

“We were surprised with the sheer volume of expired and self-signed certificates in circulation, and how many organizations are still not using TLS 1.2 and 1.3,” said Ken Buckler, CASP, Director of Information Security Research for EMA. “With Google’s proposed TLS certificate 90-day expiration mandate looming, it’s clear that the only path forward for IT administrators and security professionals is automated certificate management.”

Marketing Technology News: Mobivity Announces Executive Leadership Appointments as CEO Transitions

Survey Highlights

As part of the study sponsored by AppViewX, EMA gathered data from multiple sources for this research report, including Google Trends from 5/6/2018 to 4/30/2023, Stack Exchange from 1/1/2009 to 12/31/2022, and Shodan in May 2023 focused on servers with SSL/TLS certificates on port 443. Some of the report’s key findings include:

  • Only 21% of servers on the internet utilize TLS 1.3, meaning 79% of SSL certificates in use today are still subject to man-in-the-middle attacks
  • Up to 25% of certificates on the internet pose a security threat because are expired (10%) or self-signed (15%) which are not considered secure for publicly accessible websites or services
  • 45% of IP addresses exposed to Top 10 vulnerabilities also had expired certificates (22%) or self-signed certificates (23%)
  • The Generic Top-Level Domains (gTLDs) with the most expired certificates are:
    .org (15%)
    .com (12%)
    .mil (11%)

“With almost six million expired SSL/TLS certificates currently in use on the internet and almost nine million self-signed certificates, this survey quantifies that many organizations are failing to perform basic certificate management hygiene,” said Murali Palanisamy, Chief Solutions Officer at AppViewX. “The recent certificate expiration incidents at Cisco, Microsoft and StarLink demonstrate the importance of automating the management of digital identities to eliminate critical outages and ensure strong security and risk postures.”

Marketing Technology News: MarTech Interview with Mattia Santin, Chief Marketing Officer at Hotjar

Picture of Business Wire

Business Wire

For more than 50 years, Business Wire has been the global leader in press release distribution and regulatory disclosure.

You Might Also Like