Here’s a bit of cybersecurity trivia for you: the world’s top 1 million websites use over 2 million SSL certificates. These certificates create a sense of trust—after all, don’t you feel safer when you visit a website with a little lock in the URL bar?
However, just because you see that a site has an SSL certificate doesn’t mean that it’s being managed properly. According to Keyfactor’s 2024 PKI & Digital Trust Report, 37% of companies have experienced a certificate-related outage. Because SSL certificates are commonly used on websites and other customer-facing digital properties, their (mis)management directly impacts the customer experience.
This all makes SSL management high-stakes for businesses and security professionals!
Outages can stem from various attacks, including an SSL renegotiation attack. An SSL renegotiation attack can be especially troubling because it exploits a vulnerability in the protocol. We’ll explore what an SSL renegotiation attack is and how certificate automation plays a role in preventing it.
SSL Renegotiation
To understand what an SSL renegotiation attack is, let’s first talk about the SSL/TLS protocol. TLS v1.0 and later has a feature that allows a connection to be renegotiated during an active session. Renegotiation could take place while requiring client authentication after the initial connection or changing encryption parameters mid-session.
Renegotiation is a legitimate feature. There are good reasons why a connection would need renegotiation. That being said, renegotiation needs safeguards to ensure attackers don’t exploit it.
How Attackers Exploit Renegotiation
There are two ways to exploit renegotiation:
- Man in the Middle (MitM)
- Denial of Service (DoS)
# 1 – Man in the Middle
The first method involves a man-in-the-middle hacker injecting malicious data into an SSL session during renegotiation. Here’s what that looks like:
Alice sends a ClientHello to Bob to initiate a connection, but Mallory—an attacker—can intercept the request.
Mallory sends her own ClientHello request to Bob and creates a secure connection. Mallory then initiates a renegotiation request, but when Bob initiates a new handshake, Mallory transmits malicious plain-text, which Bob puts into his buffer—his to-do bin—until the handshake process is complete.
Mallory then forwards Alice’s initial ClientHello message to Bob, who establishes a secure connection. Bob processes Alice’s message, but he also processes the messages sent by Mallory during the handshake.
# 2 – Denial of Service
The second method involves the attacker sending multiple renegotiation requests to the server, known as denial of service (DoS).
Each request initiates a new SSL handshake, which drains the server’s resources because all other requests are put into a buffer until the handshake is complete. The server becomes overwhelmed and unable to connect with legitimate users.
There are a variety of reasons attackers carry out DoS attacks. Organized cybercriminals will carry out this kind of attack for a fee. In other cases, political hacktivists will attack servers of organizations or companies because they support certain causes.
How to Prevent an SSL Renegotiation Attack
Here’s one thing you must remember: SSL renegotiation attacks aren’t inevitable! A clear sign of an attempted SSL renegotiation attack is odd certificate usage patterns, such as repeated renegotiation attempts. When a user is trying to renegotiate an SSL session over and over again, there’s a high likelihood someone’s trying to perpetrate an SSL renegotiation attack. Your certificate solution can work with other security tools in your toolkit to maximize your protection. APIs and automation features within your certificate solution can integrate with tools such as firewalls, intrusion detection systems (IDS), and security information and event management (SIEM) solutions.
Automate Certificate Renewal
The existence of so many SSL certificates makes manual management impossible. SSL certificate automation simplifies and streamlines the renewal process.
Automation means that systems use the most up-to-date cryptographic standards, so there’s no concern attackers can exploit vulnerabilities in older systems. Furthermore, certificate automation makes it easier to identify and revoke a compromised certificate.
Ways to Stop SSL Renegotiation Attacks
You can take steps to stop SSL renegotiation attacks in their tracks, although there are some considerations you have to keep in mind.
Disabling Renegotiation
You could disable renegotiation, which would prevent hackers from launching attacks that exploit that vulnerability. That being said, disabling renegotiation is a more drastic option. It makes more sense to enable renegotiation for low-risk servers with benign traffic. However, high-risk servers require stricter controls.
Enabling Server-Side-Only Renegotiation Requests
Another way to prevent SSL renegotiation attacks is to enable server-side-only renegotiation requests. However, hackers can trick the server into initiating a request for you, so this isn’t a foolproof method.
Secure Renegotiation
Implementing secure renegotiation binds the original requests with any renegotiation requests via a cryptographic process. For this to work, both the client and the server must be configured to support this feature.
Configuring Rate Limits for Renegotiation Attempts
You can also set a rate limit for how many renegotiation attempts are allowed to take place. Whenever there are too many renegotiation attempts, the security information and event management (SIEM) system kicks in and triggers a security alert or automatically terminates the connection.
Managing Certificates to Prevent SSL Renegotiation Attacks
Keeping your certificates organized is one of the most important methods to stop SSL renegotiation attacks. There are a few methods to do this. We’ll look at two of them: open-source tools and manual processes, and the pros and cons of both.
Open-Source Tools
There are a variety of open-source tools on the market that help you identify SSL certificates that will soon expire.
The Pros: The benefit of using open-source tools is that they have either no or low upfront costs.
The Cons: There are some notable drawbacks to using open-source tools.
While you might not have to invest in an open-source tool when you first implement it, there are other costs down the line. Your team will need to manage those tools, and they might not get tech support for those tools when they need it.
Manual Processes
Your teams would manually track down certificates about to expire.
The Pros: You’re saving money by not investing in software.
The Cons: The money you’ve saved by not investing in software will be eaten up by how much time your team will spend on this activity.
Also, no matter how many people you put on this task, there’s no way they will find all the certificates due to expire. If they miss one, your organization could be at risk.
Best Practices: A Centralized Certificate Management Solution
Centralizing certificate management within a single automated platform solves the pain points the other solutions present. This solution uses fewer resources and requires less of an investment in time than open-source solutions or manual processes.
Centralized certificate management gives you a real-time view of all certificates across the organization, even the undocumented ones. That single-pane-of-glass visibility saves you time and effort, so your team can spend more time working on what matters most.
In addition, centralized platforms can help you implement certificate automation. Automating the lifecycle management of SSL certificates minimizes issues such as expired and undocumented certificates. It’s also simpler and faster to revoke certificates with a centralized platform, too, so you can strengthen your security posture and maintain connectivity.
Lay the Foundation for Certificate Automation with Keyfactor
You can protect yourself from SSL renegotiation attacks by ensuring your SSL certificates are up to date. Automating the certificate lifecycle allows you to quickly and easily identify SSL certificates that put you at risk. Find out how Keyfactor can help–watch our demo now.
