SSL/TLS Server Certificate Not Trusted | Vulnissimo

Severity: Medium
Detected by: Passive mode

Jason McCarthy

Senior security researcher & penetration testing consultant

10+ years experience in the field

What is an untrusted SSL/TLS certificate?

An SSL/TLS certificate binds a server's public key to a name (the hostname listed in its Subject Alternative Name field) and is signed by a Certificate Authority (CA). A client such as a browser trusts the certificate only if the signature chain leads to a root CA in its trust store, the name matches the host it is connecting to, the current time falls within the validity period, and the certificate has not been revoked. This finding is raised when one of those checks fails: the server uses a self-signed certificate, a certificate issued by a private or otherwise unknown CA, an expired certificate, a certificate issued for a different hostname, or it sends an incomplete chain (the leaf certificate without its intermediate CA certificate). In each case the client cannot verify that it is talking to the genuine server, so the authentication half of TLS is lost even though the traffic is still encrypted.

Why is an untrusted SSL/TLS certificate a security risk?

TLS protects traffic only if the client can tell the real server's certificate from one an attacker produces, and an untrusted certificate removes that distinction. An attacker positioned on the path (a hostile Wi-Fi hotspot, a compromised router, a DNS or BGP hijack) can terminate the connection with a certificate of their own; since the legitimate certificate already triggers a warning, the attacker's certificate looks no different. Users who are accustomed to clicking through the warning will accept it, and API clients that were configured to tolerate the untrusted certificate (for example by disabling verification) will accept it silently. The attacker then reads and modifies everything in the session, including login credentials, session cookies and other private data.

How to configure a trusted SSL certificate

To address this issue, configure a certificate that the clients actually trust. Obtain it from a public CA for internet-facing hosts (ACME-based issuance makes this free and automatable), or from an internal CA whose root certificate is deployed to every client for internal hosts. Make sure the Subject Alternative Name covers every hostname the server is reached by, install the full chain (leaf plus intermediate CA certificates) on the server, and automate renewal so the certificate does not silently expire. After installation, confirm from a client that has no special trust configured that the chain verifies without warnings. Consult specific guides for configuration:

How to detect an untrusted SSL/TLS certificate

An untrusted SSL/TLS certificate can be detected through several methods: browser warnings, command-line tools (for example, openssl s_client -connect host:443 -servername host prints a "Verify return code" other than 0, and curl refuses the connection unless verification is explicitly disabled), and automated scanning tools.

This Python snippet connects to a server with a default SSL context, which verifies the certificate chain, the validity period and the hostname during the handshake. If verification fails it reports the reason; otherwise it prints the issuer and validity period and how many days the certificate remains valid:

import ssl
import socket
from datetime import datetime, timezone

hostname = ''   # server under test
port = 443
# The default context verifies the chain against the system trust store,
# rejects expired certificates and checks the name against server_hostname.
context = ssl.create_default_context()

try:
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            # Only reached when the handshake verified the certificate.
            cert = ssock.getpeercert()
            print('Certificate Issuer:', cert.get('issuer'))
            print('Valid From:', cert.get('notBefore'))
            print('Valid To:', cert.get('notAfter'))
            # notAfter is an ASN.1 GMT string such as 'Jun  1 12:00:00 2025 GMT';
            # ssl.cert_time_to_seconds() parses it as UTC.
            expiration_date = datetime.fromtimestamp(
                ssl.cert_time_to_seconds(cert['notAfter']), tz=timezone.utc)
            remaining = expiration_date - datetime.now(timezone.utc)
            if remaining.days < 0:
                print('Warning: Certificate has expired!')
            else:
                print(f'Certificate is trusted and valid for {remaining.days} more days.')
except ssl.SSLCertVerificationError as err:
    # Raised inside the handshake: self-signed or unknown CA, incomplete chain,
    # expired certificate or hostname mismatch. verify_message gives the reason.
    print('Certificate is NOT trusted:', err.verify_message)

Note: This script is for educational purposes only. Always ensure you have permission before scanning or testing websites you don’t own or operate.
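Going a step further, the following added example (written for this page, not Vulnissimo's own tooling) decodes why a certificate was rejected and adds the two checks a scanner usually reports on trusted certificates as well: hostname coverage and time to expiry. It maps the OpenSSL X509 verification codes that Python exposes as SSLCertVerificationError.verify_code to remediation-oriented reasons, and it keeps the assessment logic separate from the network code so it can be run on a captured certificate. The hostnames and the SAMPLE_CERT dictionary are constructed for illustration, and the simplified wildcard matching is a stand-in for the check the ssl module already performs during the handshake.

```python
"""Added example for this page (not Vulnissimo's code): classify why a server's
certificate is trusted or not. Only check_server() touches the network; the
helpers are pure so they can be exercised on a constructed certificate dict."""
import socket
import ssl
import time

# OpenSSL X509 verification result codes, surfaced by Python as
# ssl.SSLCertVerificationError.verify_code (Python 3.7+).
VERIFY_REASONS = {
    2: 'issuer certificate missing from the chain sent by the server',
    9: 'certificate is not yet valid',
    10: 'certificate has expired',
    18: 'self-signed certificate (no CA involved)',
    19: 'self-signed certificate in chain (private CA not in the trust store)',
    20: 'issuer certificate not found in the local trust store',
    21: 'unable to verify the first certificate (incomplete chain)',
    23: 'certificate has been revoked',
    62: 'hostname does not match the certificate',
}

def describe_verify_code(code):
    """Turn an OpenSSL verify code into a remediation-oriented reason."""
    return VERIFY_REASONS.get(code, f'verification failed with OpenSSL code {code}')

def hostname_matches(cert, hostname):
    """Match hostname against the subjectAltName DNS entries (simplified
    RFC 6125 rule: a wildcard matches exactly one leftmost label). The ssl
    module does this itself during the handshake; this copy exists so a
    captured certificate can be assessed offline."""
    host = hostname.lower().rstrip('.')
    for kind, value in cert.get('subjectAltName', ()):
        if kind != 'DNS':
            continue
        pattern = value.lower()
        if pattern.startswith('*.'):
            # '*.example.com' matches 'www.example.com' but not
            # 'example.com' or 'a.b.example.com'.
            if host.endswith(pattern[1:]) and host.count('.') == pattern.count('.'):
                return True
        elif pattern == host:
            return True
    return False

def days_until_expiry(cert, now_ts=None):
    """Whole days left on the certificate; negative once it has expired.
    notAfter is an ASN.1 GMT string such as 'Mar  1 00:00:00 2025 GMT'."""
    now_ts = time.time() if now_ts is None else now_ts
    expires_ts = ssl.cert_time_to_seconds(cert['notAfter'])
    return int((expires_ts - now_ts) // 86400)

def assess_certificate(cert, hostname, now_ts=None, warn_days=30):
    """Findings for a certificate dict in the layout SSLSocket.getpeercert()
    returns. Chain verification itself is not repeated here."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append('hostname mismatch')
    days = days_until_expiry(cert, now_ts)
    if days < 0:
        findings.append('expired')
    elif days < warn_days:
        findings.append(f'expires in {days} days')
    return findings

def check_server(hostname, port=443, timeout=10):
    """Connect with full verification and report why the certificate is or
    is not trusted. Needs network access to the target."""
    context = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                cert = ssock.getpeercert()
                return {'status': 'trusted',
                        'issuer': dict(rdn[0] for rdn in cert['issuer']),
                        'findings': assess_certificate(cert, hostname)}
    except ssl.SSLCertVerificationError as err:   # subclass of SSLError: catch first
        return {'status': 'untrusted', 'reason': describe_verify_code(err.verify_code)}
    except (ssl.SSLError, OSError) as err:
        return {'status': 'error', 'reason': str(err)}

# Constructed sample in getpeercert() layout; the hostnames are hypothetical.
SAMPLE_CERT = {
    'subject': ((('commonName', 'www.example.com'),),),
    'issuer': ((('organizationName', 'Example CA'),),
               (('commonName', 'Example Issuing CA'),)),
    'notBefore': 'Jan  1 00:00:00 2025 GMT',
    'notAfter': 'Mar  1 00:00:00 2025 GMT',
    'subjectAltName': (('DNS', 'www.example.com'), ('DNS', '*.api.example.com')),
}

if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))   # live check of a host you are authorised to test
    else:
        print(assess_certificate(SAMPLE_CERT, 'www.example.com'))
```

Run it with a hostname to get a live verdict, or without arguments to see the offline assessment of the constructed sample. Note that SSLCertVerificationError is caught before the broader SSLError/OSError clause because it inherits from both; reversing the order would turn every untrusted certificate into a generic connection error.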