Yesterday large parts of the world were without their LinkedIn accounts due to an SSL certificate expiry. For much of the afternoon us.linkedin.com, uk.linkedin.com, ca.linkedin.com and many others were inaccessible to some account holders, and those who were able to log in were browsing without encryption, meaning all of their data was potentially at risk.
Security researcher Alan Woodward from the University of Surrey was quoted in The Register as saying, “Simply put, it will erode trust with visitors to your site. For a site like LinkedIn that could matter a great deal when people come to trust them with more data, something LinkedIn is always encouraging you to do – 'complete your profile'.”
Kevin Bocek, VP security strategy and threat intelligence, Venafi, commented in an email to SC Media UK: “High-profile websites crash almost every week, but what's really jarring about LinkedIn's stumble is that it was entirely preventable.
"This all comes down to a certificate-related issue. Certificates provide every machine - whether it's a website, application or device - with an online identity. Without them, machines can't trust each other when they communicate. So when LinkedIn's certificate expired yesterday, every major browser simply stopped trusting it. For a global social network with millions of members, it won't be catastrophic. But what if the same thing happened to, say, a large retailer over Christmas?
"LinkedIn's blunder demonstrates why keeping in control of certificates is so important. While LinkedIn will have thousands of certificates to keep track of, outages like yesterday's show that it only takes one expiry to cause problems. To stay in control, organisations should look to automate the discovery, management and replacement of every single certificate on their network."
Kami Vaniea, a cyber-security and privacy researcher at the University of Edinburgh, was reported in the press as saying that a large percentage of users who have been to a website before will click through warnings and therefore will not realise the risk they are in by using these types of websites.