From the “Don’t Let This Happen to You Department”
Instagram is a large image-sharing social network that reports 70 million photo uploads a day. For around an hour back on April 30, 2015, visitors and users found, instead of sepia-tone selfies and pictures of meals, warnings from their browser that the site was not trusted. This was because of an expired SSL certificate, and the problem was resolved in about an hour. Sure, it happens to the best of us (even Google let a certificate lapse recently), but no matter the size of your business, you can’t ever afford to lose the trust of your visitors – not even for an hour.
What Happened to Instagram?
Netcraft wrote about this Instagram SSL certificate expiration back in late April. Until fixed, users received warnings in their browser that the connection to the website was not secure. The big concern was that if visitors bypassed the warnings and continued to the site, they were left open to man-in-the-middle attacks. As Netcraft wrote:
Although the HTTP version of the site redirects to HTTPS, instagram.com does not currently make use of HTTP Strict Transport Security — an HTTP header that permits a site to specify that future visits must be over HTTPS. As a result, customers can bypass the warning message, placing them at risk of man-in-the-middle attacks.
If HSTS had been in use, visitors would correctly not be able to bypass the error message, protecting them from man-in-the-middle attacks, but leaving them without the ability to connect to instagram.com. As HSTS does not protect the user on their first visit, website owners can request to have their HSTS rules embedded into the browser via Chrome’s preload list.
HSTS is very useful (and Microsoft has now adopted it for use in Internet Explorer 11), but again, the easiest way to have prevented this issue would have been to not let the certificate expire in the first place.
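To make the HSTS behaviour described above concrete, here is a small added example (not code from the original post, Netcraft or Instagram) that parses a Strict-Transport-Security header, models a browser’s HSTS cache and preload list to show when a certificate warning can still be clicked through, and reports how many days are left on a certificate from the notAfter string that Python’s ssl module returns. The host name, header value and dates are constructed samples.

```python
import re
import ssl

# Constructed sample: value of a Strict-Transport-Security response header
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"
# Constructed sample: "notAfter" field in the format returned by getpeercert()
SAMPLE_NOT_AFTER = "Apr 30 00:00:00 2015 GMT"


def parse_hsts(header):
    """Return (max_age, include_subdomains, preload) for an HSTS header value,
    or None if it carries no usable max-age directive (browsers ignore it then)."""
    max_age, subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', value.strip())
            if m:
                max_age = int(m.group(1))
        elif name == "includesubdomains":
            subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, subdomains, preload)


class HstsStore:
    """Minimal model of a browser's HSTS cache plus a built-in preload list."""

    def __init__(self, preloaded=()):
        self.preloaded = set(preloaded)
        self.policies = {}  # host -> timestamp at which the cached policy expires

    def observe(self, host, header, now):
        """Record the policy from a header seen on a successful HTTPS response."""
        parsed = parse_hsts(header)
        if parsed is None:
            return
        if parsed[0] == 0:                 # max-age=0 tells the browser to forget
            self.policies.pop(host, None)
        else:
            self.policies[host] = now + parsed[0]

    def warning_bypassable(self, host, now):
        """True if a user could click through a certificate warning for host."""
        if host in self.preloaded:         # preload covers even the first visit
            return False
        expiry = self.policies.get(host)
        return expiry is None or expiry <= now


def days_until_expiry(not_after, now):
    """Days left on a certificate (negative once it has expired)."""
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400
```

A first visit with no cached policy and no preload entry is exactly the case Netcraft describes: the warning can be bypassed, so a monitoring job that calls days_until_expiry well ahead of time is the control that actually prevents the outage.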
How To Make Sure You’re Safe
If you’re given a warning by a web browser, you want to take it seriously. Clicking “okay” to bypass a warning can open you up to an attack. Before you say something like, “It was just Instagram. They don’t have my bank account information,” think about how many people use the same password for multiple sites, no matter how strongly the practice is discouraged.
If a man-in-the-middle attacker who was paying attention had heard about the Instagram SSL certificate expiring AND found a user bypassing the warning (and going to the website anyway), they would have been able to grab that user’s Instagram username and password. A tremendous number of users ignore such warnings (to the point where Google has redesigned them to be as threatening as possible), so if you do decide to disregard one, at least think through what you are exposing: anything you type into that page, from credentials to session cookies, is no longer guaranteed to reach only the site you intended.
Slashdot (/.) On Expired SSL Certificates
While Slashdot didn’t really take note of the April 30th SSL certificate outage on an Instagram server, the site has talked about expiring SSL certificates in the past. Here’s some recommended reading.
- 2002 – Cert Slamming, or, Desperate Companies Behaving Badly
- 2004 – Verisign Certificate Expiration Causes Multiple Problems
- 2008 – Firefox SSL-Certificate Debate Rages On
- 2013 – Microsoft Azure Failure: SSL Certificates Were Updated… Sort Of
- 2014 – Sony Forgets To Pay For Domain, Hilarity Ensues
- 2015 – Google Let Root Certificate For Gmail Expire
So, yeah, it’s happened before and will likely happen again – but you really don’t want your site to join the list above. Which brings us to our takeaway:
The SSL Takeaway
Take browser warnings seriously! They indicate potentially serious problems and should never be ignored – and if your visitors report warnings, check your certificate status immediately.
Also, stay on top of your certificate expiration dates! SSL.com customers can easily set reminders for upcoming certificate expirations right in their account!
Here at SSL.com, the team works day in and day out to make sure you have all the information you need to stay as safe as possible online. Take the time to come up with a plan to keep all your SSL certificates current so you don’t lose the trust of visitors to your website.