On August 19, 2020, the popular music streaming platform, Spotify, appeared to go offline for around an hour—frustrating listeners who were attempting to connect to the service. The outage appears to have occurred during business hours for most of Europe, but it was still very early in the morning for users in North America—potentially reducing the severity of the impact. Spotify was quick to release a brief statement on Twitter acknowledging the outage and was able to resolve the issue approximately an hour later.
The cause of the outage, as some eagle-eyed observers noted, appears to have been an expired TLS certificate, although a formal root cause analysis from Spotify is still awaited.
Using the ThousandEyes platform, we noticed that the TLS certificate for a Spotify subdomain wg.spotify.com became valid today—indicating that Spotify did, in fact, make an update to their TLS certificate this morning. While any outage has the potential to impact brand perception and even revenue, customer-impacting outages caused by an expired TLS certificate are especially painful—because they’re easily preventable. This brief outage is yet another reminder why enterprises must prioritize monitoring their TLS certificates. In this blog post, we focus on SSL monitoring to detect and alert on common TLS certificate issues that can impact web performance.
Certificate Chain Basics
The SSL/TLS handshake between the client and server involves the exchange of the following: TLS version, cipher suites, certificate exchange to establish server identity and generating session keys for data encryption.
Web servers that provide content through HTTPS URLs must use an SSL server certificate in order to demonstrate to the client that the server is the legitimate provider of the content at the requested URL. SSL server certificates are issued by certification authorities (CAs) using the CA's own certificates, and they use a cryptographic technique called a digital signature. Each SSL server certificate is digitally signed by the CA.
SSL server certificates (also known as leaf certificates) are issued by public certification authorities (such as DigiCert, Comodo, or Let's Encrypt) and are typically signed by intermediate certificates, which may themselves be issued and signed by other intermediate certificates belonging to the CA. At the end of a chain of certificates is a root certificate (also called a root CA certificate). The root certificate is signed by the CA itself. The signatures of all certificates in the chain must be verified up to the Root CA Certificate.
Importance of Monitoring for Certificate Expiration
Regardless of whether you own the critical applications that your customers or employees rely on, or you depend heavily on SaaS services for productivity, the network and corporate IT team is responsible for service availability and delivery at all times. This makes monitoring for certificate validity crucial. If you are an enterprise providing a web service, then being able to detect expiring certificates ahead of time and take the necessary action will help protect from service disruption and brand damage. This can be less straightforward when it comes to the SaaS services you rely on, however.
If your SaaS provider fails to renew a certificate, as we have seen in the past with a large collaboration provider, you will be glad that you are proactively monitoring and alerting for certificate expiry so that you can reach out to your providers ahead of time and get the issue resolved in a timely manner—significantly reducing war room times or avoiding it altogether.
Detecting and Alerting on Certificate Expiry
TLS certificates have typically been configured to be valid for a long period of time. As you can see in Figure 6 above, the root certificate is not set to expire until November 9, 2031. This often means that monitoring certificate expiry is not top of mind for the teams that are responsible for websites—so alerting is critical.
As TLS versions have iterated over time, there has always been a question around whether you’re trading off security for performance. In the interest of security, many vendors have been proposing a shorter certificate validity period at the CA/Browser Forum for a few years now. The primary motivation is that renewing TLS certificates within a shorter period allows for rolling in security updates quickly while also ensuring the regeneration of keys frequently for more website security. On September 1, Apple’s Safari browser will no longer trust TLS leaf certs with validity periods longer than 398 days—and it is a matter of time before other browsers follow suit. This is expected to create the need for more frequent monitoring of TLS certificates.
ThousandEyes allows you to proactively monitor TLS certificate expiry along with detecting weak cipher suites and missing certificates in the cert chain.
Monitoring for certificate expiry has never been more crucial for the consumption of web applications. As we see more browsers adopt certificates with shorter lifespans for greater security, we expect to see this come to the forefront of our customers’ monitoring strategy.