LinkedIn Admits a Delay in Renewing TLS Cert

LinkedIn users noticed on Tuesday that attempts to access the site from their desktop or laptop computer were met with an alert warning that the connection was not secure – the result of LinkedIn’s failure to renew the TLS certificate for its lnkd.in URL shortener, according to Computer Business Review (CBR).

It turned out that the company had what it is calling a brief delay in renewing the TLS certificate. The company quickly took action after being notified. “We had a brief delay in our SSL certificate update yesterday, which was quickly fixed, and member data was not affected,” a LinkedIn spokesperson wrote in an email. The new certificate is valid until May 2021.

Forcepoint security analyst Carl Leonard tweeted:

If you are wondering why your browser is throwing a Certificate Error when navigating around @LinkedIn posts their cert expired a few hours ago on the URL shortener lnkd[.]in. Qualys' SSL check report for that domain: https://www.ssllabs.com/ssltest/analyze.html?d=lnkd.in …

Leonard and others noted that this is the second time that LinkedIn has allowed a certificate to expire. “Large organizations with hundreds of millions of users globally should be setting the standard for security practices and unfortunately this is the second time that LinkedIn failed to update their SSL certificate, effectively putting user data and privacy at risk,” Leonard reportedly told CBR.

“Certificates control communication and authentication between machines, so it’s critically important not to let them expire unexpectedly. Unfortunately, most organizations don’t even have a clear understanding of how many certificates are in use or which devices are using them; so they definitely don’t have a clear idea of when they will expire,” said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.

“This lack of comprehensive visibility and intelligence routinely leads to certificate-related outages; this is not a unique occurrence. Ultimately, companies must get control of all of their certificates; otherwise, it’s only a matter of time until one expires unexpectedly and causes a debilitating outage.”
