Name in API: tlscert_weak_signature
Severity: Low
Factor: Network Security
Summary
Certificate Signed With Weak Algorithm (tlscert_weak_signature) refers to a TLS certificate that uses an insecure signature algorithm, like SHA-1 or weak RSA keys, making it vulnerable to attacks. Updating to stronger algorithms ensures better security and integrity.
How Does It Work?
When a TLS certificate is issued, it is signed using a cryptographic hash algorithm (such as SHA-1, SHA-256, or SHA-512). Some older or weak algorithms, like MD5 and SHA-1, are no longer considered secure because they are vulnerable to collision attacks, allowing attackers to forge certificates. When a security scanner detects tlscert_weak_signature, it means the server's certificate was signed with a weak or outdated hash algorithm, which could compromise the security of encrypted communications.
Algorithms Currently Flagged
- sha1_ds
- dsawithsha1
- sha1_ecdsa
- ecdsa-with-sha1
- md2withrsaencryption
- md5_rsa
- md2_rsa
- md5withrsaencryption
- sha1withrsaencryption
- shawithrsaencryption
- mdc2withrsa
- sha1_rsa
- sha1withrsa
Why Is It a Risk?
A weak signature algorithm in a TLS certificate, like SHA-1, is vulnerable to attacks such as collision or brute force, potentially allowing attackers to forge certificates. This compromises the security of encrypted communications, risking data interception or impersonation.
Self Evaluation
You may validate the presence or absence of the flagged certificate on the endpoint by using the following third-party tools. Any of them can be used to cross-check contradictory results. However, when comparing results, ensure that each tool scans the same endpoint and that it matches the endpoint in the SecurityScorecard finding.
website
sslscan
sslscan --weak example.com
Starting SSLScan 1.11.3 (https://github.com/rbsec/sslscan) ...
OpenSSL 1.1.1 11 Sep 2018
TLSv1.0: Supported
TLSv1.1: Supported
TLSv1.2: Supported
TLSv1.3: Supported
Certificate:
Issuer: Example CA
Subject: example.com
Expiry: 2025-01-01
Signature Algorithm: sha1WithRSAEncryption <-- Weak Signature Algorithm (SHA-1)
SHA1 Fingerprint: 12:34:56:78:90:AB:CD:EF:GH:IJ:KL:MN:OP:QR:ST
Serial Number: 1234567890
OCSP URL: http://ocsp.example.com
CRL URL: http://example.com/crl.pem
Cipher Suites Supported:
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
How to mitigate
Mitigate tlscert_weak_signature by replacing certificates using weak algorithms (e.g., SHA-1) with stronger signatures like SHA-256.
- Update TLS with stronger cryptographic encryption.
- Ensure the certificate is issued by a trusted CA and is not private.
- Automate renewal to avoid any delay or lapse in billing.
- Implement HTTPS everywhere.
- Configure the server with a strong cipher.
Remediation
- The endpoint configuration has changed, and the certificate used on the endpoint is not signed by one of the weak algorithms mentioned above. => Select the finding and then click on the "Fixed" button, "technical_remediation".
- The endpoint has been closed and is therefore unreachable (or serving a 400/404). => Select the finding and then click on the "Fixed" button, "technical_remediation".
- After verification (using the methods above, for example), the endpoint defined in the finding does have an updated certificate, contrary to what SecurityScorecard is stating. => Select the finding and then click on "Other resolutions" --> "I cannot reproduce this issue, and I think it's incorrect," "false_positive".