
LinkedIn’s outage blunder left users exposed and was ‘easily preventable’

01 Dec 2017

If you were out to do a bit of business and employment-oriented networking yesterday, you may have come across an error message.

LinkedIn went down yesterday in countries across the world because of an expired SSL certificate, which left us.linkedin.com, uk.linkedin.com, ca.linkedin.com and many others inaccessible to many users.

What’s more concerning is that those who were able to bypass the error message and log in were in fact browsing with all of their data at risk, as there was no encryption.

LinkedIn updated users on its ‘LinkedIn Help’ Twitter site:

And undoubtedly with no shortage of urgency, the social media giant assured its users shortly afterwards that the issue had been resolved.

Cybersecurity expert Alan Woodward says the outage will have far-reaching implications.

“Simply put, it will erode trust with visitors to your site,” says Woodward.

“For a site like LinkedIn that could matter a great deal when people come to trust them with more data, something LinkedIn is always encouraging you to do – ‘complete your profile’.”

Kevin Bocek, vice president for security strategy and threat intelligence at Venafi, says this simply shouldn’t have happened.

“You may have fired up LinkedIn yesterday afternoon, only to be greeted with a ‘CERT_DATE_INVALID’ warning. You won't have been alone. LinkedIn's website was down across most of its main regions, including the UK, Australia and the US,” says Bocek.

“High-profile websites crash almost every week, but what's really jarring about LinkedIn's stumble is that it was entirely preventable.”

Bocek says this all comes down to a certificate-related issue.

“Certificates provide every machine - whether it's a website, application or device, with an online identity. Without them, machines can't trust each other when they communicate,” says Bocek.

“So when LinkedIn's certificate expired yesterday, every major browser simply stopped trusting it. For a global social network with millions of members, it won't be catastrophic. But what if the same thing happened to, say, a large retailer over Christmas?”

If there’s one thing to come out of this, Bocek says LinkedIn’s blunder demonstrates why keeping in control of certificates is so important.

“While LinkedIn will have thousands of certificates to keep track of, outages like yesterday's show that it only takes one expiry to cause problems,” Bocek says.

“To stay in control, organisations should look to automate the discovery, management and replacement of every single certificate on their network - or LinkedIn won't be the last high-profile snafu.”
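
The kind of automated expiry tracking Bocek describes can start with a scheduled check of each certificate's `notAfter` date. The sketch below is an added example, not code from the article, LinkedIn or Venafi; the hostnames, dates and 30-day renewal window are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW_DAYS = 30  # assumed policy threshold, not from the article

def classify(not_after, now, window_days=RENEW_WINDOW_DAYS):
    """Classify a notAfter string (format returned by getpeercert()).

    None means the live handshake already failed on an expired certificate.
    """
    if not_after is None:
        return "EXPIRED"
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    if expiry <= now:
        return "EXPIRED"
    if expiry - now <= timedelta(days=window_days):
        return "RENEW"
    return "OK"

def audit(inventory, now):
    """Map every host in a {host: notAfter} inventory to its status."""
    return {host: classify(not_after, now) for host, not_after in inventory.items()}

def fetch_not_after(host, port=443, timeout=5):
    """Live lookup for building the inventory (not called in this example)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as err:
        if err.verify_code == 10:  # X509_V_ERR_CERT_HAS_EXPIRED
            return None  # what a browser reports as CERT_DATE_INVALID
        raise  # other validation failures need a human to look

# Constructed inventory: placeholder hosts and dates, not real certificate data.
SAMPLE = {
    "us.example.com": "Nov 30 12:00:00 2017 GMT",
    "uk.example.com": "Dec 20 00:00:00 2017 GMT",
    "ca.example.com": "Jun  1 00:00:00 2018 GMT",
}
NOW = datetime(2017, 12, 1, tzinfo=timezone.utc)  # fixed clock for a repeatable run

if __name__ == "__main__":
    for host, status in audit(SAMPLE, NOW).items():
        print(f"{status:8} {host}")
```

Alerting on the `RENEW` state, rather than only on `EXPIRED`, is what leaves time to replace a certificate before any browser rejects it.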
