H3-2021-0026
Public Self-Signed Certificate
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 0.1 |
Description
The SSL/TLS certificate presented by the server is self-signed: its issuer name is its own subject name and the signature was produced with the certificate's own key, rather than by a certificate authority (CA) that browsers trust.
Impact
Self-signed certificates should not be used on public, user-facing web sites. Because the certificate does not chain to a CA in the browser's trust store, every visit triggers a certificate warning before the page loads. These warnings erode user trust in the site and train users to click through them (alert fatigue). An attacker positioned on the network path can exploit that habit: a man-in-the-middle presenting a fraudulent certificate of their own produces a warning indistinguishable from the one users already see on the legitimate site, so users click through and disclose credentials or other confidential information to the attacker. If the site also sends an HTTP Strict Transport Security (HSTS) policy, browsers refuse to let users bypass certificate errors for that host, so with a self-signed certificate the site becomes unreachable for every user who has received the policy. Replace the certificate with one issued by a publicly trusted CA.
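The check below is an added example and not part of this finding's text or of any scanner's code. It uses openssl to build a throwaway self-signed CA certificate and a leaf certificate issued by it (all names, such as Test Root CA and www.example.test, are constructed for the example), then classifies each one. Note that comparing subject and issuer alone is not sufficient: a CA can issue a certificate whose subject happens to equal the CA's own name, so the check also confirms that the signature verifies under the certificate's own public key.

```shell
#!/bin/sh
# Added example (not from the H3-2021-0026 finding): classify certificates as
# self-signed or CA-issued using only the openssl command-line tool.
set -eu

# Create a temporary directory holding a self-signed CA certificate (ca.pem)
# and a leaf certificate (leaf.pem) issued by that CA. Names are constructed.
make_test_certs() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Test Root CA" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.pem" >/dev/null 2>&1
  printf '%s\n' "$dir"
}

# Return 0 if the PEM certificate in $1 is self-signed, 1 otherwise.
# Two conditions must hold: issuer name equals subject name, AND the
# certificate verifies when it is itself the only trust anchor, which
# proves the signature was made with its own key.
is_self_signed() {
  cert=$1
  subject=$(openssl x509 -in "$cert" -noout -subject)
  issuer=$(openssl x509 -in "$cert" -noout -issuer)
  [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
  openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Print a one-word classification for a report line.
classify() {
  if is_self_signed "$1"; then echo self-signed; else echo ca-issued; fi
}

CERT_DIR=$(make_test_certs)
echo "ca.pem:   $(classify "$CERT_DIR/ca.pem")"
echo "leaf.pem: $(classify "$CERT_DIR/leaf.pem")"
```

To run the same check against a live site, fetch its leaf certificate with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509` and pass the resulting PEM file to `is_self_signed`.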