Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

LinkedIn Allowed TLS Certificate to Expire—Again

Microsoft-owned social media giant LinkedIn has once again put user data and privacy at risk by allowing a TLS certificate to expire.

Microsoft-owned social media giant LinkedIn has once again put user data and privacy at risk by allowing a TLS certificate to expire.

Some users noticed on Tuesday that when they tried to access LinkedIn from their desktop or laptop computer they were greeted by an alert that said the connection was not secure. It turned out that the company had forgotten to renew the TLS certificate for its lnkd.in URL shortener.

The company quickly took action after being notified. The new certificate is valid until May 2021.

Expired LinkedIn certificate

This is the second time this has happened. In November 2017, LinkedIn forgot to renew a certificate for country-specific domains, such as uk.linkedin.com and de.linkedin.com.

“Large organisations with hundreds of millions of users globally should be setting the standard for security practices and unfortunately this is the second time that LinkedIn failed to update their SSL certificate, effectively putting user data and privacy at risk,” Carl Leonard, principal security analyst at Forcepoint and one of the individuals who reported the incident to LinkedIn, told SecurityWeek.

“Although this expired certificate only appeared to affect desktop users of LinkedIn, users had to rely on their browsers to alert them to the risks associated with the site. In some cases this may have led to confusion or encourage users to override error messages without understanding the security implications,” Leonard said.

“It isn’t enough for organisations to be reactive,” the expert added. “They should proactively ensure that are consistently implementing cybersecurity practices which act to protect sensitive information from being intercepted or exposed, whilst preserving the user experience. Humans will always make mistakes and have lapses in judgement and it is the role of the appropriate technology to address these issues to ultimately keep data safe.”

UPDATE. LinkedIn told SecurityWeek that it had a brief delay in its SSL certification update. The company said the issue was quickly fixed and user data was not affected.

Related: TLS Certificates for Many .gov Domains Not Renewed Due to Government Shutdown

Related: LinkedIn Responds to Criticism of its SSL Implementation

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.