Data protection

SSL certificate of a subdomain with an untrusted root certificate

Risk Level

Hazardous (3)

Platform(s)
  • N/A

Description

The certificate for {Subdomain.Name} is signed by an untrusted root certificate authority (CA). Certificates authenticate hostnames through a chain of trust that ends at a known, universally agreed-upon certificate authority (CA). When the root CA is untrusted, the certificate's validity cannot be verified, so a user cannot distinguish the genuine website from a fake one; this exposes users of this website to the risk of a man-in-the-middle (MITM) attack.
  • Recommended Mitigation

    Access the domain through a modern browser to see whether the user is alerted about the certificate's status. Since root certificates can be manually added to browsers, review whether the root CA listed in the certificate is indeed universally recognized. Some public websites are intended for internal use by members who trust the root authority; in those cases a universally trusted CA is not required (although it is still considered a best practice). If this website is intended for public use, be sure to obtain the certificate from a reputable CA.
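An added check (not part of the original finding template) that performs the review the mitigation describes from the command line: it completes a TLS handshake using the platform's root store via Python's standard ssl module and reports whether the chain terminates in a trusted root, separating that case from other failures (expiry, hostname mismatch) using OpenSSL's X509_V_ERR result codes. The hostname argument and the default `example.com` are assumptions; the live check needs network access.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes meaning the chain does not end in a root that
# the local trust store recognises (the condition this finding describes).
UNTRUSTED_ROOT_CODES = {
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain (root not in trust store)",
    20: "issuer certificate not found locally (incomplete chain or private CA)",
    21: "unable to verify the first certificate",
}


def classify_verify_code(code):
    """Map an OpenSSL verify result code to a finding label."""
    if code == 0:
        return "trusted"
    if code in UNTRUSTED_ROOT_CODES:
        return "untrusted-root: " + UNTRUSTED_ROOT_CODES[code]
    return f"other verification failure (code {code})"


def check_host(host, port=443, timeout=5.0):
    """Handshake with the system trust store and report the chain verdict.

    An untrusted root is reported distinctly from expiry or hostname
    mismatch so the finding is not confused with those conditions.
    """
    ctx = ssl.create_default_context()  # loads the platform's root store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                # issuer is a tuple of RDNs, each a tuple of (name, value) pairs
                issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
                return {"host": host, "verdict": "trusted", "issuer": issuer}
    except ssl.SSLCertVerificationError as exc:
        code = getattr(exc, "verify_code", None)
        return {
            "host": host,
            "verdict": classify_verify_code(code),
            "issuer": None,
            "detail": getattr(exc, "verify_message", str(exc)),
        }


if __name__ == "__main__":
    import sys
    # Assumed default target; pass a hostname to check a specific subdomain.
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```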