In the fast-paced world of cybersecurity, even the most meticulous processes can encounter unexpected hurdles. Recently, DigiCert, a leading certificate authority, announced a significant move to mass-revoke SSL/TLS certificates due to a bug in their domain verification process. This issue impacts approximately 0.4% of domain validations conducted between August 2019 and June 2024. Here’s what you need to know.
The Issue at Hand
The root of the problem dates back to an update in August 2019. That update inadvertently omitted the required underscore prefix from the DNS record name used in CNAME-based domain validations. This might sound minor, but in the world of cybersecurity, small oversights can lead to significant risks. The incident is considered security-critical because a CNAME-based validation performed without the required underscore prefix carries a risk of unauthorised certificate issuance.
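To make the defect concrete, here is an added example (not DigiCert's code) that builds the CNAME record name a CA asks an applicant to publish, in both the compliant underscore-prefixed form and the buggy form, and a checker that a CA or subscriber could run over past validation records to find the ones that need re-validation. The record layout (one label directly below the validated domain, containing the random value) and the sample domains are assumptions for illustration.

```python
import re

# Hostname label per RFC 1123: letters, digits, hyphens only. An underscore is
# never legal here, which is why the BR "DNS Change" method requires it: the
# validation record then cannot be confused with a real host name.
HOSTNAME_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def dcv_record_name(domain: str, random_value: str, underscore_prefix: bool = True) -> str:
    """Record name the applicant is told to create as a CNAME.
    underscore_prefix=False reproduces the 2019-2024 omission."""
    label = f"_{random_value}" if underscore_prefix else random_value
    return f"{label}.{domain}".lower().rstrip(".")


def check_dcv_record_name(domain: str, random_value: str, record_name: str) -> tuple[bool, str]:
    """Return (ok, reason) for a published DCV record name: it must sit exactly one
    label below the validated domain, start with '_' and carry the random value."""
    name = record_name.lower().rstrip(".")
    suffix = "." + domain.lower().rstrip(".")
    if not name.endswith(suffix):
        return False, "record is not under the domain being validated"
    label = name[: -len(suffix)]
    if "." in label or not label:
        return False, "record must be exactly one label below the domain"
    if not label.startswith("_"):
        # Without the underscore the label is a syntactically valid hostname,
        # so the validation record could collide with an ordinary host record.
        kind = "valid hostname label" if HOSTNAME_LABEL.match(label) else "malformed label"
        return False, f"missing underscore prefix ({kind})"
    if label[1:] != random_value.lower():
        return False, "random value does not match"
    return True, "compliant"


def audit_validations(domain: str, records: list[tuple[str, str]]) -> list[str]:
    """records: (random_value, record_name) pairs from past validations.
    Returns the record names that were validated with a non-compliant name."""
    return [name for rv, name in records if not check_dcv_record_name(domain, rv, name)[0]]


if __name__ == "__main__":
    # Constructed sample history: one compliant and one affected validation.
    history = [
        ("c0ffee42", dcv_record_name("example.com", "c0ffee42")),
        ("deadbeef", dcv_record_name("example.com", "deadbeef", underscore_prefix=False)),
    ]
    for name in audit_validations("example.com", history):
        print("needs re-validation:", name)
```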
The Discovery and Impact
DigiCert's investigative efforts revealed that 83,267 certificates, impacting 6,807 subscribers, were affected by this oversight. While some customers have been proactive in reissuing their certificates, others, especially those managing critical infrastructure like telecommunications networks and healthcare services, face potential disruptions if certificates are revoked too hastily.
Immediate Actions Required
For those impacted, DigiCert has set a strict 24-hour window to reissue certificates. If the process isn’t completed within this timeframe, affected websites and applications could experience a loss of connectivity, which could be disastrous for businesses relying on uninterrupted online presence. This revocation timeline is far from ideal for many customers, particularly given the holiday season. It highlights the urgent need to consider more modern and flexible validation methods. One suggestion is to enhance the validation process by involving multiple validators, adding an extra layer of security and oversight. This approach would also ensure that if someone is out of the office during such an event, there is a backup in place to prevent company websites from going offline.
Balancing Security and Practicality
The Chrome Root Program, which oversees compliance with CA/Browser Forum Baseline Requirements, emphasised that while exceptions for delayed revocations are beyond their purview, a balance between maintaining security and considering ecosystem impacts is crucial. DigiCert is actively seeking guidance on whether exceptional circumstances might warrant delayed revocations, particularly for entities where immediate action could lead to critical service interruptions.
Ongoing Challenges
The situation is further complicated by confusion over the internal list of impacted certificates. Some certificates validated through mixed methods—some with underscores and others without—have led to overbroad revocation notices and significant customer outreach efforts.
DigiCert’s Commitment
DigiCert remains committed to compliance and transparency. They are preparing a detailed incident report and have already begun the revocation process within the mandated 24-hour window. Despite the challenges, DigiCert is working closely with customers and legal teams to mitigate disruptions and ensure adherence to security standards.
A Broader Industry Shift: Google's Announcement
Adding to the dynamic landscape of digital certificates, Google recently announced that its Chrome browser will stop trusting TLS certificates issued by Entrust starting November 1, 2024. This decision, driven by what Google describes as "a pattern of concerning behaviours" by Entrust, will affect many websites, including those of 21% of Fortune 1000 companies, such as banks and e-commerce sites. The move underscores the importance of maintaining stringent security practices and the potential repercussions of failing to do so.
Conclusion
As DigiCert navigates this complex issue, the overarching goal remains clear: safeguarding the integrity of digital communications while minimising disruptions for their customers. It’s a delicate balance, but one that underscores the importance of vigilance and adaptability in the ever-evolving landscape of cybersecurity.
For affected customers, immediate action is crucial. Log in to your DigiCert CertCentral account, generate a new Certificate Signing Request (CSR), and follow the steps to reissue your certificates. Failure to do so within the 24-hour window could result in significant connectivity issues, underscoring the critical nature of this situation.
Stay tuned for further updates as DigiCert continues to address this issue with the urgency and thoroughness it demands.