Shame there is no Open Source SSL you could use free of change. Woops there is "Let's Encrypt" project.
How a chunk of the web disappeared this week: GlobalSign's global HTTPS snafu explained
GlobalSign has performed a postmortem examination on how, as one of the world's root certificate authorities, it managed to break a chunk of the web. The New Hampshire, US-based biz has to date sold 2.5 million SSL/TLS certificates to websites around the world. This week, it inadvertently smashed its own chain of trust: it …
COMMENTS
-
-
Saturday 15th October 2016 20:35 GMT Crazy Operations Guy
Re: Let's Encrypt is not an alternative.
Identity certificates, Extended or Organization Verification certs, authentication certificates, code-signing, time-stamping, etc...
Let's encrypt really only does web server certificates that can, with some effort, be used to secure SMTP, FTP, and some other protocols, but there are a lot that you can't.
-
-
Sunday 16th October 2016 18:53 GMT Crazy Operations Guy
Re: Let's Encrypt is not an alternative.
"OV certificates are useless"
Functionally, no, but they are useful for knowing that the CA actually did at least some basic checking before issuing the cert. There are too many CAs that will just issue a standard certificate to anyone with an email address and a couple bucks to spend for a basic certificate.
-
-
-
-
Saturday 15th October 2016 15:55 GMT ElReg!comments!Pierre
Web-o-trust, smmeb'ol'thrust
Ages ago I chose to rely on self-signed certificates. Everyone was OK with it but then "web of trust" happened. The gormless mass rushed towards "verified", paid-for, "you get what you pay for" certifs.
Soon enough, the so-called "web-of-trust" revealed itself as the extortion scheme it always was, and ever since we hear stories about its hapless victims. And yet, they all gobble it up hook, line and sinker. again, and again, and again, pouring endless streams of money into a despicable extortion scheme despite ample evidence that it exposes them -and their customers- to pwnage rather than protecting them from it.
One born every minute, as the saying goes.
-
-
Sunday 16th October 2016 06:12 GMT Drew 11
Re: Web-o-trust, smmeb'ol'thrust
"Here's the thing about a self-signed certificate: how do I know that you issued it?"
See: DNSSEC+DANE
Bypasses all this CA rubbish - which is why the browser authors don't want to bake it into their browsers.
How about a "PPS:" in the actual article about that, to raise awareness?
-
Sunday 16th October 2016 08:04 GMT A Non e-mouse
Re: Web-o-trust, smmeb'ol'thrust
Here's the thing about a self-signed certificate: how do I know that you issued it? If I don't have a method of independent verification...
Because the CA's have such a good track record for diligently checking every certificate request and only issuing them to the correct people....
-
Monday 17th October 2016 09:49 GMT Anonymous Coward
Re: Web-o-trust, smmeb'ol'thrust
They could at least revoke dodgy ones - how do you revoke a self-signed certificate? Moreover anything protected by a self-signed certificate can be MITM at will, and the user would have little chances to understand unless they personally known the issuer so they can check.
Should the CA become more reliable and liable? Of course. But it would mean higher prices for certificates (proper vetting has costs), and it looks many here are not willingly to pay of safer certificates.
-
-
-
-
Saturday 15th October 2016 17:07 GMT Jack Douglas
How a chunk of the web disappeared — and some important stuff too
SSL isn't only for the web of course — some RDS client machines ended up unable to connect to their server. Clearing the caches was no help (I don't know why) but reissuing the cert and/or using the new intermediate did the job, after a reboot.
The most annoying thing was GlobalSign continuing to tweet marketing drivel in between updates about the crisis on their Twitter feed.
-
Saturday 15th October 2016 18:13 GMT Ken Hagan
Still slightly confused
The headlines (on this article and elsewhere) still seem to be describing it as GlobalSign's fault and yet the small print (in this article and elsewhere) still seems to be explaining that the certification revocation only broke stuff because one or more browsers interpreted it wrongly.
So are we saying that GlobalSign issued a duff revocation, or that they failed to test how their valid revocation might be invalidly acted upon by various browsers, or that GlobalSign basically did everything they could reasonably be expected to and the fault likes with some browser that remains anonymous because GS don't wish to incur their wrath, or are we saying something else entirely?
-
Sunday 16th October 2016 04:58 GMT Brian Miller
Re: Still slightly confused
It wasn't the browsers, it was the "third party security accredited load balanced OCSP responder system" that brought everything down.
So while the responder system was "secure," it just happened to have this one wee hole in it, owning to a problem with comparing dates.
-
-
-
-
Sunday 16th October 2016 10:31 GMT Lee D
Re: Still struggling with the concept of
Was about to comment the same thing.
Should cross-certs have the same public-key as any of the certs they are signing? That seems daft, to me.
It seems a not-unreasonable assumption to me that if you request revocation of a cert with a certain key, and a certain subject name, differing only in date, to then render that cert - and any that it signed - as invalid from the point of issuance of that cert.
Otherwise, what's the point of the revocation and cross-signing mechanism? If, say, the R1 cert WAS compromised and new intermediates signed against your will, isn't that EXACTLY what you would want to happen? Using the cross-signed R2 to revoke it AND its intermediates?
Seems to me to be blaming the software in use for a particular operation when that operation is quite within the scope of reasonable measures, even if it was unintentional or other software DOESN'T do that.
How about you be more careful when revoking certs, and issue cross-certs that aren't using the same public key? If R1 signs a cross-cert that signs R2, there's no need for any of those to use the same public key. If anything it defeats the point of the cross-cert if they share a public key, because they then also share a private key, which means that if that shared key is compromised SOMEONE ELSE can sign any cert they like.
Maybe I'm misinterpreting their PR, but it sounds like they skimped on the implementation, didn't test, and then tried to blame software that had a not-unreasonable, maybe even highly-desirable assumption in it.
-
-
Sunday 16th October 2016 07:26 GMT Hans 1
I bet the subcontractor company will not even have to pay a dime in repairs for damage done ... because the contract most likely has a big disclaimer ... never subcontract your core business to anybody, ever ! Makes sense ? Not to everybody ...
Congrats on taking down that large a chunk of the web, as well as other corporate services, was quite a feat!
-