More than 83K certs from nearly 7K DigiCert customers must be swapped out now

As the DigiCert drama continues, we now have a better idea of the size and scope of the problem – with the organization's infosec boss admitting the SSL/TLS certificate revocation sweep will affect tens of thousands of its customers, some of which have warned that the short notice may have real-world safety implications and …

  1. Doctor Syntax Silver badge

    Given that the error has existed for 5 years, 24 hours seems a bit draconian. Surely this is an exceptional circumstance in its own right that should apply to the entire affected customer base.

    1. NoneSuch Silver badge

      The strict rules are set by the CA/Browser Forum (CABF), the governing body establishing standards for Certificate Authorities (CAs) in issuing and managing SSL/TLS certificates. To obtain a certificate for a domain, a CA must verify the domain owner through methods like email or DNS record changes. If any error occurs during this domain validation process, the CABF mandates that the issued certificate be revoked within 24 hours to safeguard website security and maintain trust in SSL/TLS certificates.

      That isn't something Digicert came up with; it's the agreed standard for being a CA.

      1. david 12 Silver badge

        Entrust "Ensuring Trusted Identities"

        Digicert certainly (digitly certainly) saw what happened to Entrust, and doesn't want it to happen to them:

        "google axes entrust" https://www.theregister.com/2024/06/28/google_axes_entrust_over_six/

        Justification provided --they don't take the rules seriously enough--

    2. trindflo Silver badge

      I'm wondering how this worked before the 24-hour rule was imposed.

      Would businesses just continue using the compromised certificate until they were good and ready to deal with it and allow doppelganger sites to be run by hackers, public be damned?

  2. Anonymous Coward

    When you rely on a third party that has obligations to another party, you risk the chance of being thrown under the bus.

  3. Pascal Monett Silver badge

    "We will not be able to delay revocation beyond that date and time."

    Um, why ? You're the certificate authority, are you not ? It seems to me that you have the ability to do whatever with your certs, including having a bit of patience while thousands of admins and thousands more IT staff have their schedule thrown into the blender to satisfy you.

    1. Vincent Ballard

      Re: "We will not be able to delay revocation beyond that date and time."

      They're afraid that if they delay more than 24 hours, the browsers will implement official policy and remove their root certificates from the browsers' trusted list, causing all of their certificates (and not merely the 0.4% at issue) to become worthless for interactions involving anything other than wget/curl/equivalent.

    2. I could be a dog really Silver badge

      Re: "We will not be able to delay revocation beyond that date and time."

      They have a set of rules to follow - read the articles and other comments.

      The rules mandate that they MUST revoke "unsafe" certificates within 24 hours - so as it is, they are stretching the rules, for some customers, if the customer gives a strong enough justification. Why must they follow the rules ? Because if they don't, as in some of the other comments, the browser vendors will push out an update with that CA's root certificate removed - which spells near instant death for any site using certs from that CA, and as a result, probably not quite as instant death for the CA's business.
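      The consequence both of these replies describe, that a CA root dropped from the browsers' trusted list makes every certificate chained to it worthless, shown as an added Go example that is not from the article or from any commenter. It builds a hypothetical "Example CA" root and one server certificate in memory, then verifies the leaf with and without that root in the trust store; host names and organization are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues tmpl with a fresh P-256 key: self-signed when parent is nil,
// otherwise signed by parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if rand is broken
	signer, issuer := key, tmpl
	if parent != nil {
		signer, issuer = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// BuildChain builds a constructed root CA ("Example CA", hypothetical) and a
// server certificate for host signed by it, standing in for a public CA's chain.
func BuildChain(host string) (*x509.Certificate, *x509.Certificate) {
	now := time.Now()
	root, rootKey := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{Organization: []string{"Example CA"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return root, leaf
}

// TrustedFor: does leaf chain to a root in store and match host? This is the browser's decision.
func TrustedFor(leaf *x509.Certificate, store *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host})
	return err == nil
}
```

      With the root present the leaf verifies; with the same root removed from the pool, the same unchanged leaf fails, which is why a CA cannot afford to ignore the revocation deadline.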

  4. Kevin McMurtrie Silver badge

    Cracked?

    I'm guessing it's 24 hours because the gangs that hang out on Cloudflare, AWS, and GCP have figured out how to take advantage of the bad certs.

    I don't know how much it's worth, though. Everybody's favorite credit union, Patelco, has an anonymous certificate from Let's Encrypt. Obviously lots of people don't check certificate ownership. That's fine as long as you spelled the domain name perfectly, nobody has hijacked the site's DNS, the domain name doesn't have an overdue bill, ...

    1. Anonymous Coward

      Re: Cracked?

      This isn't the first time you've said this about Patelco and I'm really intrigued as to what on earth you mean by "an anonymous certificate".

      Care to elaborate?

      1. Benny Cemoli

        Re: Cracked?

        I would assume by "anonymous certificate" they mean one that is not domain validated. In other words, you go to Let's Encrypt enter your information and they issue a security certificate that can be used for your website

        1. Orv Silver badge

          Re: Cracked?

          You can't just enter data on a web page and get a cert from Let's Encrypt -- you need to at very least prove you control the web server on the host you're getting a certificate for.

    2. Irongut Silver badge

      Re: Cracked?

      RTFA

      24 hours is the period specified by the CA / Browser Forum who control security policy for web browsers. Mozilla, Google, MS, et al are responsible for this and it is good security practice.

      But no, you're not interested in the article or the facts just in pushing your own raving grudge against whoever Patelco is.

  5. Benny Cemoli

    What I would like to know is what penalties DigiCert is going to have imposed upon it for allowing these mis-validated certificates to be issued for the last five years. After all 83,267 certificates isn't a trivial thing. So will they be facing any penalty or will it just be a case of, "Oops, our bad. Won't happen again." and nothing else. Just wondering.

    1. david 12 Silver badge

      This -is- the penalty. You don't think hurting your customers and destroying your own business is a penalty? You'd perhaps feel different in other circumstances.

  6. Anonymous Coward

    Interestingly I logged into my work laptop this morning, and no VPN connection. Plus a text to say there's a "major incident" affecting remote access. I wonder if the two are connected to the subject of the article. I can't see in our locked down view what certs are involved, but in the message log it's been saying "No valid certificates available for authentication".

    As I type, it's just connected.

  7. Anonymous Coward

    Our wider company had 400 certs to replace. Thankfully the ones we were responsible for were only around 20.

    We did manage to get an extension for 96 hours.

  8. Pope Popely

    Am I the only one who can't comprehend the claim "LiFeS DePeNd On iT!" coming from people who make this a) dependent on 3rd party certificates and a clock and b) can't be arsed to implement the rules right?
