Removed from my trust list.
Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle
Digicert says, come Saturday, July 11, it will revoke tens of thousands of encryption certificates issued by intermediaries that were not properly audited. A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities (ICAs) had issued EV certs to customers despite not being …
COMMENTS
-
Friday 10th July 2020 01:16 GMT Snake
1000% UNACCEPTABLE
to place the deadline to deprecate such major components during the weekend.
Absolutely intolerable. Kill off broken security? A necessary evil. Place the deadline on a Saturday, causing either forced overtime for mitigation, or simply causing fallovers for an entire weekend for those that missed it?
Inexcusable.
I agree: with this DigiSign shows very little care, both in regard to the question of how such a thing could occur in the first place, and the mitigation of the damage. Kill the company off. With fire.
-
-
Friday 10th July 2020 10:19 GMT Roland6
Re: 1000% UNACCEPTABLE
True, however, from the quotes in the article, it would seem that Digicert have all the data, just that their audit reports were deficient (i.e. they didn't actually do the job they were intended to do). Hence they could resolve the problem by simply running corrected audit reports on the data...
-
Friday 10th July 2020 16:04 GMT Kobe.T
Re: 1000% UNACCEPTABLE
Looking at the original posts on the MDSP, it seems like the 35000-ish EV certs in question (not 50000) were in the population to be tested against the WebTrust for EV, but the CA names of the CAs were dropped from the audit report. It is more of a clerical error than a real security risk, as those certs are vetted based on the EV standards. The policy they need to adhere to casts the 5-day requirement to revoke, which might be unreasonable for the subscribers.
-
-
-
Friday 10th July 2020 08:23 GMT Anonymous Coward
Re: 1000% UNACCEPTABLE
True, but they have to revoke in that time period. However, it is a 15 minute job to change the certificate if they want to put a standard SSL cert in its place for now. Changing to another EV might take longer.
An issue could be if they have any processes that have been specifically told to trust the cert unique signature, but they'd be facing a problem with that every two years anyway.
-
-
Friday 10th July 2020 18:20 GMT Kobe.T
Re: 1000% UNACCEPTABLE
FWIW, for a small company, it might be simply replacing one or two certs used for their e-commerce site. Given the number of certs affected, there must be mid-large enterprises too. If that is the case, they would have the change management process to kick in, testing, scheduling a maintenance window and whatnot. In some cases they might need to travel to a datacenter. Probably not a good time to travel though (as we all know). Whether 5 days is reasonable or not depends on who it is and what needs to be done.
-
-
Friday 10th July 2020 21:29 GMT joesomeone
Re: 1000% UNACCEPTABLE
A lot of big businesses moved quickly and with relative aplomb to switch to nearly 100% Work from Home for millions of employees across the world just a few months ago, often with only 1-2 weeks notice.
If that type of coordination can be mustered and executed across the entire enterprise, I think five days to swap out certificates is within the realm of possibility.
Plus, I would hope that those who deploy EV certificates read the fine print, fully understood what they were purchasing and put this into their Risk Assessment, before deploying EV certificates.
-
-
Friday 10th July 2020 01:51 GMT Anonymous Coward
Due diligence?
I feel for the users caught in this but I can understand the time frame which was put in place because of the prospect of false, malicious EV Certs.
Digicert, OTOH, I have no sympathy for. The company should be punished, severely, for failing to exercise due diligence in verifying ICAs in advance of their issuing any certificates, much less 50,000 of them.
-
Friday 10th July 2020 07:06 GMT katrinab
How many bank websites will go down this weekend?
At a look at the websites for the largest banks in the UK:
Natwest is fine, they use Comodo. As far as I can see, all other RBS Group companies use the same supplier
Nationwide is affected, they need to replace their certificate today
TSB is affected
Lloyds Banking Group (including Halifax and Bank of Scotland) are fine
HSBC is affected
Clydesdale Bank (+ Yorkshire Bank + Virgin Money + B) are affected
Santander uses Entrust, they are fine
Barclays and Barclaycard use Entrust, they are fine
Monzo uses Cloudflare, they are fine
Revolut don't have an EV certificate.
American Express are affected
So I'm guessing about 40% of the UK population could potentially be without money this weekend.
-
-
Friday 10th July 2020 11:18 GMT katrinab
In Safari, you can tell when you click on the padlock
On my self-hosted mail server, I see:
"Safari is using an encrypted connection to mail.mydomain
"Encryption with a digital certificate keeps information private as it's sent to or from the https website mail.mydomain"
On Nationwide, it starts the same as the above, then there is:
"Digicert Inc has identified www.nationwide.co.uk as being owned by Nationwide Building Society in Swindon, GB."
On Chrome, when you click on the padlock:
On my mail server, you see "Certificate (Valid)"
On Nationwide, you see
"Certificate (Valid)
"Issued to: Nationwide Building Society [GB]"
-
Friday 10th July 2020 12:16 GMT anothercynic
This is only (!) a problem if the banks correctly (and strictly) implemented app security, i.e. not only check whether the cert is not expired, but also *not revoked*. Many just check expiry on the basis that a cert would never be revoked (right? right???). I know, I sound snarky, but given how many developers do not check CRLs, many end users won't be any the wiser.
Browsers on the other hand... They have appropriately implemented it and will hopefully correctly check the CRL to make sure whether the certificate is revoked before continuing TLS.
-
Friday 10th July 2020 18:09 GMT joesomeone
Details matter....
I'm not sure your list of banks are entirely correct.
The ICAs that are being revoked (if you read the linked KB from the article) are -
DigiCert Global CA G2
GeoTrust TLS RSA CA G1
Secure Site CA
Thawte TLS RSA CA G1
Cybertrust Japan Secure Server ECC CA
DigiCert Global CA G3
GeoTrust TLS ECC CA G1
Thawte TLS ECC CA G1
NCC Group Secure Server CA G3
Aetna Inc. Secure CA2
DigiCert SHA2 High Assurance Server CA
NCC Group Secure Server CA G2
Plex Devices High Assurance CA2
TERENA SSL High Assurance CA 3
Looking at AMEX, I don't see their EV cert chained to any of these ICAs. Yes, they are chained to "DigiCert", but not one of these specific ones. And the cert for AMEX was issued back in February, so this isn't a mitigated certificate. Plus, the signing ICA isn't one of the replacement ICAs.
Same with HSBC, that's issued by the same ICA as AMEX, DigiCert SHA2 Extended Validation Server CA, which isn't listed for execution tomorrow.
Same with Clydesdale Bank....
I haven't checked your whole list, but I wouldn't get entirely out of breath here.
-
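The two checks debated in the comments above (which ICA actually signed a given leaf, and whether a client that only checks expiry would notice a revocation at all) can be exercised offline against a throwaway PKI. The script below is an added example, not code from the article, from DigiCert or from any commenter; every CA name, hostname and the "affected ICA" list in it is made up, and it only assumes a stock `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example: build a throwaway root -> ICA -> leaf chain with openssl,
# then (a) read the issuing ICA's CN off a leaf and match it against a list
# of affected ICA names, and (b) show that a chain/expiry-only verify passes a
# revoked cert while a CRL-aware verify rejects it.
# All names below are constructed; nothing here touches DigiCert's real CAs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for the list of ICAs scheduled for revocation.
AFFECTED_ICAS='Example Secure Site CA
Example SHA2 High Assurance Server CA'

# issue SUBJ_CN KEY_OUT CERT_OUT SIGNER_CERT SIGNER_KEY EXT_FILE
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
      -keyout "$2" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
      -days 30 -extfile "$6" -out "$3" 2>/dev/null
}

setup_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > leaf.ext
  # Self-signed root, one ICA under it, two leaves from that ICA.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
      -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
      -extfile ca.ext -out root.crt 2>/dev/null
  issue 'Example Secure Site CA' ica.key ica.crt root.crt root.key ca.ext
  issue 'www.bank.test' revoked.key revoked.crt ica.crt ica.key leaf.ext
  issue 'www.shop.test' ok.key ok.crt ica.crt ica.key leaf.ext
  # Minimal 'openssl ca' config so the ICA can revoke a leaf and publish a CRL.
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = ica
[ ica ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
certificate = ica.crt
private_key = ica.key
default_md = sha256
default_crl_days = 7
EOF
  : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
  openssl ca -config ca.cnf -revoke revoked.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ica.crl 2>/dev/null
}

# Print the CN of the certificate's issuer, i.e. the ICA that signed it.
issuing_ica() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=CN=//'
}

# True if the issuer CN is on the affected list (exact line match).
is_affected() {
  printf '%s\n' "$AFFECTED_ICAS" | grep -Fxq "$(issuing_ica "$1")"
}

# Chain + validity period only: what a client that never consults a CRL does.
chain_valid() {
  openssl verify -CAfile root.crt -untrusted ica.crt "$1" >/dev/null 2>&1
}

# Same chain check, but the ICA's CRL is consulted for the leaf.
chain_valid_with_crl() {
  openssl verify -crl_check -CAfile root.crt -CRLfile ica.crl \
      -untrusted ica.crt "$1" >/dev/null 2>&1
}

setup_pki
for c in revoked.crt ok.crt; do
  printf '%s: issuer=%s affected=%s chain=%s chain+crl=%s\n' "$c" \
    "$(issuing_ica "$c")" \
    "$(is_affected "$c" && echo yes || echo no)" \
    "$(chain_valid "$c" && echo OK || echo FAIL)" \
    "$(chain_valid_with_crl "$c" && echo OK || echo FAIL)"
done
```

Both leaves pass `chain_valid` (nothing has expired), but only `ok.crt` passes `chain_valid_with_crl`; `revoked.crt` fails with OpenSSL's "certificate revoked" error. That is the gap anothercynic describes: an app that only checks the validity period keeps trusting the revoked cert until it expires. The issuer-CN match is the same idea as the crt.sh-by-issuer approach, done locally on a cert you already have; note that a real list should be matched on the ICA's full subject (or better, its SHA-256 fingerprint), since different ICAs can carry similar CNs.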
Friday 10th July 2020 18:21 GMT Kobe.T
You have to look into crt.sh and see which issuing CAs are affected and see which EV certificates are issued from those since a single CA (as in a company) may have multiple issuing CAs (as in a digital certificate). Going to random sites is not the best way to do it. Just a suggestion. I'm guessing 40% of the U.K. population can withdraw money from the ATM rather than trying to pull cash out from the browser (Nevertheless, I do love the idea!).
-
-
Friday 10th July 2020 12:06 GMT bryces666
5 days, pull the other one!
Lots of shit going to get broken!
Every time I have to renew our EV certs it typically takes 1 to 2 months, due to the need for them to phone us directly on a publicly listed number (not easily located to their satisfaction), time zone problems, and the general incompetence of cert providers in dialling the correct numbers for international calls at the right time of day.
If I could do this in a 5 day time frame it would be a bloody miracle, and make me very happy, but then I'd probably be seeing airborne pigs as well.
-
-
Friday 10th July 2020 18:28 GMT joesomeone
Certificates are hard... to do properly
Certificates are a bitch and chore. If done properly, they're hidden within a HSM and given the second word of that name, those are no joke.
And the average website isn't going to acquire an EV certificate. Only companies that need/want the extra level of accreditation and protection that EV provides is going to take this route.
And part and parcel of that protection are audits like this and the nuke it from orbit response when something doesn't pass the sniff test.
Because all these things matter to shareholders.
-
-
Friday 10th July 2020 12:27 GMT Tonytuck
Something doesn't smell right...
If this was an audit snafu, shouldn't it have been an easy fix? An auditor letter or something? If the audit was really done correctly and it was an oversight in the '...audit report did not list the specific ICA', a fix easier than revoking 50000 certificates on a weekend would have been used.
Something is wrong here, Mozilla need to look into it.
-
Friday 10th July 2020 12:44 GMT anothercynic
Re: Something doesn't smell right...
Unless the audit *wasn't* done correctly, in which case the only recourse to maintain trust *is* to revoke 50,000 certificates. The irony does not escape me.
Whether those 50,000 certificate owners will want to remain with that authority is another question.
-
-
-
Friday 10th July 2020 23:25 GMT Anonymous Coward
Re: Let's Encrypt
Let's Encrypt certs are great for encryption. The clue is in the name. However, the other major thing certificates are supposed to be used for is to provide trust. Major cert vendors such as Digicert do due diligence on the cert applicant, such as checking the business is valid and who they say they are, checking contact details, registered business number such as ABN, etc.
This is why it can be a real ball ache getting a cert due to the hoops you have to jump through, especially for a wildcard or EV. It isn't a perfect system (and this case shows what can go wrong) but it is all we have at the moment. it gives you some measure of confidence that the organisation you are dealing with is who they say they are.
Let's Encrypt does not provide this. They are great for encrypting sites you already trust, such as your own mail server, but do not provide trust in others due to the very limited org checks. All they do is domain ownership verification (or did last time I looked at them, maybe it has changed). If I went to a bank or shop website and found it was using a Let's Encrypt cert, I would quickly walk away.
-
Friday 10th July 2020 16:12 GMT Cynic_999
When security becomes onerous, it will be circumvented
After getting an "unsafe connection" popup a few times on perfectly secure sites that have suffered from this mass certificate revocation, I can see many people will be looking for ways to disable certificate checking. Or at least automatically click on "connect anyway" without further checks.
So a great time for phishing sites to step up operations.
-
Friday 10th July 2020 18:37 GMT John Savard
Distressing
It is distressing, whatever the cause, that innocent customers will suffer an inconvenience through no fault of their own. Hopefully, they will not also suffer an out-of-pocket expense, in that they will instead receive full refunds for the certificates they purchased, since they will have to pay for the new ones. Given the need to update certificates over the weekend, and the lack of a genuine security risk, while there are rules to be followed, there should also have been a central authority able to issue a waiver of those rules to accommodate the situation.
-
Saturday 11th July 2020 23:00 GMT Claverhouse
Put Business-People In Charge Of Government !
If government or supra-government such as the EU screwed up like this, all the usual anti-statist crowd would be frothing about how typical it is of bureaucracy and over-reaching state control. If a business does, no matter how vital its services, such things are soon passed over.