Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle

Digicert says, come Saturday, July 11, it will revoke tens of thousands of encryption certificates issued by intermediaries that were not properly audited. A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities (ICAs) had issued EV certs to customers despite not being …

  1. NetBlackOps

    Removed from my trust list.

  2. Snake Silver badge

    1000% UNACCEPTABLE

    to place the deadline to deprecate such major components during the weekend.

    Absolutely intolerable. Kill off broken security? A necessary evil. Place the deadline on a Saturday, causing either forced overtime for mitigation, or simply causing fallovers for an entire weekend for those that missed it?

    Inexcusable.

    I agree: with this DigiSign shows very little care, both in regard to the question of how such a thing could occur in the first place, and the mitigation of the damage. Kill the company off. With fire.

    1. tip pc Silver badge

      Re: 1000% UNACCEPTABLE

      The article explains, at the end, that the timing isn't down to Digicert, it's following pre-agreed rules.

      1. Roland6 Silver badge

        Re: 1000% UNACCEPTABLE

        True, however, from the quotes in the article, it would seem that Digicert have all the data, just that their audit reports were deficient (i.e. they didn't actually do the job they were intended to do). Hence they could resolve the problem by simply running corrected audit reports on the data...

        1. Kobe.T

          Re: 1000% UNACCEPTABLE

          Looking at the original posts on the MDSP, it seems like the 35000-ish EV certs in question (not 50000) were in the population to be tested against the WebTrust for EV, but the names of the CAs were dropped from the audit report. It's more of a clerical error than a real security risk, as those certs are vetted based on the EV standards. The policy they need to adhere to casts the 5-day requirement to revoke, which might be unreasonable for the subscribers.

    2. Anonymous Coward
      Anonymous Coward

      Re: 1000% UNACCEPTABLE

      True, but they have to revoke in that time period. However it is a 15 minute job to change the certificate if they want to put a standard SSL cert in its place for now. Changing to another EV might take longer.

      An issue could be if they have any processes that have been specifically told to trust the cert unique signature, but they'd be facing a problem with that every two years anyway.

    3. iron Silver badge

      Re: 1000% UNACCEPTABLE

      You were given 5 working days to do the job. If you complete it on Friday you don't have to work Saturday.

      Would you prefer they announced it on say Wednesday meaning it must be done by Monday and only giving you 3 working days to complete?

      1. Kobe.T

        Re: 1000% UNACCEPTABLE

        FWIW, for a small company, it might simply be replacing one or two certs used for their e-commerce site. Given the number of certs affected, there must be mid-to-large enterprises too. If that is the case, they would have the change management process to kick in, testing, scheduling a maintenance window and whatnot. In some cases they might need to travel to a datacenter. Probably not a good time to travel though (as we all know). Whether 5 days is reasonable or not depends on who it is and what needs to be done.

    4. zuckzuckgo Silver badge

      Re: 1000% UNACCEPTABLE

      If the standard allowed 7 days rather than 5 that would ensure that there was a work week to deal with the problem, no matter your culture or which day the notice went out.

      This is assuming the 5 days is a somewhat arbitrary number, which it may not be.

    5. joesomeone
      Boffin

      Re: 1000% UNACCEPTABLE

      A lot of big businesses moved quickly and with relative aplomb to switch to nearly 100% Work from Home for millions of employees across the world just a few months ago, often with only 1-2 weeks notice.

      If that type of coordination can be mustered and executed across the entire enterprise, I think five days to swap out certificates is within the realm of possibility.

      Plus, I would hope that those who deploy EV certificates read the fine print, fully understood what they were purchasing and put this into their Risk Assessment, before deploying EV certificates.

  3. Anonymous Coward
    FAIL

    Due diligence?

    I feel for the users caught in this but I can understand the time frame which was put in place because of the prospect of false, malicious EV Certs.

    Digicert, OTOH, I have no sympathy for. The company should be punished, severely, for failing to exercise due diligence in verifying ICAs in advance of their issuing any certificates, much less 50,000 of them.

    1. stiine Silver badge
      Facepalm

      Re: Due diligence?

      If, by punished, you mean having to re-issue 50k certs, well, that's why this article is here...

  4. Anonymous Coward
    Anonymous Coward

    "required" by CA/B

    As recent incidents have shown, CA/B is more than willing to give more time, if you're the anointed golden child.

  5. katrinab Silver badge
    Unhappy

    How many bank websites will go down this weekend?

    At a look at the websites for the largest banks in the UK:

    Natwest is fine, they use Comodo. As far as I can see, all other RBS Group companies use the same supplier

    Nationwide is affected, they need to replace their certificate today

    TSB is affected

    Lloyds Banking Group (including Halifax and Bank of Scotland) are fine

    HSBC is affected

    Clydesdale Bank (+ Yorkshire Bank + Virgin Money + B) are affected

    Santander uses Entrust, they are fine

    Barclays and Barclaycard use Entrust, they are fine

    Monzo uses Cloudflare, they are fine

    Revolut don't have an EV certificate.

    American Express are affected

    So I'm guessing about 40% of the UK population could potentially be without money this weekend.

    1. Steve Foster

      The certificates for Nationwide do not have any intermediate CAs, so should not be affected.

      I can't obviously identify whether it's EV or not (how does one tell these days?).

      1. Kientha

        If you click on the certificate details (click on the padlock) an EV certificate will say issued to: *Company name*

      2. katrinab Silver badge

        In Safari, you can tell when you click on the padlock

        On my self-hosted mail server, I see:

        "Safari is using an encrypted connection to mail.mydomain

        "Encryption with a digital certificate keeps information private as it's sent to or from the https website mail.mydomain"

        On Nationwide, it starts the same as the above, then there is:

        "Digicert Inc has identified www.nationwide.co.uk as being owned by Nationwide Building Society in Swindon, GB."

        On Chrome, when you click on the padlock:

        On my mail server, you see "Certificate (Valid)"

        On Nationwide, you see

        "Certificate (Valid)

        "Issued to: Nationwide Building Society [GB]"

    2. anothercynic Silver badge

      This is only (!) a problem if the banks correctly (and strictly) implemented app security, i.e. not only check whether the cert is not expired, but also *not revoked*. Many just check expiry on the basis that a cert would never be revoked (right? right???). I know, I sound snarky, but given how many developers do not check CRLs, many end users won't be any the wiser.

      Browsers on the other hand... They have appropriately implemented it and will hopefully correctly check the CRL to make sure whether the certificate is revoked before continuing TLS.

    3. iron Silver badge

      > How many bank websites will go down this weekend?

      ...

      > So I'm guessing about 40% of the UK population could potentially be without money this weekend.

      Why do you need a website to get money? I just use a cash machine.

      1. zuckzuckgo Silver badge

        But the cash machine's secure communications might rely on one of the dodgy certificates. Then again it might just ignore the revocation.

        1. Kobe.T

          Good point. There are ones that use it. Interesting thing is, they have no browser interfacing it yet use a cert that is built for WebPKI.

          1. Vincent Ballard

            I wouldn't be 100% sure that they're not running a fullscreen browser in kiosk mode.

    4. joesomeone
      Facepalm

      Details matter....

      I'm not sure your list of banks is entirely correct.

      The ICAs that are being revoked (if you read the linked KB from the article) are -

      DigiCert Global CA G2

      GeoTrust TLS RSA CA G1

      Secure Site CA

      Thawte TLS RSA CA G1

      Cybertrust Japan Secure Server ECC CA

      DigiCert Global CA G3

      GeoTrust TLS ECC CA G1

      Thawte TLS ECC CA G1

      NCC Group Secure Server CA G3

      Aetna Inc. Secure CA2

      DigiCert SHA2 High Assurance Server CA

      NCC Group Secure Server CA G2

      Plex Devices High Assurance CA2

      TERENA SSL High Assurance CA 3

      Looking at AMEX, I don't see their EV cert chained to any of these ICAs. Yes, they are chained to "DigiCert", but not one of these specific ones. And the cert for AMEX was issued back in February, so this isn't a mitigated certificate. Plus, the signing ICA isn't one of the replacement ICAs.

      Same with HSBC, that's issued by the same ICA as AMEX, DigiCert SHA2 Extended Validation Server CA, which isn't listed for execution tomorrow.

      Same with Clydesdale Bank....

      I haven't checked your whole list, but I wouldn't get entirely out of breath here.

    5. Kobe.T

      You have to look into crt.sh and see which issuing CAs are affected and see which EV certificates are issued from those since a single CA (as in a company) may have multiple issuing CAs (as in a digital certificate). Going to random sites is not the best way to do it. Just a suggestion. I'm guessing 40% of the U.K. population can withdraw money from the ATM rather than trying to pull cash out from the browser (Nevertheless, I do love the idea!).
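The checks this thread keeps circling back to, as an added example that is not part of the article or of any comment: which ICA issued a cert and whether the cert is EV (the padlock discussion and joesomeone's ICA list above), and anothercynic's point that a client which validates the chain but never consults a CRL will keep accepting the cert after Saturday. Everything runs offline against a throwaway chain built in a temp directory: the "ICA" is merely named like one of the listed ones (no DigiCert key material is involved), the leaf is a constructed fixture, and the ICA names are taken from the list in the comment above. The policy OID 2.23.140.1.1 is the real CA/Browser Forum EV OID; the `openssl` invocations are standard ones, and the host name `www.example.test` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article, DigiCert or any commenter). Builds a
# throwaway chain whose issuing CA is only *named* like a listed ICA, checks the
# leaf as you would a cert pulled from a live server, then revokes it to show
# that only a CRL-aware verify notices. Needs openssl 1.1.1 or newer.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# ICA subject CNs quoted in the comment above; nothing else is assumed about them.
AFFECTED_ICAS='DigiCert Global CA G2
GeoTrust TLS RSA CA G1
Secure Site CA
Thawte TLS RSA CA G1
Cybertrust Japan Secure Server ECC CA
DigiCert Global CA G3
GeoTrust TLS ECC CA G1
Thawte TLS ECC CA G1
NCC Group Secure Server CA G3
Aetna Inc. Secure CA2
DigiCert SHA2 High Assurance Server CA
NCC Group Secure Server CA G2
Plex Devices High Assurance CA2
TERENA SSL High Assurance CA 3'

# CA/Browser Forum EV policy OID: its presence in certificatePolicies is what
# makes a browser show the organisation name behind the padlock.
EV_OID='2.23.140.1.1'

# Constructed fixtures: a self-signed "ICA" and an EV-looking leaf signed by it.
# For a real host you would instead capture the leaf with
#   openssl s_client -connect www.example.test:443 -servername www.example.test \
#     </dev/null 2>/dev/null | openssl x509 -out leaf.pem
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -keyout ica.key -out ica.pem \
        -subj '/C=US/O=Example/CN=Thawte TLS RSA CA G1' >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj '/C=GB/O=Example Building Society/CN=www.example.test' >/dev/null 2>&1
    printf 'certificatePolicies=%s\nsubjectAltName=DNS:www.example.test\n' "$EV_OID" > leaf.ext
    openssl x509 -req -in leaf.csr -CA ica.pem -CAkey ica.key -set_serial 4660 \
        -days 30 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# CN of the certificate's issuer (RFC2253 form puts CN first on the line).
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 |
        sed -n 's/^issuer=.*CN=\([^,]*\).*/\1/p'
}

# True if the cert was issued by one of the ICAs scheduled for revocation.
is_affected() {
    printf '%s\n' "$AFFECTED_ICAS" | grep -Fxq -- "$(issuer_cn "$1")"
}

# True if the cert asserts the EV policy OID.
is_ev() {
    openssl x509 -in "$1" -noout -text | grep -q "Policy: $EV_OID"
}

# Revoke the leaf through a minimal `openssl ca` database and issue a CRL.
make_crl_with_leaf_revoked() {
    mkdir -p cadb && : > cadb/index.txt
    cat > ca.cnf <<'EOF'
[ca]
default_ca = test_ca
[test_ca]
database = cadb/index.txt
new_certs_dir = cadb
certificate = ica.pem
private_key = ica.key
default_md = sha256
default_crl_days = 7
EOF
    openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out ica.crl >/dev/null 2>&1
}

# Chain validation only (what "just check expiry" clients do): still passes.
verify_chain_only() { openssl verify -CAfile ica.pem "$1" >/dev/null 2>&1; }

# Chain validation plus a CRL check: this is the one that notices.
verify_with_crl() {
    openssl verify -crl_check -CAfile ica.pem -CRLfile ica.crl "$1" >/dev/null 2>&1
}

make_test_chain
printf 'issuer CN : %s\n' "$(issuer_cn leaf.pem)"
if is_ev leaf.pem; then echo 'EV policy : present'; else echo 'EV policy : absent'; fi
if is_affected leaf.pem; then echo 'affected  : yes, replace before the revocation'; else echo 'affected  : no'; fi
make_crl_with_leaf_revoked
if verify_chain_only leaf.pem; then echo 'chain-only verify : OK (revocation not seen)'; fi
if verify_with_crl leaf.pem; then echo 'verify with CRL   : OK'; else echo 'verify with CRL   : REVOKED'; fi
```

The name match is deliberately on the issuer CN only, because that is all the list gives; on a production cert compare against the intermediate's fingerprint from the KB as well, since a CA can run several issuing CAs with near-identical names (Kobe.T's crt.sh point above). `-crl_check` covers the leaf only; `-crl_check_all` walks the whole chain, and an OCSP-based client would need `openssl ocsp` against the responder in the cert's AIA extension instead.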

  6. bryces666

    5 days, pull the other one!

    Lots of shit going to get broken!

    Every time I have to renew our EV certs it typically takes 1 to 2 months, due to the need for them to direct phone us on a publicly listed number (not easily located to their satisfaction), time zone problems and the general incompetence of cert providers in dialing the correct numbers for international calls at the right time of day.

    If I could do this in a 5 day time frame it would be a bloody miracle, and make me very happy, but then I'd probably be seeing airborne pigs as well.

  7. williamsth
    Joke

    And this is why you don't go for free certificate authorities. Oh. Wait...

  8. sitta_europea Silver badge

    How come the users of certificates let this certificate maintenance thing get so messy?

    1. joesomeone
      Boffin

      Certificates are hard... to do properly

      Certificates are a bitch and chore. If done properly, they're hidden within a HSM and given the second word of that name, those are no joke.

      And the average website isn't going to acquire an EV certificate. Only companies that need/want the extra level of accreditation and protection that EV provides are going to take this route.

      And part and parcel of that protection are audits like this and the nuke it from orbit response when something doesn't pass the sniff test.

      Because all these things matter to shareholders.

  9. Tonytuck

    Something doesn't smell right...

    If this was an audit snafu, shouldn't it have been an easy fix? An auditor's letter or something? If the audit was really done correctly and it was an oversight in the '...audit report did not list the specific ICA', a fix easier than revoking 50000 certificates on a weekend would have been used.

    Something is wrong here, Mozilla need to look into it.

    1. anothercynic Silver badge

      Re: Something doesn't smell right...

      Unless the audit *wasn't* done correctly, in which case the only recourse to maintain trust *is* to revoke 50,000 certificates. The irony does not escape me.

      Whether those 50,000 certificate owners will want to remain with that authority is another question.

      1. Tonytuck

        Re: Something doesn't smell right...

        Right, and if the audit wasn't done correctly...that should have a bigger impact and cover the rest of the operations, no? And they should be admitting that too, not just 'oops the auditors missed some names off a letter'.

  10. TeeCee Gold badge
    Facepalm

    "Although there is no security threat, the EV Guidelines require...

    Gosh! If I were in the firing line I'd be right, royally pissed off that I was getting the shaft purely because some box-ticking chair polisher's spreadsheet wasn't up to date.

  11. SJA

    Let's Encrypt

    Why do people still waste their money on useless EV certs when you have an automated way to get Let's Encrypt certs?

    1. Kobe.T

      Re: Let's Encrypt

      Let's Encrypt had an incident in late Feb this year affecting 3,048,289 certificates... that is probably why. Free comes with a price. And on top of that, since it is free, there is no support to call.

      1. MatthewSt

        Re: Let's Encrypt

        Digicert EV certificates come with a $1.75m warranty, so it'll be interesting to see what kind of claims come out of this

    2. Anonymous Coward
      Anonymous Coward

      Re: Let's Encrypt

      Let's Encrypt certs are great for encryption. The clue is in the name. However, the other major thing certificates are supposed to be used for is to provide trust. Major cert vendors such as Digicert do due diligence on the cert applicant, such as checking the business is valid and who they say they are, checking contact details, registered business number such as ABN, etc.

      This is why it can be a real ball ache getting a cert due to the hoops you have to jump through, especially for a wildcard or EV. It isn't a perfect system (and this case shows what can go wrong) but it is all we have at the moment. It gives you some measure of confidence that the organisation you are dealing with is who they say they are.

      Let's Encrypt does not provide this. They are great for encrypting sites you already trust such as your own mail server, but do not provide trust in others due to the very limited org checks. All they do is domain ownership verification (or did last time I looked at them, maybe it has changed). If I went to a bank or shop website and found it was using a Let's Encrypt cert, I would quickly walk away.

  12. Cynic_999

    When security becomes onerous, it will be circumvented

    After getting an "unsafe connection" popup a few times on perfectly secure sites that have suffered from this mass certificate revocation, I can see many people will be looking for ways to disable certificate checking. Or at least automatically click on "connect anyway" without further checks.

    So a great time for phishing sites to step up operations.

  13. John Savard

    Distressing

    It is distressing, whatever the cause, that innocent customers will suffer an inconvenience through no fault of their own. Hopefully, they will not also suffer an out-of-pocket expense, in that they will instead receive full refunds for the certificates they purchased, since they will have to pay for the new ones. Given the need to update certificates over the weekend, and the lack of a genuine security risk, while there are rules to be followed, there should also have been a central authority able to issue a waiver of those rules to accommodate the situation.

  14. Claverhouse Silver badge
    WTF?

    Put Business-People In Charge Of Government !

    If government or supra-government such as the EU screwed up like this, all the usual anti-statist crowd would be frothing about how typical it is of bureaucracy and over-reaching state control. If a business does, no matter how vital its services, such things are soon passed over.
