Had a bad weekend? Probably, if you're a Sectigo customer, after root cert expires and online chaos ensues

Web sites and services tied to older versions of OpenSSL and GnuTLS have been dropping like flies

On Saturday, at 10:48 UTC, Sectigo's AddTrust legacy root certificate expired, causing a bit of weekend havoc for thousands of websites and services that rely on it for making a secure TLS/SSL connection.

"Generally speaking, this is affecting older, non-browser clients (notably OpenSSL 1.0.x) which talk to TLS servers which serve a Sectigo certificate chain ending in the expired certificate," wrote Andrew Ayer, founder of SSLMate, in a blog post.

When connecting to a TLS server, the server sends a certificate to the client to establish its identity, and an intermediate certificate that links the server cert to a trusted root certificate. This forms a chain of trust. When that chain breaks – because a certificate is invalid or missing – errors occur.

After the AddTrust External CA Root and the USERTrust RSA CA intermediate certificate expired, applications like Red Hat Enterprise Linux 7, Roku's streaming media service, and Algolia, started having problems.

Users of the RoboForm password manager found they could not connect to the RoboForm server.

Some apps, like website monitoring app Oh Dear, warned users ahead of time so they could remove the expiring certificate before things broke.

Illustration of a software bug under a magnifying glass

GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps


Ayer's SSLMate also managed just fine. "I saw this coming over a year ago, and configured SSLMate to start providing a chain without AddTrust External CA Root," he wrote, in what we imagine was a slightly smug tone.

Ayer has been compiling a list of affected applications and services on Twitter.

The damage as measured in time seems to be not more than a few hours. Heroku was down for about 70 minutes fixing things up. Turnitin reported downtime of about 2.5 hours.

Modern browsers should not be affected because they're designed to use the SHA-2 root (COMODO or USERTrust) as an alternative trust chain. But applications that rely on older versions of OpenSSL and GnuTLS weren't designed to deal with bad certs.

"Lots of embedded software doesn’t handle this," said Ryan Sleevi, a Google software engineer, via Twitter. "OpenSSL was, and is, fundamentally shit at verifying 'real' certificates. It has a long history of not coping with the Internet, and only really handling toy/enterprise-specific CAs that are linear. But even then, not very well."

El Reg readers report that UK-based cert biz Trustico and US-based SSLS.com have been issuing certificates that are suddenly failing because they were issued without checking that all the certs in the chain of trust are valid.

The Register asked SSLS.com for comment, and we've not heard back.

University of California, Berkeley has posted a notification to systems administrators outlining potentially affected systems, such as Linux or macOS OpenLDAP clients.

Of particular concern, the university said, are systems and devices that haven't seen security updates since 2015, such as Apple Mac OS X 10.11 (El Capitan) or earlier, Apple iOS 9 or earlier, Google Android 5.0 or earlier, Microsoft Windows Vista & 7 (if the Update Root Certificates Feature has been disabled since before June 2010), Microsoft Windows XP (if an Automatic Root Update has not been received since before June 2010), Mozilla Firefox 35 or earlier, Oracle Java 8u50 or earlier, and embedded devices (e.g. copy machines) that have not installed a firmware update since before mid 2015.

"In a perfect world, all of your libraries would be up-to-date and you wouldn't be using clownish TLS implementations like GnuTLS," wrote Ayer. "But the world isn't perfect." ®

Broader topics

Other stories you might like

  • Travis CI exposes free-tier users' secrets – new claim
    API can be manipulated to reveal tokens in clear text log data

    Travis CI stands for "Continuous Integration" but might just as well represent "Consciously Insecure" if, as security researchers claim, the company's automation software exposes secrets by design.

    Aqua Security Software on Monday said its researchers had reported a data disclosure vulnerability with the Travis CI API. The response they said they received is that everything is working as intended.

    In a blog post security researchers Yakir Kadkoda, Ilay Goldman, Assaf Morag, and Ofek Itach said they had found tens of thousands of user tokens were accessible through the Travis CI API, which provides a way to fetch clear-text log files.

    Continue reading
  • Mega's unbreakable encryption proves to be anything but
    Boffins devise five attacks to expose private files

    Mega, the New Zealand-based file-sharing biz co-founded a decade ago by Kim Dotcom, promotes its "privacy by design" and user-controlled encryption keys to claim that data stored on Mega's servers can only be accessed by customers, even if its main system is taken over by law enforcement or others.

    The design of the service, however, falls short of that promise thanks to poorly implemented encryption. Cryptography experts at ETH Zurich in Switzerland on Tuesday published a paper describing five possible attacks that can compromise the confidentiality of users' files.

    The paper [PDF], titled "Mega: Malleable Encryption Goes Awry," by ETH cryptography researchers Matilda Backendal and Miro Haller, and computer science professor Kenneth Paterson, identifies "significant shortcomings in Mega’s cryptographic architecture" that allow Mega, or those able to mount a TLS MITM attack on Mega's client software, to access user files.

    Continue reading
  • Apple gets lawsuit over Meltdown and Spectre dismissed
    Judge finds security is not a central feature of iDevices

    A California District Court judge has dismissed a proposed class action complaint against Apple for allegedly selling iPhones and iPads containing Arm-based chips with known flaws.

    The lawsuit was initially filed on January 8, 2018, six days after The Register revealed the Intel CPU architecture vulnerabilities that would later come to be known as Meltdown and Spectre and would affect Arm and AMD chips, among others, to varying degrees.

    Amended in June, 2018 the complaint [PDF] charges that the Arm-based Apple processors in Cupertino's devices at the time suffered from a design defect that exposed sensitive data and that customers "paid more for their iDevices than they were worth because Apple knowingly omitted the defect."

    Continue reading

Biting the hand that feeds IT © 1998–2022