Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle

You've got less than 42 hours to regenerate your certs


Digicert says, come Saturday, July 11, it will revoke tens of thousands of encryption certificates issued by intermediaries that were not properly audited.

A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities (ICAs) had issued EV certs to customers despite not being included in DigiCert's WebTrust audits – which goes against the rules for EV certs. To remedy this, DigiCert said it will revoke every single EV cert issued by the ICAs in question – think CertCentral, Symantec, Thawte, and GeoTrust.

"To resolve the issue, we must migrate issuance to new ICAs and revoke all certificates issued under the impacted ICAs," Digicert told its customers in an email.

"Although there is no security threat, the EV Guidelines require that we revoke EV certificates signed by the affected ICAs by July 11, 2020 at 12pm MDT (July 11, 18:00 UTC)."

We understand the number of certs set to be pulled is somewhere in the range of 50,000. For those not in the know, computers and other devices are told, typically, by their operating systems to trust certificates issued by Digicert. Rather than handle the issuing of certs all by itself, it allows intermediates, such as GeoTrust, to issue certificates on its behalf. Thus when you, say, visit a website secured by a HTTPS cert issued by GeoTrust, the browser can follow the chain back to Digicert and trust the connection is all above board. Now thousands of these certificates need to be reissued due to a bureaucratic screw-up.

And, by the way, EV certs, aka Extended Validation certificates, are supposed to be the gold standard in the cert-selling industry: these are the ones that show up with the cert owner's legal name in some browsers' address bar next to the padlock. This is so that when you're visiting your bank's website, and it says My Super Bank Corp, you're reassured this really is the real deal. EV certs have their critics.

'The result is a weird situation'

On Monday, Digicert VP of product security and compliance Brenda Bernal explained, via Mozilla's Bugzilla system, that the mass revocation this week was needed because intermediate certificate authorities created between August 2013 and February 2018 were incorrectly left out of its audit reports.

"In the past, ICAs were listed in audit reports based on planned usage rather than whether they were capable of issuing EV, meaning that not all TLS issuing certs were listed in the audit report. This is separate from how we pull EV data for the auditor sample, where the sample is pulled from all issued certs, regardless of chain," said Bernal.

"The result is a weird situation where all of the certs were tested against the EV requirements, but the audit report did not list the specific ICA. Because of this, we are revoking all of the end-entity EV certs and moving them to a new chain."

waiting

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too

MORE LIKE THIS

DigiCert only learned of the problem on July 2, and decided on Monday to throw the EV certs on the bonfire with the industry-mandated five days of notice. A plan to run a new audit is underway, and will likely take place next month.

While DigiCert was commended for taking quick action to resolve the issue, some of the customers of the impacted ICAs are less than thrilled about being given just five days of warning that they will have to replace their certs.

"I work in a major ISP and it has thrown our operations into organized chaos getting all impacted systems traced and new certs installed," a Reg reader, affected by the revocation and speaking on condition of anonymity, told us. "This is not straight forward as we interface with many third parties so we need to get their engagement and coordination."

Other customers expressed similar frustration at the short run-up to the mass revocation of tens of thousands of certs.

"Revoking over 50,000 certificates within five days is a draconian move that is only warranted when a severe security breach has been detected," wrote Bugzilla user Hank Nussbacher. "There needs to be some common sense in determining how long to allow before the certificate is revoked. Minor typos in province or mistakes with audit reports should be given 2-4 weeks to revoke certificates."

As others point out, however, it isn't Digicert's call to only wait five days for the revocation. Rather, that is what is required by Mozilla and CAB Forum rules.

Digicert had no comment at time of going to press. ®


Keep Reading

Microsoft drives users to the Edge: Internet Explorer to redirect to Chromium-based browser in November

'Hey, you folks heard that there's this virus starting to spread?' – IE, probably

In a world where up is down, it's heartwarming to know Internet Explorer still tops list of web dev pain points

Incompatibilities and inconsistent standards support among browsers ensure an ongoing source of headaches

We've come to wish you an unhappy birthday: Microsoft to yank services from Internet Explorer, kill off Legacy Edge by 2021

You need to give that plate back to us after you've finished your cake. Yes the fork too. We'll get your coat

Azure DevOps Services reminds users that, yes, it really is time to pull the plug on Internet Explorer 11

Ignite Sure, it's still wedged in the OS, but maybe you'd prefer something shiny and Chromier?

Finally. Thanks so much, nerds. Google, Apple, Mozilla end government* internet spying for good

* Terms and conditions apply. Offer not valid outside Kazakhstan. Your home may be repossessed if you do not keep up payments

Mozilla signs fresh Google search deal worth mega-millions as 25% staff cut hits Servo, MDN, security teams

Updated $2.5m-a-year CEO set to take a pay cut, so that's all right, then

'Supporting Internet Explorer is hell': Web developers identify top needs – new survey

WebAssembly key tech for replacing native apps, say respondents

If you never thought you'd hear a Microsoftie tell you to stop using Internet Explorer, lap it up: 'I beg you, let it retire to great bitbucket in the sky'

We say take off and nuke the entire codebase from orbit. It's the only way to be sure

Biting the hand that feeds IT © 1998–2020