Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle

You've got less than 42 hours to regenerate your certs

Digicert says, come Saturday, July 11, it will revoke tens of thousands of encryption certificates issued by intermediaries that were not properly audited.

A notice emitted by the certificate biz explained that a number of its intermediate certificate authorities (ICAs) had issued EV certs to customers despite not being included in DigiCert's WebTrust audits – which goes against the rules for EV certs. To remedy this, DigiCert said it will revoke every single EV cert issued by the ICAs in question – think CertCentral, Symantec, Thawte, and GeoTrust.

"To resolve the issue, we must migrate issuance to new ICAs and revoke all certificates issued under the impacted ICAs," Digicert told its customers in an email.

"Although there is no security threat, the EV Guidelines require that we revoke EV certificates signed by the affected ICAs by July 11, 2020 at 12pm MDT (July 11, 18:00 UTC)."

We understand the number of certs set to be pulled is somewhere in the range of 50,000. For those not in the know, computers and other devices are told, typically, by their operating systems to trust certificates issued by Digicert. Rather than handle the issuing of certs all by itself, it allows intermediates, such as GeoTrust, to issue certificates on its behalf. Thus when you, say, visit a website secured by a HTTPS cert issued by GeoTrust, the browser can follow the chain back to Digicert and trust the connection is all above board. Now thousands of these certificates need to be reissued due to a bureaucratic screw-up.

And, by the way, EV certs, aka Extended Validation certificates, are supposed to be the gold standard in the cert-selling industry: these are the ones that show up with the cert owner's legal name in some browsers' address bar next to the padlock. This is so that when you're visiting your bank's website, and it says My Super Bank Corp, you're reassured this really is the real deal. EV certs have their critics.

'The result is a weird situation'

On Monday, Digicert VP of product security and compliance Brenda Bernal explained, via Mozilla's Bugzilla system, that the mass revocation this week was needed because intermediate certificate authorities created between August 2013 and February 2018 were incorrectly left out of its audit reports.

"In the past, ICAs were listed in audit reports based on planned usage rather than whether they were capable of issuing EV, meaning that not all TLS issuing certs were listed in the audit report. This is separate from how we pull EV data for the auditor sample, where the sample is pulled from all issued certs, regardless of chain," said Bernal.

"The result is a weird situation where all of the certs were tested against the EV requirements, but the audit report did not list the specific ICA. Because of this, we are revoking all of the end-entity EV certs and moving them to a new chain."


Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too


DigiCert only learned of the problem on July 2, and decided on Monday to throw the EV certs on the bonfire with the industry-mandated five days of notice. A plan to run a new audit is underway, and will likely take place next month.

While DigiCert was commended for taking quick action to resolve the issue, some of the customers of the impacted ICAs are less than thrilled about being given just five days of warning that they will have to replace their certs.

"I work in a major ISP and it has thrown our operations into organized chaos getting all impacted systems traced and new certs installed," a Reg reader, affected by the revocation and speaking on condition of anonymity, told us. "This is not straight forward as we interface with many third parties so we need to get their engagement and coordination."

Other customers expressed similar frustration at the short run-up to the mass revocation of tens of thousands of certs.

"Revoking over 50,000 certificates within five days is a draconian move that is only warranted when a severe security breach has been detected," wrote Bugzilla user Hank Nussbacher. "There needs to be some common sense in determining how long to allow before the certificate is revoked. Minor typos in province or mistakes with audit reports should be given 2-4 weeks to revoke certificates."

As others point out, however, it isn't Digicert's call to only wait five days for the revocation. Rather, that is what is required by Mozilla and CAB Forum rules.

Digicert had no comment at time of going to press. ®

Similar topics

Other stories you might like

  • Employers in denial over success of digital skills training, say exasperated staffers

    Large disparities in views from bosses vs workers on 'talent transformation initiatives,' says survey

    Digital transformation projects are being held back by a lack of skills, according to a new survey, which finds that while many employers believe they are doing well at training up existing staff to meet the requirements, their employees beg to differ.

    Skills shortages are nothing new, but the Talent Transformation Global Impact report from research firm Ipsos on behalf of online learning provider Udacity indicates that although digital transformation initiatives are stalling due to a lack of digital talent, enterprises are becoming increasingly out of touch with what their employees need to fill the skills gap.

    The report is the result of two surveys taking in over 2,000 managers and more than 4,000 employees across the US, UK, France, and Germany. It found that 59 per cent of employers state that not having enough skilled employees is having a major or moderate impact on their business.

    Continue reading
  • Saved by the Bill: What if... Microsoft had killed Windows 95?

    Now this looks like a job for me, 'cos we need a little, controversy... 'Cos it feels so NT, without me

    Former Microsoft veep Brad Silverberg has paid tribute to Bill Gates for saving Windows 95.

    Silverberg posted his comment in a Twitter exchange started by Fast co-founder Allison Barr Allen regarding somebody who'd changed your life. Silverberg responded "Bill Gates" and, in response to a question from Microsoft cybersecurity pro Ashanka Iddya, explained Gates's role in Windows 95's survival.

    Continue reading
  • UK government opens consultation on medic-style register for Brit infosec pros

    Are you competent? Ethical? Welcome to UKCSC's new list

    Frustrated at lack of activity from the "standard setting" UK Cyber Security Council, the government wants to pass new laws making it into the statutory regulator of the UK infosec trade.

    Government plans, quietly announced in a consultation document issued last week, include a formal register of infosec practitioners – meaning security specialists could be struck off or barred from working if they don't meet "competence and ethical requirements."

    The proposed setup sounds very similar to the General Medical Council and its register of doctors allowed to practice medicine in the UK.

    Continue reading
  • Microsoft's do-it-all IDE Visual Studio 2022 came out late last year. How good is it really?

    Top request from devs? A Linux version

    Review Visual Studio goes back a long way. Microsoft always had its own programming languages and tools, beginning with Microsoft Basic in 1975 and Microsoft C 1.0 in 1983.

    The Visual Studio idea came from two main sources. In the early days, Windows applications were coded and compiled using MS-DOS, and there was a MS-DOS IDE called Programmer's Workbench (PWB, first released 1989). The company also came up Visual Basic (VB, first released 1991), which unlike Microsoft C++ had a Windows IDE. Perhaps inspired by VB, Microsoft delivered Visual C++ 1.0 in 1993, replacing the little-used PWB. Visual Studio itself was introduced in 1997, though it was more of a bundle of different Windows development tools initially. The first Visual Studio to integrate C++ and Visual Basic (in .NET guise) development into the same IDE was Visual Studio .NET in 2002, 20 years ago, and this perhaps is the true ancestor of today's IDE.

    A big change in VS 2022, released November, is that it is the first version where the IDE itself runs as a 64-bit process. The advantage is that it has access to more than 4GB memory in the devenv process, this being the shell of the IDE, though of course it is still possible to compile 32-bit applications. The main benefit is for large solutions comprising hundreds of projects. Although a substantial change, it is transparent to developers and from what we can tell, has been a beneficial change.

    Continue reading
  • James Webb Space Telescope has arrived at its new home – an orbit almost a million miles from Earth

    Funnily enough, that's where we want to be right now, too

    The James Webb Space Telescope, the largest and most complex space observatory built by NASA, has reached its final destination: L2, the second Sun-Earth Lagrange point, an orbit located about a million miles away.

    Mission control sent instructions to fire the telescope's thrusters at 1400 EST (1900 UTC) on Monday. The small boost increased its speed by about 3.6 miles per hour to send it to L2, where it will orbit the Sun in line with Earth for the foreseeable future. It takes about 180 days to complete an L2 orbit, Amber Straughn, deputy project scientist for Webb Science Communications at NASA's Goddard Space Flight Center, said during a live briefing.

    "Webb, welcome home!" blurted NASA's Administrator Bill Nelson. "Congratulations to the team for all of their hard work ensuring Webb's safe arrival at L2 today. We're one step closer to uncovering the mysteries of the universe. And I can't wait to see Webb's first new views of the universe this summer."

    Continue reading

Biting the hand that feeds IT © 1998–2022