Certificate Authority (CA) DigiCert has warned that it will revoke a subset of SSL/TLS certificates within 24 hours because it failed to properly verify that those certificates were issued to the rightful owner of the domain.
DigiCert: Reasons Behind SSL Certificate Revocation
The company said it will take steps to revoke certificates that do not have proper Domain Control Validation (DCV).
“Before issuing a certificate to a customer, DigiCert verifies the customer’s control or ownership of the domain name for which they are requesting a certificate using one of several methods approved by the CA/Browser Forum (CABF),” DigiCert said.
One of these methods has the customer set up a DNS CNAME record (a mechanism that also concerns Cloudflare; recall the recent incident) containing a random value provided by DigiCert. DigiCert then performs a DNS lookup for the domain in question to confirm that the random values match.
The random value, according to DigiCert, is prefixed with an underscore to avoid a possible collision with an actual subdomain that uses the same random value.
What the Utah-based company discovered was that it had not included the underscore prefix with the random value used in some CNAME-based validation cases.
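The following is an added example, not DigiCert's code, that models the CNAME-based DCV check described above in simplified form. The record shape (an underscore-prefixed random label under the customer's domain, pointing at a CA-controlled target), the resolver and the sample zone are all constructed assumptions; the point it shows is that the underscore prefix must be added once at generation time and re-checked at validation time, so that an unprefixed value is refused rather than being looked up as if it were an ordinary subdomain.

```python
"""Simplified model of CNAME-based Domain Control Validation (DCV).

Added illustration, not DigiCert's implementation.  The zone, resolver and
record layout below are constructed for the example.
"""
import secrets
import string

UNDERSCORE_PREFIX = "_"

# Constructed CA-side target that a valid DCV CNAME must point to.
CA_DCV_TARGET = "dcv.ca.example."


def generate_random_value(length=32):
    """Generate the random token handed to the customer.

    The underscore prefix is applied here, once, so no later code path can
    forget it.  The article describes a refactor in which this step survived
    on some paths but not on others.
    """
    alphabet = string.ascii_lowercase + string.digits
    token = "".join(secrets.choice(alphabet) for _ in range(length))
    return UNDERSCORE_PREFIX + token


def is_properly_prefixed(value):
    """Defensive re-check at validation time: reject values lacking the prefix.

    An unprefixed label could collide with a real subdomain that happens to
    carry the same name, which is exactly the collision the prefix avoids.
    """
    return value.startswith(UNDERSCORE_PREFIX) and len(value) > 1


# Constructed sample zone: fully-qualified name -> CNAME target.
SAMPLE_ZONE = {
    "_abc123.example.test.": CA_DCV_TARGET,        # correct DCV record
    "abc123.example.test.": "www.example.test.",    # an ordinary, unrelated subdomain
}


def lookup_cname(name, zone=SAMPLE_ZONE):
    """Stand-in for a DNS resolver; returns the CNAME target or None."""
    return zone.get(name)


def validate_cname(domain, random_value, zone=SAMPLE_ZONE):
    """Return (ok, reason) for a CNAME-based DCV attempt.

    Validation requires: the random value is underscore-prefixed, a CNAME
    exists at <random_value>.<domain>., and it points at the CA's DCV target.
    """
    if not is_properly_prefixed(random_value):
        return False, "random value lacks underscore prefix; refusing to validate"
    fqdn = f"{random_value}.{domain}."
    target = lookup_cname(fqdn, zone)
    if target is None:
        return False, f"no CNAME found at {fqdn}"
    if target != CA_DCV_TARGET:
        return False, f"CNAME at {fqdn} points to {target}, not the CA target"
    return True, f"validated via {fqdn}"


if __name__ == "__main__":
    # Correctly prefixed value: passes.
    print(validate_cname("example.test", "_abc123"))
    # Same token without the prefix: refused before any DNS lookup, even
    # though an unrelated record with that name exists in the zone.
    print(validate_cname("example.test", "abc123"))
    # Freshly generated values always carry the prefix.
    print(generate_random_value())
```

The `is_properly_prefixed` check is deliberately separate from `generate_random_value`: a regression test on the token's content and structure (not just on the workflow around it) is the kind of check the article says was missing.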
The origins of this problem
The problem has its roots in a series of changes, starting in 2019, to renew the underlying architecture. The code that added the underscore prefix was removed and subsequently “added to some paths in the updated system,” but not to a path that neither added it automatically nor checked whether the random value already had an underscore prefix.
“The omission of an automatic underscore prefix was not detected during cross-functional team reviews that occurred prior to the deployment of the updated system,” said DigiCert, adding: “Even though we had regression tests in place, those tests did not alert us to the change in functionality because the regression tests were focused on workflows and functionality rather than the content/structure of the random value.”
That’s not all, as the company also said: “Unfortunately, no reviews were done to compare the legacy random value implementations with the random value implementations in the new system for each scenario. If we had done such evaluations, we would have discovered earlier that the system was not automatically prefixing the random value with an underscore where necessary.”
How will DigiCert solve the problem?
Subsequently, on June 11, 2024, DigiCert revamped its random value generation process and eliminated the manual addition of the underscore prefix as part of a user experience improvement project, but acknowledged that it had again not “compared this UX change to the underscore flow in the legacy system.”
The company said it discovered the non-compliance issue only “several weeks ago” when an anonymous customer contacted the company regarding the random values used in the validation, prompting a further review.
It also noted that the incident impacted approximately 0.4% of applicable domain validations, which, according to an update on the related Bugzilla report, amounts to 83,267 certificates and 6,807 customers.
Notified customers are advised to replace their certificates as soon as possible by logging into their DigiCert accounts, generating a Certificate Signing Request (CSR), and reissuing them after passing the DCV.
The development has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publish a notice stating that “Revoking these certificates may cause temporary disruptions to websites, services, and applications that rely on these certificates for secure communication.”