Some of the world's largest websites were labeled insecure by leading browsers and became inaccessible following a revocation issue caused by one of the leading SSL certificate providers, GlobalSign, late last week.
When attempting to visit websites such as Wikipedia and The Guardian, some users were shown messages such as:
“Your Connection Is Not Secure”
“Attackers might be trying to steal your information from www.Wikipedia.com (for example, passwords, messages or credit cards)”
Others received the following message:
“The server's security certificate is revoked!”
“You attempted to reach www.wikipedia.com, but the certificate that the server presented has been revoked by its issuer. This means that the security credentials the server presented today absolutely should not be trusted. You may be communicating with an attacker”.
The issue stemmed from a mistaken move on GlobalSign's part: it revoked one of its intermediary certificates, a cross-certificate that linked two of its root certificates and that needed to remain in place. Once the cross-certificate was revoked, every SSL certificate whose chain of trust ran through it was treated as revoked and deemed insecure. This sent the internet into a bit of a meltdown as web browsers refused to load websites incorrectly labeled unsafe, leaving websites and businesses with little choice but to suspend their online operations until the issue could be fixed.
GlobalSign explained the following in its press release:
“CRL responses had been operational for one week, however an unexpected consequence of providing OCSP responses became apparent this morning, in that some browsers incorrectly inferred that the cross-signed root had revoked intermediates, which was not the case.
GlobalSign has since removed the cross-certificate from the OCSP database and cleared all caches. However, the global nature of CDNs and effectiveness of caching continued to push some of those responses out as far as end users. End-users cannot always easily clear their caches, either through lack of knowledge or lack of permission.”
Furthermore, GlobalSign has said that although it has replaced the intermediary certificate and fixed the issue, it will be some time before the websites that were unfortunately shut down can be safely accessed again. The firm claimed the cached responses will expire by Monday, effectively resolving the problem.
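To make the mechanism concrete, the following is an added, simplified model of how a client builds a certificate path and checks each link's OCSP status; it is constructed for this article and is not GlobalSign's or any browser's real code. Every certificate name, serial number, responder entry and cache lifetime in it is hypothetical. It shows three things the article describes: a single revoked link (here a cross-certificate) fails every chain that passes through it, a client that can reach a trusted root by another path is unaffected, and a cached "revoked" response keeps rejecting the site after the CA withdraws its mistake, until the response's nextUpdate time passes.

```python
"""Toy model of X.509 chain building with OCSP revocation checks and
response caching. Constructed example, not GlobalSign's or any browser's
real code: every certificate name, serial, responder entry and cache
lifetime below is hypothetical."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

DAY = 24 * 3600


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # subject name of the certificate that signed this one
    serial: int


@dataclass
class OcspResponse:
    status: str        # "good" or "revoked"
    next_update: int   # unix time; a cache may serve the response until then


class OcspCache:
    """Models the CDN / browser cache: an entry is reused until next_update."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, int], OcspResponse] = {}

    def lookup(self, cert: Cert, now: int) -> Optional[OcspResponse]:
        resp = self._store.get((cert.issuer, cert.serial))
        return resp if resp is not None and resp.next_update > now else None

    def store(self, cert: Cert, resp: OcspResponse) -> None:
        self._store[(cert.issuer, cert.serial)] = resp


def build_paths(leaf: Cert, pool: List[Cert], anchors: Set[str]) -> List[List[Cert]]:
    """Return every chain from leaf up to a trusted root name in `anchors`.
    A cross-signed CA occurs in `pool` under a second issuer, so the search
    may find more than one path for the same leaf."""
    paths: List[List[Cert]] = []

    def walk(chain: List[Cert]) -> None:
        top = chain[-1]
        if top.issuer in anchors:          # chain terminates at a trust anchor
            paths.append(list(chain))
        for cand in pool:                  # it may also continue via a cross-cert
            if cand.subject == top.issuer and cand not in chain:
                walk(chain + [cand])

    walk([leaf])
    return paths


def validate_chain(chain: List[Cert], cache: OcspCache, responder: Callable,
                   now: int) -> Tuple[bool, str]:
    """Every certificate below the root must have a non-revoked OCSP status;
    one revoked link fails the whole chain, as a browser would reject the site."""
    for cert in chain:
        resp = cache.lookup(cert, now)
        if resp is None:
            resp = responder(cert, now)
            cache.store(cert, resp)
        if resp.status == "revoked":
            return False, f"{cert.subject} (serial {cert.serial}) revoked"
    return True, " -> ".join(c.subject for c in chain)


def verify(leaf: Cert, pool: List[Cert], anchors: Set[str], cache: OcspCache,
           responder: Callable, now: int) -> Tuple[bool, str]:
    """A site is trusted if at least one path to a trusted root validates."""
    reasons = []
    for path in build_paths(leaf, pool, anchors):
        ok, reason = validate_chain(path, cache, responder, now)
        if ok:
            return True, reason
        reasons.append(reason)
    return False, "; ".join(reasons) or "no path to a trusted root"


# Constructed PKI: leaf -> issuing CA -> Root R2, where Root R2 is also
# cross-signed by the older Root R1 so clients trusting only R1 can chain up.
LEAF = Cert("www.example.test", "Example Issuing CA", 1001)
ISSUING = Cert("Example Issuing CA", "Root R2", 2001)
CROSS = Cert("Root R2", "Root R1", 3001)        # the cross-certificate
POOL = [ISSUING, CROSS]
MODERN_STORE = {"Root R1", "Root R2"}           # trusts the newer root directly
LEGACY_STORE = {"Root R1"}                      # can only reach R2 via the cross-cert


def make_responder(revoked_serials: Set[int], lifetime: int = 4 * DAY) -> Callable:
    """Constructed OCSP responder; `revoked_serials` is shared and mutable so a
    mistaken revocation can be published and later withdrawn."""
    def responder(cert: Cert, now: int) -> OcspResponse:
        status = "revoked" if cert.serial in revoked_serials else "good"
        return OcspResponse(status, now + lifetime)
    return responder


def run_scenario() -> Dict[str, bool]:
    """Replays the shape of the incident with constructed data."""
    mistake: Set[int] = {CROSS.serial}       # cross-cert wrongly published as revoked
    responder = make_responder(mistake)
    legacy_cache, modern_cache = OcspCache(), OcspCache()
    results: Dict[str, bool] = {}
    results["legacy_during"] = verify(LEAF, POOL, LEGACY_STORE, legacy_cache, responder, 0)[0]
    results["modern_during"] = verify(LEAF, POOL, MODERN_STORE, modern_cache, responder, 0)[0]
    mistake.clear()                          # CA withdraws the bad revocation an hour later
    results["legacy_after_fix_cached"] = verify(LEAF, POOL, LEGACY_STORE, legacy_cache, responder, 3600)[0]
    results["legacy_after_fix_fresh"] = verify(LEAF, POOL, LEGACY_STORE, OcspCache(), responder, 3600)[0]
    results["legacy_after_expiry"] = verify(LEAF, POOL, LEGACY_STORE, legacy_cache, responder, 5 * DAY)[0]
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:26s} {'trusted' if ok else 'REJECTED'}")
```

Running it prints that the legacy client is rejected during the mistake and stays rejected from its cache after the fix, while a client with an empty cache, or the same client once the four-day response lifetime has elapsed, trusts the site again; the client whose root store trusts Root R2 directly never sees a problem. The cache is keyed on issuer name and serial, which is how a real OCSP request identifies a certificate, but the lifetime and the four-day figure are assumptions chosen for the example, not GlobalSign's actual values.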
We are currently experiencing issues with our OCSP which is causing certificate warning messages. We aim to fix this as soon as possible.
— GlobalSign (@globalsign) October 13, 2016
However, the incident, which is known to have affected websites worldwide such as Dropbox and the Financial Times, could already have cost consumers, bloggers and website owners alike millions in lost revenue, not to mention the smaller websites whose reputations may now be tarnished for good.
Venafi chief cybersecurity strategist Kevin Bocek explained:
“It’s hard to know how many companies have been impacted, but with GlobalSign boasting that over 25 million certificates rely on the public trust of the GlobalSign root CA certificate, the impact is undoubtedly huge. The reality is that failures like this and breaches involving certificates are becoming more frequent – not surprising, since the world is becoming encrypted,” he argued.
“The impact though is completely unacceptable – you can’t have your site being untrusted or taken offline for days on end. Businesses must have an automated back-up plan – they cannot be at the mercy of any one CA. These types of issues will continue to happen but when they do, firms need to be able to take control and immediately and automatically change out affected certificates.”
It just goes to show that not ALL SSL providers and certificate authorities can be trusted at all times. Mistakes will be made and things will go wrong. Do your research and go with a provider that has been in the industry for a while and that you can trust; otherwise it could be your online business that suffers in the end.
‘GlobalSign Causes Mass HTTPS Revocation – Spotify, Wikipedia, The Guardian And Drop Box All Affected’ is licensed under a Creative Commons Attribution 4.0 International License. You have permission to republish this article with attribution to the author and Blog.trustico.com.