DigiCert Revoked 83,000+ SSL Certificates Due to Domain Validation Issue
Certificate authority (CA) DigiCert has announced that it is revoking a large number of SSL/TLS certificates because of a flaw in its domain validation process.
The flaw affects more than 83,000 certificates. It is serious because it undermines the step that establishes who actually controls a domain name, the property on which the trust placed in an SSL/TLS certificate rests.
Validation Process and Issue
SSL/TLS certificates play a pivotal role in safeguarding the privacy of communications between clients and servers.
As a publicly trusted CA, DigiCert must verify that an applicant owns or controls the domain named in the certificate before issuing it. This step, known as Domain Control Validation (DCV), is performed using one of several standard methods defined in the CA/Browser Forum Baseline Requirements.
One of these methods relies on DNS CNAME records. DigiCert gives the applicant a random value, and the applicant publishes a CNAME record under the domain whose label is derived from that value.
DigiCert then performs a DNS lookup and confirms that the published record matches, which demonstrates control of the domain. Because a bare random string placed directly under the domain could coincide with a real hostname, the label is required to carry a leading underscore character; an underscore makes the label invalid as a hostname and so removes the collision risk.
Due to an implementation error, DigiCert did not apply this rule consistently and omitted the underscore prefix for some validations.
The omission dates from changes DigiCert made to its validation system in early 2019, which the company describes as part of an effort to modernize the underlying architecture.
Origins of the Problem
The problem began when DigiCert reworked its validation system and, in doing so, stopped adding the underscore prefix to the random value used in CNAME-based validation.
Most of the new code paths did include the prefix, but one path that generated the random value did not. Depending on which path a validation request took, the prefix was therefore sometimes present and sometimes missing.
The defect was not caught during implementation or during regression testing. Regression tests covered workflows and functions but did not check the content and format of the random value itself.
No thorough comparison was made between how the legacy system produced the random value and how the new system did, which allowed the difference to go unnoticed.
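As an added illustration (not DigiCert's code, and not part of the original article), the following Python models the CNAME-based DCV exchange described above: the label the applicant is asked to publish, the CA-side lookup, and the format check on the random value that, according to the article, regression testing never covered. The CNAME target, the label length bound, the builder function names and the in-memory "zone" standing in for live DNS are all assumptions constructed for this example.

```python
"""Model of CNAME-based Domain Control Validation (DCV).

The CA hands the applicant a random value; the applicant publishes a CNAME
record under the domain; the CA looks it up. The label must carry a leading
underscore so it cannot be a real hostname and therefore cannot collide with a
subdomain that some other party might legitimately control.
"""
import re
import secrets

# Assumed CNAME target for this example; not DigiCert's actual DCV target.
DCV_TARGET = "dcv.example-ca.test."

# A compliant label is an underscore followed by the random value. The minimum
# length is an assumption for the example: a 112-bit value in hex is 28 chars.
COMPLIANT_LABEL = re.compile(r"^_[A-Za-z0-9]{20,}$")


def new_random_value(nbits: int = 112) -> str:
    """Fresh random value with at least nbits of entropy, hex-encoded."""
    return secrets.token_hex((nbits + 7) // 8)


def build_label_correct(random_value: str) -> str:
    """Intended construction: underscore prefix plus the random value."""
    return "_" + random_value


def build_label_legacy_bug(random_value: str) -> str:
    """Models the flawed code path described in the article: prefix omitted."""
    return random_value


def is_compliant_label(label: str) -> bool:
    """Format check on the label itself. The leading underscore makes the
    label invalid as a hostname, so it cannot collide with a real subdomain."""
    return COMPLIANT_LABEL.match(label) is not None


def verify_cname_dcv(domain, random_value, zone, builder=build_label_correct):
    """CA-side check. `zone` is a constructed stand-in for a DNS lookup:
    owner name (with trailing dot) -> (rtype, rdata). Returns (ok, reason)."""
    label = builder(random_value)
    # Gate on the label format before trusting the lookup result; this is the
    # check that would have rejected labels produced by the buggy path.
    if not is_compliant_label(label):
        return False, f"label {label!r} is not compliant (underscore prefix missing?)"
    owner = f"{label}.{domain}.".lower()
    rec = zone.get(owner)
    if rec is None:
        return False, f"no record at {owner}"
    rtype, rdata = rec
    if rtype != "CNAME":
        return False, f"{owner} is a {rtype} record, expected CNAME"
    if rdata.lower() != DCV_TARGET:
        return False, f"CNAME target {rdata} does not match {DCV_TARGET}"
    return True, f"control of {domain} demonstrated via {owner}"


def regression_check(builder, samples: int = 100) -> bool:
    """The test that was missing: assert on the content and format of every
    emitted label, not merely that the validation workflow completes."""
    return all(is_compliant_label(builder(new_random_value()))
               for _ in range(samples))


if __name__ == "__main__":
    rv = new_random_value()
    # Constructed zone: the applicant published the record correctly.
    good_zone = {f"_{rv}.example.com.": ("CNAME", DCV_TARGET)}
    print(verify_cname_dcv("example.com", rv, good_zone))
    # Constructed zone: record published the way the buggy path instructed.
    bad_zone = {f"{rv}.example.com.": ("CNAME", DCV_TARGET)}
    print(verify_cname_dcv("example.com", rv, bad_zone, build_label_legacy_bug))
    print("correct builder passes format check:", regression_check(build_label_correct))
    print("legacy builder passes format check:", regression_check(build_label_legacy_bug))
```

The point of `regression_check` is that a workflow-level test (does validation succeed end to end?) passes for both builders, because the buggy path both told the applicant to publish the bare value and looked up the bare value. Only a test that inspects the emitted label's format distinguishes them.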
Discovery and Response
The issue went unnoticed until a customer asked a question about the random values used in domain validation. The resulting investigation by DigiCert revealed that some validations had not been performed in a compliant way.
The affected validations amount to roughly 0.4% of those performed with this method, which corresponds to 83,267 certificates belonging to 6,807 customers.
In response, DigiCert immediately notified the affected customers and instructed them to replace their certificates as soon as possible. Under the CA/Browser Forum Baseline Requirements, a CA must revoke certificates issued on the basis of a failed validation within 24 hours, which is why the replacement window was so short.
The company published step-by-step guidance for customers: generate a CSR for the replacement certificate, complete DCV again, and then reissue.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert about the disruption the revocations could cause.
Any website, service or application that continues to present one of the revoked certificates will fail TLS validation until the certificate is replaced.
Mitigation Efforts
DigiCert said it has been working directly with affected customers, particularly those facing the greatest impact.
For operators of critical infrastructure who could not replace certificates within the standard window without prolonged outages, the company accepted requests for delayed revocation.
DigiCert subsequently stopped accepting delayed-revocation requests and stated that all affected certificates would be revoked by August 3, 2024, at 7:30 PM UTC.
Conclusion
This case underscores the need for rigorous testing of certificate validation systems, including tests on the content and format of the values they produce rather than only on whether the workflow completes.
It also shows how a defect introduced during a system change can persist for years, accumulating affected certificates, when no periodic review compares the new implementation against the requirements it is meant to satisfy.
Domain validation errors of this kind are not unprecedented; what limits the damage is a fast response and clear guidance to customers.
All affected customers should replace their certificates before the revocation deadline to avoid disruption of the services that depend on them.