DigiCert to Revoke Over 83,000 SSL Certificates Due to Critical Domain Validation Error


In a move affecting a large number of websites and online services, certificate authority (CA) DigiCert has announced that it will revoke more than 83,000 SSL/TLS certificates within 24 hours. The action responds to a defect in DigiCert's domain validation process, the step that is supposed to ensure certificates are issued only to the parties that actually control the domains named in them.

DigiCert, a prominent player in the cybersecurity landscape, revealed that the certificates in question lacked proper Domain Control Validation (DCV). This validation step is crucial as it verifies that the entity requesting the certificate indeed controls the domain for which the certificate is issued.

The Domain Validation Process

Before issuing a certificate, DigiCert uses one of several methods approved by the CA/Browser Forum (CABF) to confirm that the applicant controls the domain name. One common method has the customer create a DNS CNAME record whose owner name is built from a random value supplied by DigiCert, pointing at a DigiCert-controlled target. DigiCert then performs a DNS lookup for that name; if the record resolves as expected, domain control is confirmed.

To prevent the validation record from colliding with a real subdomain, the random value is prefixed with an underscore character (underscores are not legal in hostnames, so such a label can never be an actual host). The prefix is also a compliance requirement: the CABF Baseline Requirements permit this "DNS Change" method only when the record sits at the Authorization Domain Name itself or under a label that begins with an underscore. DigiCert discovered that, in some cases, the prefix was omitted, which is what led to the current revocation.
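The following is an added example, not DigiCert's code, that models the CNAME-based DCV check described above against a small in-memory zone so it runs offline. The zone contents, the domain `example.com` and the CA target `dcv.example-ca.invalid` are constructed for illustration. It shows the compliant owner name, the defective variant with no underscore, a validator that enforces the prefix before doing any lookup, and the kind of retroactive audit needed to find validations that slipped through without it.

```python
"""Offline model of a DNS-change domain control validation (DCV) check.

Added example, not DigiCert's implementation.  A dict stands in for live
DNS so the code runs without network access; all names are constructed.
"""
import secrets

# Constructed zone: owner name -> CNAME target (both fully qualified).
CONSTRUCTED_ZONE = {
    "_k7f2m9q4x1.example.com.": "dcv.example-ca.invalid.",  # compliant record
    "k7f2m9q4x1.example.com.": "dcv.example-ca.invalid.",   # prefix omitted
    "www.example.com.": "origin.example.com.",              # ordinary hostname
}


def new_random_value(nbytes: int = 16) -> str:
    """Random value handed to the applicant; 16 bytes gives 128 bits of entropy,
    above the 112-bit minimum the Baseline Requirements set for such values."""
    return secrets.token_hex(nbytes)


def dcv_owner_name(domain: str, random_value: str, add_prefix: bool = True) -> str:
    """Owner name the applicant must create.  add_prefix=False reproduces the
    defect described in the article: the underscore is simply not added."""
    label = ("_" if add_prefix else "") + random_value
    return f"{label}.{domain}".rstrip(".") + "."


def lookup_cname(zone: dict, name: str):
    """Stand-in for a DNS CNAME query against the constructed zone."""
    return zone.get(name.rstrip(".") + ".")


def validate_dcv(zone: dict, owner_name: str, expected_target: str,
                 enforce_prefix: bool = True) -> bool:
    """Return True only if the CNAME at owner_name points to expected_target.

    With enforce_prefix=True (the compliant behaviour) a leftmost label that
    does not start with '_' is rejected before any lookup is made, so a record
    published without the prefix cannot pass.  enforce_prefix=False models a
    checker that neither adds nor verifies the prefix.
    """
    label = owner_name.split(".", 1)[0]
    if enforce_prefix and not label.startswith("_"):
        return False
    target = lookup_cname(zone, owner_name)
    return target is not None and target.rstrip(".") == expected_target.rstrip(".")


def audit_owner_names(names) -> list:
    """Retroactive audit over previously used validation names: return every
    owner name whose leftmost label lacks the underscore prefix."""
    return [n for n in names if not n.split(".", 1)[0].startswith("_")]


if __name__ == "__main__":
    target = "dcv.example-ca.invalid"
    good = "_k7f2m9q4x1.example.com"
    bad = "k7f2m9q4x1.example.com"
    print("compliant record, strict check:", validate_dcv(CONSTRUCTED_ZONE, good, target))
    print("unprefixed record, strict check:", validate_dcv(CONSTRUCTED_ZONE, bad, target))
    print("unprefixed record, lax check:  ",
          validate_dcv(CONSTRUCTED_ZONE, bad, target, enforce_prefix=False))
    print("non-compliant names in zone:", audit_owner_names(CONSTRUCTED_ZONE))
```

The lax path is the interesting one: the lookup succeeds, the target matches, and nothing in the flow signals that the record was published at a name the Baseline Requirements do not allow. That is why the defect only surfaced when someone looked at the content of the random value rather than whether the workflow completed.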

The Root of the Issue

The issue stems from a series of architectural changes begun in 2019. During that work, the code responsible for adding the underscore prefix was altered: some parts of the new system still included the prefix, while others did not, leaving a gap in which the underscore was neither added automatically nor checked for.

DigiCert acknowledged that this omission slipped through the cracks during cross-functional team reviews and regression testing. The tests were focused on workflows and functionality rather than the specific content or structure of the random value.

“Unfortunately, no reviews were done to compare the legacy random value implementations with those in the new system for every scenario,” DigiCert admitted. “Had we conducted those evaluations, we would have identified the issue earlier.”

Discovery and Impact

The non-compliance came to light only recently, when a customer asked about the random values used in validation. The resulting investigation found that approximately 0.4% of domain validations were affected. According to the Bugzilla incident report, the defect touches 83,267 certificates and 6,807 customers.

In response, DigiCert is urging notified customers to replace their certificates promptly. Customers are advised to log into their DigiCert accounts, generate a Certificate Signing Request (CSR), and reissue their certificates after passing DCV.


Broader Implications and Official Response

The gravity of the situation has caught the attention of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which issued an alert warning of potential disruptions. “Revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure communication,” CISA stated.

The incident shows how much rests on the validation step: a certificate is only as trustworthy as the check that tied it to its domain, and a systematic gap in that check forces mass revocation regardless of whether any certificate was actually misissued to an attacker.

Moving Forward

DigiCert has since reworked its random value generation. On June 11, 2024, as part of a user-experience enhancement project, the company removed the manual step of adding the underscore prefix, which closed the gap. Because the updated process was never compared with the legacy system, however, the validations already performed without the prefix went unnoticed until the customer inquiry described above.

DigiCert's prompt disclosure and notification of affected customers is in line with what the CA ecosystem expects after a validation failure. The incident is still a reminder that a seemingly minor code change in a validation path can invalidate tens of thousands of certificates, and that regression tests need to cover the content of validation artifacts, not only whether the workflow completes.

Conclusion

The revocation of more than 83,000 SSL/TLS certificates by DigiCert shows how far-reaching a small oversight in domain validation can be. As affected customers replace their certificates, the lessons for the rest of the industry are concrete: review refactored validation code against the legacy behaviour it replaces, test the content of validation values and not just the surrounding workflow, and treat Baseline Requirements details such as the underscore prefix as hard requirements rather than conventions.
