Over one million digital certificates have been mis-issued by Google, Apple and GoDaddy after an operational snafu left them non-compliant with industry standards.
Researcher Adam Caudill revealed the issue late last week, claiming that the companies had misconfigured the EJBCA software package used by many Certificate Authorities to generate certs.
In effect, this meant they were generating certificates with serial numbers carrying only 63 bits of randomness, thus failing to meet the minimum of 64 bits set out by the CA/Browser Forum in its Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates.
“When we are talking about numbers this large, it’s easy to think that one bit wouldn’t make much difference, but the difference between 2^64 and 2^63 is substantial — to be specific, 2^63 is off by over nine quintillion or more specifically 9,223,372,036,854,775,808,” explained Caudill.
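The arithmetic in that quote, and the mechanism behind the shortfall, as an added example that is not from the article or from any CA's code: the widely reported cause (stated here as an assumption) is that the default configuration drew 8 random bytes and then cleared the top bit so the DER INTEGER stayed positive, which discards one of the 64 bits. The sample-based check at the end is a constructed audit, useful over serials gathered for a single issuer.

```python
"""63-bit serial pitfall: reproducing it, the compliant alternative, and a check."""
import secrets

# 2**64 - 2**63: the gap quoted in the article.
LOST_SPACE = 2**64 - 2**63  # 9,223,372,036,854,775,808


def misconfigured_serial() -> int:
    """Assumed mechanism: 8 random bytes, top bit masked off to keep the
    integer positive. Only 63 random bits survive, so 0 <= serial < 2**63."""
    raw = int.from_bytes(secrets.token_bytes(8), "big")
    return raw & ((1 << 63) - 1)


def compliant_serial(entropy_bits: int = 64) -> int:
    """Keep every one of entropy_bits random bits and guarantee positivity by
    setting a fixed leading bit above them. Fits in 9 octets, well under the
    20-octet ceiling for serial numbers."""
    return (1 << entropy_bits) | secrets.randbits(entropy_bits)


def entropy_bits(width_bits: int, positive_mask: bool) -> int:
    """Effective random bits for a scheme that draws width_bits and then
    clears the top bit (positive_mask=True) to force a positive integer."""
    return width_bits - 1 if positive_mask else width_bits


def high_bit_always_clear(serials, width_bits: int = 64) -> bool:
    """Audit a sample of serials from one CA. If the top bit of a width_bits
    scheme is never set, masking is almost certainly in play: a genuinely
    random sample of n serials leaves it clear with probability 2**-n."""
    return all(not (s >> (width_bits - 1)) & 1 for s in serials)


def max_serial_bit_length(serials) -> int:
    """Largest bit length seen in the sample; 63 across many serials from an
    8-byte scheme is the tell-tale sign of the misconfiguration."""
    return max(s.bit_length() for s in serials)
```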
The good news is that the mis-issued certificates are said to present no security risk today, and Google at least has revoked most (95%) of its batch within the required five-day period.
Apple and GoDaddy will require longer; in GoDaddy's case, up to 30 days.
“Without robust automation, changing certificates can be complex and time-consuming, leaving the CA to choose between complying with requirements or impacting their customers,” Caudill argued.
“It’s also not clear how many other CAs may be impacted by this issue; while a few have come forward, I would be shocked if this is the full list. This is likely an issue that will live on for some time.”
Kevin Bocek, VP of security strategy and threat intelligence at Venafi, argued that there is a much broader lack of visibility into certificate issuance, and that this is threatening internet security.
“The reality is that the vast majority of organizations lack even the most basic intelligence about where they are using machine identities. Replacing a single digital certificate can take hours and most firms don’t have automated processes in place to replace large numbers of them when problems like this occur,” he said.
“As a result, many businesses are going to feel a lot of pain. Even worse, if the replacement process isn’t completed by experts it’s very error prone, and the ‘cure’ can introduce new vulnerabilities or cause business systems to fail. This is a huge third-party risk that CISOs and board members don’t understand.”