A revocation issue at certificate provider GlobalSign late last week caused chaos in many corners of the internet as some of the world’s most popular websites were rendered inaccessible because visitors’ browsers labelled them insecure.
The problem began when GlobalSign removed a cross-certificate linking two of its roots. Once that removal was reflected in OCSP responses, some browsers inferred that the intermediates issued under the cross-signed root had been revoked as well, which was not the case.
It explained further in a statement:
“CRL responses had been operational for one week; however, an unexpected consequence of providing OCSP responses became apparent this morning, in that some browsers incorrectly inferred that the cross-signed root had revoked intermediates, which was not the case.
GlobalSign has since removed the cross-certificate from the OCSP database and cleared all caches. However, the global nature of CDNs and effectiveness of caching continued to push some of those responses out as far as end users. End users cannot always easily clear their caches, either through lack of knowledge or lack of permission.”
The firm said the cached responses would expire by Monday, which should resolve the problem for the remaining affected users.
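The mechanism the statement describes can be made concrete with a small model. The block below is an added illustration, not GlobalSign's code or any browser's actual validation logic: it uses hypothetical certificate names (OldRoot, NewRoot, Intermediate, www.example.test), assumes a 72-hour cache lifetime for OCSP responses, treats a serial that is no longer in the responder's database as "unknown" (which a client does not count as revoked), and models the faulty inference in a simplified way, as "a revoked certificate naming the issuer as subject revokes everything that issuer signed".

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # holder's name
    issuer: str    # signer's name (equal to subject for a self-signed root)
    serial: int    # OCSP identifies a certificate by (issuer, serial)
    key_id: str    # identifies the subject's public key

    def is_self_signed(self):
        return self.subject == self.issuer


@dataclass
class OCSPResponse:
    status: str        # "good", "revoked" or "unknown"
    this_update: int   # hour the responder produced it
    next_update: int   # hour until which browsers and CDNs may cache it


# Constructed PKI (hypothetical names) shaped like the incident: NewRoot is a
# trust anchor in modern clients and is also cross-signed by OldRoot.
OLD_ROOT = Cert("OldRoot", "OldRoot", 1, "k-old")
NEW_ROOT = Cert("NewRoot", "NewRoot", 2, "k-new")
CROSS = Cert("NewRoot", "OldRoot", 3, "k-new")            # the cross-certificate
INTERMEDIATE = Cert("Intermediate", "NewRoot", 4, "k-int")
LEAF = Cert("www.example.test", "Intermediate", 5, "k-leaf")
POOL = [OLD_ROOT, NEW_ROOT, CROSS, INTERMEDIATE, LEAF]
CACHE_HOURS = 72   # assumed cache lifetime (next_update - this_update)


def build_paths(leaf, pool, anchors):
    """Every chain from leaf up to a trust anchor.  Several certificates can
    carry the same subject name, which is exactly what a cross-cert does."""
    paths = []

    def walk(chain):
        top = chain[-1]
        if top in anchors:
            paths.append(chain)
            return
        for cand in pool:
            if cand.subject != top.issuer or cand in chain:
                continue
            if cand.is_self_signed() and cand not in anchors:
                continue          # an untrusted self-signed root ends nothing
            walk(chain + [cand])

    walk([leaf])
    return paths


def status_at(responder, cache, cert, now):
    """Status a client sees: a cached response is reused until next_update, so a
    correction at the responder is invisible to that client until then."""
    key = (cert.issuer, cert.serial)
    cached = cache.get(key)
    if cached is not None and now < cached.next_update:
        return cached.status
    fresh = responder.get(key) or OCSPResponse("unknown", now, now + CACHE_HOURS)
    cache[key] = fresh
    return fresh.status


def validate(path, responder, cache, now, propagate=False):
    """'revoked' if any certificate below the anchor is revoked.  With
    propagate=True the function reproduces the faulty inference in the
    statement (a simplified model, not any browser's real logic): a revoked
    certificate whose subject is cert's issuer is taken to revoke everything
    that issuer signed, so the revoked cross-cert sinks the intermediate even
    though the cross-cert is not on this client's path at all."""
    for cert in path[:-1]:
        if status_at(responder, cache, cert, now) == "revoked":
            return "revoked"
        if propagate:
            for other in POOL:
                if other.subject == cert.issuer and \
                        status_at(responder, cache, other, now) == "revoked":
                    return "revoked"
    return "good"


def run_incident():
    """Replay the timeline and return the outcomes (hours are relative)."""
    responder = {(c.issuer, c.serial): OCSPResponse("good", 0, CACHE_HOURS)
                 for c in POOL if not c.is_self_signed()}
    responder[(CROSS.issuer, CROSS.serial)] = OCSPResponse("revoked", 0, CACHE_HOURS)
    cache = {}                                          # one shared CDN/browser cache
    modern = build_paths(LEAF, POOL, {NEW_ROOT})[0]     # trusts NewRoot directly
    legacy = build_paths(LEAF, POOL, {OLD_ROOT})[0]     # trusts only OldRoot
    out = {"modern_path": [c.serial for c in modern],
           "legacy_path": [c.serial for c in legacy]}
    # Hour 1: the cross-cert is revoked in OCSP and responses enter the cache.
    out["modern_correct"] = validate(modern, responder, cache, now=1)
    out["modern_faulty"] = validate(modern, responder, cache, now=1, propagate=True)
    # A client that trusts only OldRoot has no path without the cross-cert.
    out["legacy_correct"] = validate(legacy, responder, cache, now=1)
    # Hour 2: the cross-cert entry is removed from the OCSP database ...
    del responder[(CROSS.issuer, CROSS.serial)]
    # ... but the cached "revoked" answer keeps being served until it expires.
    out["modern_faulty_after_fix"] = validate(modern, responder, cache, now=10, propagate=True)
    out["modern_faulty_after_expiry"] = validate(modern, responder, cache, now=80, propagate=True)
    return out


if __name__ == "__main__":
    for name, value in run_incident().items():
        print(f"{name:28} {value}")
```

Run as a script, the model shows the three things the statement asserts: a client that trusts the new root directly builds a path that never includes the cross-certificate, so correct validation is unaffected by its revocation; the faulty inference rejects the intermediate anyway; and removing the entry at the responder changes nothing for a client until the cached response's next_update passes, which is why the fix was expected to take until the caches expired.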
However, the incident – which is said to have affected sites including The Guardian, Dropbox and the FT – could have cost customers millions in revenue losses, according to Venafi chief cybersecurity strategist, Kevin Bocek.
“It’s hard to know how many companies have been impacted, but with GlobalSign boasting over 25 million certificates rely on the public trust of the GlobalSign root CA certificate, the impact is undoubtedly huge. The reality is that failures like this and breaches involving certificates are becoming more frequent – not surprising, since the world is becoming encrypted,” he argued.
“The impact though is completely unacceptable – you can’t have your site being untrusted or taken offline for days on end. Businesses must have an automated back-up plan – they cannot be at the mercy of any one CA. These types of issues will continue to happen but when they do, firms need to be able to take control and immediately and automatically change out affected certificates.”