A look at DigiCert’s recent action
In the realm of internet security, digital certificates play a crucial role in ensuring secure communication between users and websites. However, when these certificates are compromised or issued incorrectly, they must be revoked to maintain trust. Recently, DigiCert, one of the leading Certificate Authorities (CAs), had to revoke over 83,000 SSL/TLS certificates due to a validation oversight. This blog post explores the complexities of certificate revocation, why DigiCert took this action, and the broader implications for internet security.
What led to DigiCert’s mass revocation?
On August 3, 2024, DigiCert announced the revocation of 83,267 SSL/TLS certificates across 6,807 customers. The reason? A minor but critical oversight in the Domain Control Validation (DCV) process. DCV is a method used by CAs to verify that the entity requesting a certificate actually controls the domain in question. One common way to perform this validation is by requiring the domain owner to add a specific DNS CNAME record that the CA can then check.
The issue arose because, in some CNAME-based validations, DigiCert omitted the mandatory underscore prefix from the DNS label that carried the random value. While this might seem like a trivial error, it had the potential to cause serious problems: the underscore is what keeps the validation label from being a syntactically valid host name. Without it, there was a risk of collision with legitimate subdomains, potentially allowing unauthorized entities to obtain certificates for domains they did not control.
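To make the underscore requirement concrete, here is an added Python example (not DigiCert's code or any CA's production validator) that models a CNAME-based DCV check against a constructed toy DNS zone. The zone, the random value a1b2c3, the target name dcv.ca.example and the validation records are all made up for the example. It shows why the underscore matters (a label starting with "_" can never be a host name, so no real subdomain can occupy it), refuses to validate a challenge published under an underscore-less label, and includes the kind of audit a CA would run over its stored validation records to find the validations, and thus the certificates, affected by such an oversight.

```python
import re
import secrets

# Host-name labels (RFC 1123 syntax) may contain only letters, digits and
# hyphens, so a label that begins with "_" can never be the name of a real host.
HOST_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

# Constructed toy zone for example.com: owner name -> (record type, value).
# The compliant challenge record sits under an underscore label; the second
# CNAME shows the underscore-less form, which is syntactically a host name.
ZONE = {
    "www.example.com": ("A", "192.0.2.10"),
    "_a1b2c3.example.com": ("CNAME", "dcv.ca.example."),
    "a1b2c3.example.com": ("CNAME", "dcv.ca.example."),
}

# Constructed validation records, as a CA (or an auditor of its validations)
# would keep them: which owner name was checked for which domain.
RECORDS = [
    {"domain": "example.com", "owner_name": "_a1b2c3.example.com"},
    {"domain": "example.com", "owner_name": "a1b2c3.example.com"},
]


def new_random_value(nbytes=16):
    """Random value the CA hands the applicant to publish in DNS."""
    return secrets.token_hex(nbytes)


def challenge_owner_name(domain, random_value, prefix="_"):
    """Owner name of the CNAME record the applicant must publish.
    prefix="_" is the required form; prefix="" reproduces the oversight."""
    return f"{prefix}{random_value}.{domain}".lower()


def is_compliant_owner_name(owner_name):
    """True when the first label starts with '_', i.e. the random value lives
    under a label that is not, and cannot become, a host name."""
    return owner_name.split(".", 1)[0].startswith("_")


def could_be_host(owner_name):
    """True when the first label is a valid host label, meaning an ordinary
    subdomain (a customer site, a test host) could legitimately occupy it."""
    return HOST_LABEL.match(owner_name.split(".", 1)[0]) is not None


def lookup_cname(zone, owner_name):
    """Stand-in for a DNS CNAME query against the dict-based toy zone."""
    record = zone.get(owner_name.lower())
    return record[1] if record and record[0] == "CNAME" else None


def validate_cname_dcv(zone, owner_name, ca_target):
    """One CNAME-based DCV check; returns (passed, reason).
    The owner-name form is checked before DNS is consulted, so a record that
    was published under a host-name-shaped label is never accepted."""
    if not is_compliant_owner_name(owner_name):
        return False, "challenge label lacks the required underscore prefix"
    target = lookup_cname(zone, owner_name)
    if target is None:
        return False, f"no CNAME record at {owner_name}"
    if target.rstrip(".").lower() != ca_target.rstrip(".").lower():
        return False, "CNAME target does not match the CA-supplied value"
    return True, "domain control demonstrated"


def audit_validation_records(records):
    """Return the validation records that used an underscore-less owner name;
    certificates issued on those validations need re-validation and replacement."""
    return [r for r in records if not is_compliant_owner_name(r["owner_name"])]


if __name__ == "__main__":
    rv = new_random_value()
    print("compliant owner name :", challenge_owner_name("example.com", rv))
    print("non-compliant form   :", challenge_owner_name("example.com", rv, prefix=""))
    for owner in ("_a1b2c3.example.com", "a1b2c3.example.com", "_missing.example.com"):
        print(owner, "->", validate_cname_dcv(ZONE, owner, "dcv.ca.example."))
    print("records needing re-validation:", audit_validation_records(RECORDS))
```

The validator rejects the underscore-less owner name before it ever queries DNS; in the real incident the check had been run against such names, which is why the audit step, not the validator, is what finds the affected certificates.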
Despite the seemingly low risk, DigiCert took immediate action to revoke the affected certificates, demonstrating their commitment to the strict standards set by the CA/Browser Forum, the governing body for certificate authorities.
The challenges of certificate revocation
Certificate revocation is a critical aspect of maintaining trust on the internet, but it is also one of the most challenging. When a certificate is revoked, browsers and other software are supposed to check the revocation status before establishing a secure connection. However, in practice, this system often fails.
Many web browsers do not perform real-time checks to see if a certificate has been revoked, primarily due to concerns about performance and reliability. This means that even if a certificate is revoked, users may still be able to connect to the affected site without any warnings, undermining the entire purpose of revocation.
Additionally, revoking and replacing thousands of certificates, as DigiCert did, can cause significant disruptions to the services relying on them. Websites, applications, and services must all update their certificates to maintain secure connections, a process that can be time-consuming and error-prone.
The industry’s response and best practices
DigiCert’s swift response to the validation error highlights the importance of adhering to best practices in certificate management. In contrast to some other CAs that have been less diligent in enforcing revocation rules, DigiCert’s actions set a positive example for the industry.
However, the incident also underscores the need for improvements in how revocation is handled across the board. One potential solution is the increased adoption of short-lived certificates, such as those issued by Let’s Encrypt, which are valid for just 90 days. This reduces the window of vulnerability if a certificate needs to be revoked, as it will expire relatively quickly on its own.
For businesses and individuals relying on SSL/TLS certificates, it’s crucial to stay vigilant and proactive in managing their certificates. This includes regularly monitoring for updates from your CA, promptly replacing revoked certificates, and understanding the limitations of the current revocation system.
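The two points above, that short-lived certificates shrink the window in which a revoked-but-unchecked certificate is still trusted, and that operators need to track CA notices and replace revoked certificates promptly, can be put into one small triage script. The following Python is an added example, not code from DigiCert, Let's Encrypt or the original post; the inventory, serial numbers, dates and the revocation notice are all constructed for the example, with a 398-day and a 90-day certificate side by side so the difference in residual exposure is visible.

```python
from datetime import datetime, timedelta, timezone


def utc(year, month, day):
    """Helper for tz-aware UTC timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed certificate inventory, as a certificate-management tool might hold it.
# Serial numbers, names and dates are made up for the example.
INVENTORY = [
    {"serial": "01", "cn": "www.example.com", "issuer": "DigiCert",
     "not_before": utc(2024, 1, 10), "not_after": utc(2025, 2, 11)},   # 398-day cert
    {"serial": "02", "cn": "api.example.com", "issuer": "Let's Encrypt",
     "not_before": utc(2024, 7, 1), "not_after": utc(2024, 9, 29)},    # 90-day cert
    {"serial": "03", "cn": "mail.example.com", "issuer": "DigiCert",
     "not_before": utc(2023, 9, 1), "not_after": utc(2024, 8, 20)},
]

# Constructed revocation notice from the CA: serial -> revocation time.
REVOKED = {"01": utc(2024, 8, 3), "02": utc(2024, 8, 3)}

# The moment the triage is run (constructed).
EXAMPLE_NOW = utc(2024, 8, 5)

PRIORITY = {"REPLACE_NOW": 0, "EXPIRED": 1, "RENEW_SOON": 2, "OK": 3}


def validity_days(cert):
    """Length of the certificate's validity period in days."""
    return (cert["not_after"] - cert["not_before"]).days


def residual_exposure_days(cert, revoked_at):
    """Days a revoked certificate stays acceptable to a client that never
    checks revocation status: such a client trusts it until notAfter."""
    return max((cert["not_after"] - revoked_at).days, 0)


def triage(inventory, revoked, now, renew_within_days=30):
    """Classify each certificate and attach the number of days that matter
    for it: residual exposure for revoked ones, time left for the rest.
    Returns a list of (cn, status, days) sorted most urgent first."""
    results = []
    for cert in inventory:
        serial = cert["serial"]
        days_left = (cert["not_after"] - now).days
        if serial in revoked:
            results.append((cert["cn"], "REPLACE_NOW",
                            residual_exposure_days(cert, revoked[serial])))
        elif days_left <= 0:
            results.append((cert["cn"], "EXPIRED", 0))
        elif days_left <= renew_within_days:
            results.append((cert["cn"], "RENEW_SOON", days_left))
        else:
            results.append((cert["cn"], "OK", days_left))
    return sorted(results, key=lambda r: (PRIORITY[r[1]], -r[2]))


if __name__ == "__main__":
    for cert in INVENTORY:
        print(f"{cert['cn']:18} validity {validity_days(cert):4d} days")
    for cn, status, days in triage(INVENTORY, REVOKED, EXAMPLE_NOW):
        print(f"{cn:18} {status:12} {days:4d} days")
```

Run against the constructed data, the 398-day certificate revoked on 3 August remains trusted by non-checking clients for 192 more days, the 90-day one for 57; the triage orders the longer exposure first, which is the order a replacement effort should follow.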
Final comments
DigiCert’s recent mass revocation event serves as a reminder of the complexities and importance of certificate management. While the current system for revocation has its flaws, the proactive steps taken by DigiCert demonstrate a commitment to maintaining trust in the digital ecosystem. As the internet continues to evolve, so too must our approaches to security, ensuring that we can protect the integrity of our communications in an increasingly connected world.