DigiCert, a prominent certificate authority, recently identified a non-compliance issue with its DNS-based validation method 7, specifically in the CNAME verification process [1] [2] [3] [4] [5] [6] [7] [8].
Description
This issue, which affected approximately 0.4% of domain validations, resulted in the mis-issuance of certificates and the revocation of 83,267 certificates impacting 6,807 subscribers [1] [4] [7] [8]. The error was traced to a missing underscore prefix in the random values used for verification, which allowed those values to collide with actual subdomains [7]. To address the issue, DigiCert has adjusted its random value generation process to ensure compliance with CABF rules [4] [7]. Customers with critical infrastructure have been granted exceptions to prevent service disruptions, and the revocation deadline has been extended to August 3rd in exceptional cases. Affected customers are advised to replace their certificates by this date to avoid disruptions to their websites, services, and applications [2] [3] [4] [5] [6] [7]. DigiCert is currently investigating the root cause and compiling a list of impacted certificate serial numbers for revocation [8].

Underscore characters should be avoided in hostnames used with CNAME-based validation for DigiCert SSL/TLS certificates, as the relevant RFCs require; the underscore prefix on the random string exists precisely so that the validation label can never be a legitimate hostname [2]. Because DigiCert omitted the underscore at the start of the random string for DNS records, the string could in principle be matched by a subdomain outside the domain owner's control, potentially allowing arbitrary users to manipulate the validation [2]. Some current systems do use DNS names with underscores (records naming a TCP/IP service and port), but it is unlikely that ordinary users can pick their own service name and port for such records [2]. Where that is possible, the existing mechanism, the CAA record, should be used to restrict which CAs may issue certificates for those names, and additional security measures should be put in place to prevent unauthorized certificate issuance [2]. Despite the potential security risks, some websites do have underscores in their domain names, such as those on *.tripod.com subdomains [2].
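As an added illustration (not code from DigiCert or any of the cited sources), the following Python shows why the underscore prefix matters: a validation label that is itself a valid hostname label could coincide with an ordinary subdomain, while an underscore-prefixed label never can. The random values and zone names are constructed for the example.

```python
import re
import secrets

# An LDH hostname label (RFC 952 / RFC 1123): letters, digits and hyphens,
# 1-63 characters, not starting or ending with a hyphen. Underscore is excluded.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname_label(label: str) -> bool:
    """True if the label could be an ordinary host name label."""
    return bool(_LDH_LABEL.match(label))


def make_validation_label(random_value: str, underscore_prefix: bool = True) -> str:
    """Build the leftmost label the CA asks the customer to create a CNAME at.

    With the underscore, the label can never be a legitimate hostname, so it
    cannot collide with an existing or registrable subdomain. Without it (the
    DigiCert defect), the label is a plain hostname label.
    """
    return ("_" if underscore_prefix else "") + random_value


def new_random_value(nbytes: int = 20) -> str:
    """Generate a fresh random value; hex output is all LDH characters."""
    return secrets.token_hex(nbytes)


def collision_risk(label: str) -> bool:
    """True if a validation label could be confused with a real hostname."""
    return is_valid_hostname_label(label)


def audit_validation_labels(labels):
    """Return the labels from a set of validation records that lack the
    underscore protection, i.e. those that are valid hostname labels."""
    return [label for label in labels if collision_risk(label)]


if __name__ == "__main__":
    # Constructed sample: two compliant labels and two non-compliant ones.
    sample = [make_validation_label("a1b2c3"), "d4e5f6", "_" + new_random_value(), "g7h8i9"]
    print("labels at risk of hostname collision:", audit_validation_labels(sample))
```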
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of potential disruptions to websites, services, and applications relying on these certificates for secure communication [2] [3] [4] [5] [6] [7]. DigiCert has revamped its random value generation process to address the issue [4] [7], but customers are advised to monitor communications from the company for updates and recommended mitigation steps [7].
Conclusion
The impact of this non-compliance issue on certificate issuance and revocation has been significant, with measures in place to rectify the situation and prevent future occurrences. Customers are urged to stay informed and take necessary actions to ensure the security and integrity of their online assets.
References
[1] https://cybersecuritynews.com/digicert-to-revoke-thousands-of-certificates/
[2] https://news.ycombinator.com/item?id=41104504
[3] https://www.cisa.gov/news-events/alerts/2024/07/30/digicert-certificate-revocations
[4] https://thehackernews.com/2024/07/digicert-to-revoke-83000-ssl.html
[5] https://heimdalsecurity.com/blog/digicert-revokes-certificates/
[6] https://www.csoonline.com/article/3479958/digicert-validation-bug-sets-up-83267-ssl-certs-for-revoking.html
[7] https://rhyno.io/blogs/cybersecurity-news/digicert-to-revoke-more-than-85k-ssl-tls-certificates/
[8] https://bugzilla.mozilla.org/show_bug.cgi?id=1910322