DigiCert has issued a warning, stating that it will probably conduct a large-scale revocation of SSL/TLS certificates due to a bug in its verification process for domain ownership, and is requiring affected customers to reissue their certificates within the next 24 hours.
The exact number of revocations is unknown, but the company notes that approximately 0.4% of its valid certificates issued between August 2019 and June 2024 will be affected.
DigiCert is a prominent certificate authority, offering a range of SSL/TLS certificates, including Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV) options.
These digital certificates enable secure communication by encrypting data exchanged between a user and a website or application, thereby safeguarding against unauthorized eavesdropping and potential man-in-the-middle attacks.
Before issuing certificates for a website, a certificate authority must conduct Domain Control Validation (DCV) to validate that the applicant possesses domain name control and ownership.
One common way to verify domain ownership is for the applicant to place a random value supplied by the CA in a DNS CNAME record under the domain; the CA then performs a DNS lookup to confirm that the value it finds matches the one it generated.
Policy requires that this random value be prefixed with an underscore so that it is clearly separated from the domain's real labels. Without the underscore, the risk of a collision exists, because the verification subdomain could coincide with an existing subdomain of the site.
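To make the underscore rule concrete, here is an added example (not DigiCert's code) that builds the CNAME-based DCV record name described above and audits existing names for the defect in this incident. It assumes the random value is base32-encoded and uses the 150-bit entropy floor the article cites.

```python
import base64
import re
import secrets

# Added example, not DigiCert's code. Assumptions: base32-encoded random value,
# and the 150-bit entropy floor quoted in the article.
MIN_ENTROPY_BITS = 150
# RFC 1123 hostname label: letters, digits, hyphens; no underscore. Anything that
# matches this could legitimately exist as a real subdomain, which is the collision.
HOSTNAME_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def new_random_value(entropy_bits: int = MIN_ENTROPY_BITS) -> str:
    """Return a lowercase base32 token carrying at least entropy_bits of entropy."""
    nbytes = (entropy_bits + 7) // 8  # 150 bits -> 19 bytes -> 31 base32 chars
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=").lower()


def validation_name(domain: str, random_value: str, underscore: bool = True) -> str:
    """Name the applicant must create as a CNAME; underscore=False reproduces the bug."""
    return f"{'_' if underscore else ''}{random_value}.{domain}".lower()


def audit_validation_name(name: str, domain: str) -> list[str]:
    """Return compliance findings for a DCV record name (empty list means it is fine)."""
    findings = []
    name, domain = name.lower(), domain.lower()
    if not name.endswith("." + domain):
        return ["record name is not under the validated domain"]
    label = name[: -(len(domain) + 1)]
    if "." in label:
        findings.append("random value must be a single label")
    if not label.startswith("_"):
        findings.append("missing '_' prefix")
    if HOSTNAME_LABEL.match(label):
        findings.append("label is a valid hostname and may collide with a real subdomain")
    value = label.lstrip("_")
    if len(value) * 5 < MIN_ENTROPY_BITS:  # base32 carries 5 bits per character
        findings.append(f"random value carries fewer than {MIN_ENTROPY_BITS} bits")
    return findings


if __name__ == "__main__":
    value = new_random_value()
    print(audit_validation_name(validation_name("example.com", value), "example.com"))
    print(audit_validation_name(validation_name("example.com", value, underscore=False), "example.com"))
```

Running the script prints an empty finding list for the compliant name and two findings (missing prefix, possible collision) for the name built the way the buggy code path did.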
Recently, we’ve come to recognize a critical oversight: our failure to incorporate the underscore prefix when applying random values in certain CNAME-based validation scenarios.
This affected approximately 0.4 percent of our domain validation processes, a relatively small proportion overall. Under CABF rules, certificates whose domain validation was affected must be revoked within 24 hours, without exception.
A five-year bug
DigiCert attributes the root cause of the issue to a system replacement in August 2019, which inadvertently eliminated automatic underscore insertion in certain validation pathways.
Between August 2019 and June 2024, the change passed through several reviews without anyone noticing the oversight; as a result, certain validation processes took place without the required underscore prefix throughout that period.
On June 11, 2024, a user experience enhancement project fixed the issue without anyone realizing it was there, by simplifying the random value generation process.
On July 29, DigiCert discovered an unexpected issue with a limited number of certificates, which was uncovered while examining a separate report related to the generation of random values and underscores.
“According to DigiCert, failing to include an underscore in the domain name is considered a security risk due to the possibility of a collision between a domain and the verification subdomain, potentially leading to unintended consequences.”
While the likelihood of a collision remains extremely low due to the randomly generated value’s minimum of 150 bits of entropy, there still exists a possibility.
DigiCert has taken proactive measures to prevent similar incidents from recurring:
- Consolidated and reviewed all random value generators.
- Simplified the user experience so that manual entry and underscores are no longer required.
- Integrated compliance personnel into iterative development cycles.
- Implemented enhanced safeguards to guarantee adherence to regulatory requirements and standards.
- Plans are underway to open-source DCV for community review by November 1st, 2024.
To mitigate potential disruptions, affected users are required to access their existing DigiCert CertCentral accounts and promptly initiate the necessary certificate updates.
They must then generate a fresh Certificate Signing Request (CSR) for the domain, which requires DigiCert to perform Domain Control Validation again.
Once the certificate request is processed and a DCV (Domain Control Validation) confirmation is received, organizations can use the CertCentral portal to reissue certificates as needed and deploy them on their servers seamlessly.
DigiCert warns that it will revoke affected certificates within the 24-hour timeframe. If reissuance is delayed beyond that point, the website or service may suffer a period of downtime, potentially causing inconvenience and lost business.
BleepingComputer reached out to DigiCert for clarification on the scope of affected certificates, but remains in limbo, awaiting a response from the company.