Online firms are being urged to put automated backup systems in place after an error by the GlobalSign security certificate authority (CA) made customer sites inaccessible.
An unknown number of sites became inaccessible after a cross-certificate was revoked in error during a planned maintenance exercise to clean up some of the CA's root certificate links.
According to GlobalSign, a cross-certificate allows a certificate to chain to an alternate root, but when one was revoked, “some web browsers incorrectly inferred that the cross-signed root had revoked intermediates, which was not the case,” the CA said in a statement on its customer support site.
This meant that websites were labelled as “insecure” by web browsers, preventing access for security reasons.
Education software developer Edsby said its website was affected, along with other sites such as the Financial Times, Guardian, Wikipedia, Logmein and Dropbox.
GlobalSign responded by removing the affected cross-certificate and clearing its caches, but the CA’s customers still had to replace their SSL certificates to restore access to their sites.
However, the CA said the “global nature of CDN [content delivery networks] and the effectiveness of caching” resulted in some corrupt certificates reaching user systems.
Users who do not clear their caches will have to wait four days for the problem to correct itself, but GlobalSign said it will provide an alternative issuing CA for customers to use in the interim.
“It’s hard to know how many companies have been affected, but with GlobalSign boasting that more than 25 million certificates rely on the public trust of the GlobalSign root CA certificate, the impact is undoubtedly huge,” said Kevin Bocek, chief cyber security strategist at Venafi.
“The reality is that failures such as this and breaches involving certificates are becoming more frequent – not surprising, since the world is becoming encrypted. The impact though is completely unacceptable – you can’t have your site being untrusted or taken offline for days on end,” he said.
Revenue loss and reputational damage for the businesses affected will run into the millions of dollars, said Bocek.
“Businesses must have an automated back-up plan – they cannot be at the mercy of any one CA. These types of issues will continue to happen but, when they do, firms need to be able to take control and immediately and automatically change out affected certificates,” he said.