The DigiCert drama has escalated, with new information revealing the extensive impact of the company’s SSL/TLS certificate revocation sweep. Jeremy Rowley, DigiCert’s CISO, has confirmed that tens of thousands of customers are affected, with some warning that the short notice could have significant real-world implications and disrupt critical services.
The Root of the Problem
On July 29, DigiCert announced that due to a five-year-old programming flaw in its systems, some customers had just 24 hours to replace their previously issued security certificates. The issue stems from broken domain ownership validation, involving random numbers and underscores, which resulted in a selection of issued certificates being deemed untrustworthy.
According to DigiCert, approximately 0.4 percent of the applicable domain validations were affected. While this percentage may seem small, it translates to many certificates and customers.
Scale of the Impact
A Mozilla Bugzilla post shed light on the true scale of the problem. Rowley stated, “We have identified 83,267 certs impacting 6,807 subscribers. We are planning to begin revoking within the 24-hour time window.”
However, many customers have expressed concerns about the rapid turnaround time, with some even filing lawsuits to block the certificate revocation.
Critical Infrastructure at Risk
Rowley acknowledged the challenges faced by many organizations:
“Unfortunately, many other customers operating critical infrastructure, vital telecommunications networks, cloud services, and healthcare industries cannot be revoked without critical service interruptions. While we have deployed automation with several willing customers, the reality is that many large organizations cannot reissue and deploy new certificates everywhere in time.”
Industry Discussions and Exceptional Circumstances
The incident has sparked discussions about the practicality of the 24-hour revocation requirements set by the CA/Browser Forum. DigiCert is actively participating in these conversations and seeking feedback from root stores about potential “exceptional circumstances” that might allow for delayed revocation.
Extended Deadlines and Customer Communication
In response to customer concerns, DigiCert has offered some flexibility for those facing exceptional circumstances. An email sent to affected customers outlined the process for requesting additional time:
- Customers needed to email the company by July 31, 2024, at 1930 UTC.
- They were required to provide a detailed explanation of their circumstances.
- Even with approved delays, all affected certificates will be revoked no later than August 3, 2024, at 1930 UTC.
Real-World Impact on Organizations
One affected customer, who wished to remain anonymous, shared their experience with The Register:
“They told us via email on Monday, July 29 that we had until July 30 to swap out all the certificates before they were revoked. It took 15 people 20 hours to touch everything. Good thing we noticed the email right away or it would have crushed us.”
The customer emphasized that for some organizations, including theirs, revoking certificates with such short notice can pose risks to life and safety systems. They argued that not every certificate update can be automated, and not all organizations can manually replace their certificates within 24 hours.
Calls for Flexibility in Certificate Management
The incident has highlighted the need for a more nuanced approach to certificate management and revocation. The affected customer suggested:
“Each incident of this scale should be evaluated on a case-by-case basis, rather than adhering to the one-size-fits-all 24-hour mandate set by the CA/Browser Forum.”
As thousands of organizations scramble to adhere to the 24-hour rule and ensure secure internet communications, this incident is likely to fuel further discussions about certificate management practices and industry standards.
