Summary: DigiCert is set to mass-revoke SSL/TLS certificates due to a bug in domain verification, affecting approximately 0.4% of validations conducted since August 2019. Customers are required to reissue their certificates within 24 hours to avoid service disruption.
Threat Actor: DigiCert
Victim: Affected Customers
Key Points:
- DigiCert’s verification bug stemmed from a system update in August 2019 that omitted an underscore in domain validation.
- The oversight affects 83,267 certificates and 6,807 customers, necessitating urgent reissuance to maintain service continuity.
- To prevent future incidents, DigiCert has implemented several corrective measures, including embedding compliance team members in development processes.
DigiCert is warning that it will be mass-revoking SSL/TLS certificates due to a bug in how the company verified if a customer owned or operated a domain and requires impacted customers to reissue certificates within 24 hours.
It is unclear how many certificates will be revoked during this process, but the company says it affects approximately 0.4% of the applicable domain validations they have conducted between August 2019 and June 2024.
DigiCert is one of the prominent certificate authorities (CAs) that provides SSL/TLS certificates, including Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV) certificates.
These certificates are used to encrypt communication between a user and a website or application, increasing security against malicious network monitoring and man-in-the-middle attacks.
When issuing a certificate for a domain, a certificate authority must first perform Domain Control Verification (DCV) to confirm that the customer owns the domain.
One of the methods used to validate domain ownership is to have the customer add a string with a random value to a DNS CNAME record for the domain named in the certificate request; the CA then performs a DNS lookup for the domain to ensure the random values match.
Per the CA/Browser Forum (CABF) baseline requirements, the random value should be prefixed with an underscore where it is placed in front of the domain name. Otherwise, there’s a risk of collision between a domain and a subdomain used for verification.
“Recently, we learned that we did not include the underscore prefix with the random value used in some CNAME-based validation cases,” explains DigiCert in the announcement.
“This impacted approximately 0.4% of the applicable domain validations we have in effect. Under strict CABF rules, certificates with an issue in their domain validation must be revoked within 24 hours, without exception.”
A five-year bug
DigiCert says the root cause was a system update in August 2019 that led to removing automatic underscore addition in some validation paths.
That oversight wasn’t caught until recently, so between August 2019 and June 2024, some validations were conducted without the underscore prefix.
On June 11, 2024, a user-experience enhancement project fixed the still undiscovered issue by consolidating the random value generation process.
Eventually, on July 29, DigiCert discovered the lack of the underscore on a small percentage of certificates while investigating a separate report about the generation of random values.
“Failing to include the underscore is considered a security risk because there is potential for a collision between an actual domain and the subdomain used for verification,” explained DigiCert.
“Although the chance of a collision is extremely low because the random value has at least 150 bits of entropy, there is still a chance.”
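The collision risk described above can be checked mechanically. The following is an added example, not DigiCert's code or part of the original article: it classifies a validation record name by whether its leading label could also be an ordinary hostname under the RFC 1123 letter-digit-hyphen rule, which an underscore-prefixed label can never satisfy. The `<random>.<domain>` record layout, the function names and the `example.com` sample are assumptions made for illustration.

```python
import re
import secrets

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen.
HOST_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_hostname_label(label: str) -> bool:
    """True if the label could be a normal hostname, i.e. a real subdomain."""
    return HOST_LABEL.fullmatch(label) is not None


def dcv_record_name(random_value: str, domain: str, underscore: bool = True) -> str:
    """Build the CNAME owner name for validation (assumed layout, hypothetical helper)."""
    prefix = "_" if underscore else ""
    return f"{prefix}{random_value}.{domain.rstrip('.')}"


def audit_dcv_name(record_name: str, domain: str) -> str:
    """Classify a validation record name as 'ok', 'collidable' or 'invalid'."""
    domain = domain.rstrip(".").lower()
    name = record_name.rstrip(".").lower()
    if not name.endswith("." + domain):
        return "invalid"        # not under the domain being validated
    label = name[: -len(domain) - 1]
    if not label or "." in label or len(label) > 63:
        return "invalid"        # this sketch expects exactly one extra DNS label
    if label.startswith("_") and is_hostname_label(label[1:]):
        return "ok"             # underscore label cannot be an ordinary hostname
    if is_hostname_label(label):
        return "collidable"     # same shape as a subdomain someone could hold
    return "invalid"


if __name__ == "__main__":
    rv = secrets.token_hex(20)  # constructed sample value: 160 random bits
    for flag in (True, False):
        name = dcv_record_name(rv, "example.com", underscore=flag)
        print(f"{name:58} {audit_dcv_name(name, 'example.com')}")
```

Running the script prints one record name with the underscore prefix and one without, showing that only the second has the shape of a hostname that could exist independently of the validation.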
DigiCert has taken the following actions to prevent similar incidents from recurring:
- Reviewed and consolidated all random value generators.
- Simplified the user experience to eliminate the need for manual underscore addition.
- Embedded compliance team members in development sprints.
- Expanded test coverage for compliance-based scenarios.
- Plans to open-source DCV for community review by November 1, 2024.
Customers must now log in to their DigiCert CertCentral account to identify impacted certificates.
They are then required to generate a new Certificate Signing Request (CSR) for the domain, prompting DigiCert to perform another Domain Control Verification.
Once the certificate request has passed the DCV, customers can reissue certificates through the CertCentral portal and install them on their servers.
It should be noted that DigiCert will be revoking impacted certificates within 24 hours. If the process is not completed before then, it will lead to a loss of connectivity for the website or application.
BleepingComputer contacted DigiCert to ask how many certificates were impacted but has not received a response yet.
Update 7/31 – According to an update on the related Bugzilla report, the incident impacts 83,267 certificates and 6,807 customers.