Telekom Security: Revocation delay for TLS certificates
Telekom Security reported a delayed revocation of 336 TLS certificates whose basicConstraints extension was present but not marked as critical. Customers were asked to replace the affected certificates so that they could be revoked within the 5-day window, but not all of them managed to do so. Lessons included the need for customer sensitization and for faster certificate replacement procedures, with automation via protocols such as ACME considered for future issuance. Stakeholders questioned the delay; Telekom Security defended its decision on the grounds of low security risk and the potential impact on critical infrastructures. The incident underscores the difficulty CAs face in revoking on time and the importance of continuous improvement to meet industry standards and keep trust.
Telekom Security faced a revocation delay for TLS certificates whose basicConstraints extension was not marked as critical, affecting 336 certificates. The delay stemmed from enterprise customers using these certificates in critical infrastructures. Despite efforts to prompt customers to replace the affected certificates so that they could be revoked within 5 days, not all were able to do so because of the complexity of their infrastructures. Telekom Security contacted customers through emails, phone calls and video conferences to drive replacement. Lessons learned included the need for customer sensitization and for preparation of faster certificate replacement procedures. Automation via protocols such as ACME was considered for future issuance processes. While some stakeholders questioned the delay in revocation, Telekom Security defended its decision based on the perceived low security risk and the potential impact on critical infrastructures. The incident highlighted the challenges CAs face in ensuring timely revocation and the importance of continuous improvement to meet industry standards and maintain trust.
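The encoding at the centre of the report, a basicConstraints extension that is present but not marked critical, can be checked mechanically against a certificate inventory. The Go program below is an added example written for this page; it is not Telekom Security's tooling. It builds two constructed, self-signed leaf certificates for the hypothetical name example.test, one with a non-critical basicConstraints extension (the encoding the report describes) and one with the extension marked critical, and lints each by reading the critical flag from the raw extension list. The OID value is from RFC 5280; the names CheckBasicConstraints, makeLeaf and BCReport are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidBasicConstraints is id-ce-basicConstraints (2.5.29.19, RFC 5280 4.2.1.9).
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// BCReport records how a certificate encodes its basicConstraints extension.
type BCReport struct {
	Present  bool // the extension is in the certificate at all
	Critical bool // the extension carries critical=TRUE
	IsCA     bool // the cA field is TRUE
}

// CheckBasicConstraints inspects the raw extension list rather than the parsed
// convenience fields, because only the raw list preserves the critical flag.
func CheckBasicConstraints(cert *x509.Certificate) BCReport {
	var r BCReport
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidBasicConstraints) {
			r.Present = true
			r.Critical = ext.Critical
		}
	}
	r.IsCA = cert.BasicConstraintsValid && cert.IsCA
	return r
}

// CheckDER parses one DER-encoded certificate (e.g. read from a PEM block)
// and lints its basicConstraints encoding.
func CheckDER(der []byte) (BCReport, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return BCReport{}, err
	}
	return CheckBasicConstraints(cert), nil
}

// makeLeaf issues a constructed, self-signed end-entity certificate for
// example.test. With critical=false it injects basicConstraints by hand as a
// non-critical extension whose value is an empty SEQUENCE (so cA defaults to
// FALSE), which is the encoding the incident report describes. With
// critical=true it lets the standard library emit the extension, which Go
// always marks critical.
func makeLeaf(critical bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if critical {
		tmpl.BasicConstraintsValid = true // IsCA stays false: a leaf
	} else {
		tmpl.ExtraExtensions = []pkix.Extension{{
			Id:       oidBasicConstraints,
			Critical: false,
			Value:    []byte{0x30, 0x00}, // DER SEQUENCE {}: cA FALSE, no pathLenConstraint
		}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, critical := range []bool{false, true} {
		cert, err := makeLeaf(critical)
		if err != nil {
			panic(err)
		}
		r := CheckBasicConstraints(cert)
		fmt.Printf("basicConstraints present=%v critical=%v cA=%v\n", r.Present, r.Critical, r.IsCA)
	}
}
```

To audit a real inventory, feed CheckDER the DER of every unexpired certificate (from the issuance database or from CT logs) and flag entries with Present set and Critical unset. The parsed x509.Certificate fields BasicConstraintsValid and IsCA do not record criticality, which is why the raw Extensions slice is consulted.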
Related
Sustaining Digital Certificate Security – Entrust Certificate Distrust
Google's Chrome Security Team distrusts specific Entrust certificates due to reliability concerns. Chrome 127 onwards won't trust certain Entrust TLS server authentication certificates dated after October 31, 2024. Website operators should review certificates for compliance.
Chrome will distrust CA certificates from Entrust later this year
Google will stop trusting Entrust CA certificates from November 1, citing compliance failures. Websites using Entrust certs, like moneygram.com and ey.com, must switch to a new CA to avoid security warnings. Enterprise customers can still trust Entrust.
Entrust certificates will not be trusted in Chrome 127+
The Chrome Root Program Policy is updating trust for Entrust CAs due to compliance issues. Entrust must show improvement to maintain trust. Chrome will oversee changes to safeguard users and the web.
Who Owns Your Wireless Service? Crooks Do. (2019)
Cybercriminals exploit wireless carriers' vulnerabilities, compromising security. Incidents include data breaches and SIM-swapping attacks. Industry lacks control, regulators struggle. Efforts like SHAKEN/STIR in place, but challenges persist. AT&T developing solutions. Lack of privacy laws leaves consumers vulnerable.
Letsencrypt Supports Wildcard Certificates
Let's Encrypt offers free SSL/TLS certificates for secure HTTPS connections, relying on donations. They issue Domain Validation and SAN certificates, recommend reporting malicious activities, and emphasize TLS/SSL security.