Deutsche Telekom issued invalid certificates, hasn't revoked them for 6 months
Telekom Security delayed the revocation of misissued TLS certificates, many of them deployed in critical infrastructures. 336 certificates had to be replaced before they could be revoked, and that did not happen within the 5-day deadline, which highlighted the need for faster replacement procedures and for customer sensitization. Mozilla raised concerns about the response, emphasizing that compliance with industry standards is what keeps a CA trusted.
Telekom Security reported a delay in revoking TLS certificates whose basicConstraints extension had been included without being marked critical. Under section 4.9.1.1 item 12 of the CA/Browser Forum Baseline Requirements, such misissued certificates must be revoked within 5 days; 336 of them were not, because the affected systems belonged to critical infrastructures. Affected customers were contacted for certificate replacement, but the delay stemmed from changes needed in the customers' own infrastructures and from the possible impact on service continuity. Lessons learned included the need to sensitize customers and to speed up replacement procedures; automating issuance (for example via ACME) was discussed to prevent similar incidents. Mozilla raised concerns that the response did not meet expectations for revocation incidents. The root cause analysis highlighted the difficulty of replacing certificates promptly, and the incident prompted discussion of CA responsibilities and of how root programs enforce revocation deadlines. It underscored that timely revocation and compliance with industry standards are what maintain trust in a certificate authority.
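The defect behind this incident is an encoding detail: a leaf certificate may carry the basicConstraints extension, but if it does, the extension must be marked critical. The following Go program is an added example, not code from Telekom Security, crt.sh or the linter the summary refers to. It builds two constructed self-signed test leaves with Go's standard library (one encoding basicConstraints as non-critical, exactly the shape the lint flags, and one with Go's default critical encoding) and runs a small check that classifies a DER certificate as "absent", "critical" or "non-critical"; the same `CheckBasicConstraints` function can be pointed at any DER certificate pulled from a server or from crt.sh.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidBasicConstraints is id-ce-basicConstraints (2.5.29.19).
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// BasicConstraintsStatus describes how a certificate encodes basicConstraints.
type BasicConstraintsStatus int

const (
	BCAbsent      BasicConstraintsStatus = iota // not present (allowed for a leaf)
	BCCritical                                  // present and critical (compliant)
	BCNonCritical                               // present but not critical (the lint finding)
)

func (s BasicConstraintsStatus) String() string {
	switch s {
	case BCCritical:
		return "basicConstraints present, critical (OK)"
	case BCNonCritical:
		return "basicConstraints present, NOT critical (lint error)"
	}
	return "basicConstraints absent (OK for a leaf)"
}

// CheckBasicConstraints parses a DER certificate and reports whether it carries
// basicConstraints and, if so, whether the extension is marked critical.
func CheckBasicConstraints(der []byte) (BasicConstraintsStatus, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return BCAbsent, err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidBasicConstraints) {
			if ext.Critical {
				return BCCritical, nil
			}
			return BCNonCritical, nil
		}
	}
	return BCAbsent, nil
}

// makeLeaf builds a constructed self-signed test leaf (hypothetical name leaf.example).
// With nonCritical=true the basicConstraints extension is hand-encoded as
// non-critical through ExtraExtensions, reproducing the misissued encoding;
// otherwise Go's own encoding, which is always critical, is used.
func makeLeaf(nonCritical bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "leaf.example"},
		DNSNames:     []string{"leaf.example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if nonCritical {
		// BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
		// An empty SEQUENCE (30 00) therefore encodes cA=FALSE, i.e. a leaf.
		// Go skips its own basicConstraints when ExtraExtensions already has the OID.
		tmpl.ExtraExtensions = []pkix.Extension{{
			Id:       oidBasicConstraints,
			Critical: false,
			Value:    []byte{0x30, 0x00},
		}}
	} else {
		tmpl.BasicConstraintsValid = true
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	for _, nc := range []bool{false, true} {
		der, err := makeLeaf(nc)
		if err != nil {
			panic(err)
		}
		status, err := CheckBasicConstraints(der)
		if err != nil {
			panic(err)
		}
		fmt.Printf("nonCritical=%v -> %v\n", nc, status)
	}
}
```

Running the check across a CA's own issuance feed (as the "weekly checks" in the timeline below did via crt.sh) catches this class of misissuance on day one; the harder problem the page describes is what happens in the five days after the check fires.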
Related
Sustaining Digital Certificate Security – Entrust Certificate Distrust
Google's Chrome Security Team distrusts specific Entrust certificates due to reliability concerns. Chrome 127 onwards won't trust certain Entrust TLS server authentication certificates dated after October 31, 2024. Website operators should review certificates for compliance.
Chrome will distrust CA certificates from Entrust later this year
Google will stop trusting Entrust CA certificates from November 1, citing compliance failures. Websites using Entrust certs, like moneygram.com and ey.com, must switch to a new CA to avoid security warnings. Enterprise customers can still trust Entrust.
Entrust certificates will not be trusted in Chrome 127+
The Chrome Root Program Policy is updating trust for Entrust CAs due to compliance issues. Entrust must show improvement to maintain trust. Chrome will oversee changes to safeguard users and the web.
Cloudflare 1.1.1.1 incident on June 27, 2024
Cloudflare faced a global incident on June 27, 2024, with its 1.1.1.1 DNS resolver due to BGP hijacking and a route leak. Despite affecting some users, Cloudflare responded by disabling peering locations and engaging with network operators to resolve the issue.
Telekom Security: Revocation delay for TLS certificates
Telekom Security experienced a delay in revoking TLS certificates, affecting 336 certificates due to basicConstraints not marked as critical. Efforts were made to prompt customers for replacement within 5 days. Lessons included the need for customer sensitization and faster certificate replacement procedures. Automation via protocols like ACME was considered for future processes. Stakeholders questioned the delay, but Telekom Security defended its decision based on low security risk and impact on critical infrastructures. The incident underscored challenges faced by CAs in ensuring timely revocation and the importance of continuous improvement for industry standards and trust.
> 2024-01-22
> 08:25 The error message “ERROR: basicConstraints MAY appear in the certificate, and when it is included MUST be marked as critical” in crt.sh was found in our weekly checks
> 2024-02-05
> 13:00 Videoconference with the management of the Trust Center with the decision to revoke all certificates that have not yet been revoked the next day
> 13:25 Information to customers about the final revocation of all certificates the next day
> 2024-06-02
> 15:41 All affected certificates are replaced and revoked.
Given the comment was posted 2024-02-09, the last date is probably a typo of 2024-02-06, aka within 16 days.
I know that in the US, ISP-wise, mostly Comcast has a bad reputation, but in the EU and from a business perspective, Deutsche Telekom is also not, eh, universally liked...
- they didn't make any mistake in delaying the revocation,
- they should be able (given enough insistence from their customers) to do so again at their own discretion in the future, and
- their inadequate handling of the incident and their apparent laissez-faire approach to the requirements for a CA should be accepted and deemed satisfactory by everyone else.
So first they don't produce any explanation, then they are on summer vacation? Truly WTF? If anything, Deutsche Telekom has demonstrated that they are not deserving of the trust given.