Health industry company sues to prevent certificate revocation
Alegeus Technologies has sued DigiCert to prevent the revocation of security certificates due to a flaw in validation. A Temporary Restraining Order has been granted, complicating compliance and raising security concerns.
Alegeus Technologies, a healthcare funding and payment platform provider, has filed a lawsuit against DigiCert, a major certificate authority (CA), to prevent the revocation of its TLS certificates. DigiCert identified a flaw in its domain control validation process that could have allowed unauthorized certificate issuance. Under the CA/Browser Forum's Baseline Requirements, a CA that obtains evidence that a validation should not be relied upon must revoke the affected certificates within 24 hours. Alegeus requested a Temporary Restraining Order (TRO) to halt this revocation, arguing that it needs more time to coordinate with its numerous clients, since its contracts stipulate longer notice periods for certificate changes. The TRO has been granted, leaving DigiCert caught between its revocation obligation under the Baseline Requirements and the legal consequences of defying a court order.

Alegeus's filing suggests a misunderstanding of the revocation rules: it attributes the 24-hour obligation to the Certification Authority Browser Forum's bylaws rather than to the Baseline Requirements that CAs are audited against. The situation raises concerns about the security implications of delayed revocation, since certificates whose validation cannot be trusted must be addressed swiftly to maintain trust in the WebPKI. The case highlights the tension between contractual obligations and security needs, and underscores the importance of automated certificate management (for example, issuance and renewal over ACME) so that an organization can replace certificates on short notice when a revocation event occurs. As the legal proceedings unfold, the outcome may prompt changes in how CAs and organizations manage certificate lifecycles and contractual agreements.
Related
Entrust certificates will not be trusted in Chrome 127+
The Chrome Root Program Policy is updating trust for Entrust CAs due to compliance issues. Entrust must show improvement to maintain trust. Chrome will oversee changes to safeguard users and the web.
Telekom Security: Revocation delay for TLS certificates
Telekom Security experienced a delay in revoking TLS certificates, affecting 336 certificates due to basicConstraints not marked as critical. Efforts were made to prompt customers for replacement within 5 days. Lessons included the need for customer sensitization and faster certificate replacement procedures. Automation via protocols like ACME was considered for future processes. Stakeholders questioned the delay, but Telekom Security defended its decision based on low security risk and impact on critical infrastructures. The incident underscored challenges faced by CAs in ensuring timely revocation and the importance of continuous improvement for industry standards and trust.
Deutsche Telekom issued invalid certificates, hasn't revoked them since 6 months
Telekom Security faced delays in revoking TLS certificates, impacting critical infrastructures. Efforts were made to replace 336 certificates within 5 days, highlighting the need for faster procedures and customer sensitization. Mozilla raised concerns about the response, emphasizing the importance of compliance with industry standards.
All I Know About Certificates – Certificate Authority
The article highlights the critical role of certificates in the TLS handshake for website identity verification, emphasizing trusted Certificate Authorities' responsibilities and the impact of free certificates from Let’s Encrypt.
DigiCert Revocation Incident (CNAME Domain Validation)
DigiCert reported a certificate revocation incident affecting 0.4% of domain validations due to improper Domain Control Verification. Customers must replace affected certificates promptly and follow reissue procedures.
It seems obvious enough how this would come about:
1. The healthcare company knows better than to do a Crowdstrike, where "just a configuration change" is rushed out with inadequate testing, for "security". As even a configuration change could trigger a latent bug, they agree configuration changes should be rolled out gradually, and not applied during clients' peak operating hours.
2. The healthcare company could have used "Let's Encrypt" to get certificates for free, if they wanted short-term certificates. But instead they paid $$$$ to DigiCert for certificates with a 12 month duration.
3. Even if Alegeus had read the small print saying mis-issued certificates can be revoked with only 24 hours of notice - they quite reasonably assumed DigiCert would have controls in place to avoid mis-issued certificates. Hasn't DigiCert told the browser vendors precisely that?
2. It's also true that there are rules, they exist for a reason, these Alegeus guys aren't special, and dragging this stuff into the courts is antisocial in the extreme. So it wouldn't be unreasonable for browsers to, say, explicitly blacklist their domains for as long as there conceivably might be noncompliant certs out there.
1. Alegeus creates white-labeled sites for their customers, but those sites are hosted on customer domains (usually for ease of sharing login cookies across subdomains on the customer), e.g. alegeus.customerdomain.com.
2. So the issue isn't necessarily that Alegeus can't update their systems, it's that their many customers can't update their DNS records fast enough to point to the new certs.
IMO, if you built a system (and I'm talking about DigiCert here) that expects thousands of customers can update everything at the drop of a hat to update their code, you built a bad system. I don't think it's too different from CrowdStrike, except it's as if CrowdStrike gave 24 hours notice instead, saying "Hey, all of our customers, just a heads up we're going to break all your machines in 24 hours, you really should have planned better if you can't handle that."
Alegeus is the one suing here because they've got tons of customers, but make no mistake this would cause outages for tons of other companies that use DigiCert.
Does that revocation requirement actually apply to these particular certificates?
If I've understood the problem it is that DigiCert was issuing challenge keys for DNS based validation that did not start with the required underscore.
The underscore is required to prevent an attack that only works against sites that allow users to create subdomains.
The particular sites of the plaintiff's clients are not such sites and so has the CA actually obtained "evidence that the validation [...] should not be relied upon"?
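The mechanism behind the underscore question above, as an added example that is not part of the original thread or of DigiCert's code: the Baseline Requirements (section 3.2.2.4.7) require the DNS label holding the CA's random value to begin with an underscore, because an underscore is not legal in a hostname label (RFC 952 / RFC 1123). A hosting service that lets tenants pick their own subdomain can therefore never hand out `_<random>.example.com`, whereas a bare `<random>.example.com` is a valid hostname a tenant could claim. The function names, the constructed sample record names, and the simplified hostname regex are assumptions for illustration; whether any particular site permitted user-created subdomains is not something the page establishes.

```python
"""Why the underscore matters for DNS-based domain control validation.

Added illustration, not code from the page or from any CA. Models:
  * the record name a CA asks an applicant to publish (with / without '_'),
  * whether a tenant who may register arbitrary subdomains could claim it,
  * an audit that flags validation names missing the required underscore.
"""
import re
import secrets

# Simplified RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. Underscore is deliberately absent.
_HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname_label(label: str) -> bool:
    """True if a user-facing hosting service could legitimately register this label."""
    return bool(_HOSTNAME_LABEL.match(label))


def validation_record_name(random_value: str, domain: str, underscore_prefix: bool = True) -> str:
    """Build the DNS name at which the CA expects its random value (assumed CA behaviour)."""
    label = ("_" if underscore_prefix else "") + random_value
    return f"{label}.{domain}"


def is_br_compliant_dns_validation_name(name: str) -> bool:
    """BR 3.2.2.4.7 check: the leftmost label must begin with an underscore."""
    leftmost = name.split(".", 1)[0]
    return leftmost.startswith("_") and len(leftmost) > 1


def attacker_can_claim(name: str) -> bool:
    """Could a tenant allowed to create arbitrary subdomains register this exact name?

    The underscore-prefixed label fails hostname syntax, so a subdomain-hosting
    service would reject it; the bare random label is a perfectly good hostname.
    """
    leftmost = name.split(".", 1)[0]
    return is_valid_hostname_label(leftmost)


def audit(record_names):
    """Return the validation record names that lack the required underscore."""
    return [n for n in record_names if not is_br_compliant_dns_validation_name(n)]


def demo():
    """Walk through one compliant and one non-compliant validation for a constructed domain."""
    domain = "example.com"  # constructed sample domain
    rnd = secrets.token_hex(16)  # 32 hex characters, a plausible random value
    good = validation_record_name(rnd, domain, underscore_prefix=True)
    bad = validation_record_name(rnd, domain, underscore_prefix=False)
    print(f"compliant   : {good}  tenant could claim? {attacker_can_claim(good)}")
    print(f"non-compliant: {bad}  tenant could claim? {attacker_can_claim(bad)}")
    return good, bad


if __name__ == "__main__":
    demo()
```

The audit function is the shape of check a CA or a large certificate holder would run over its issuance logs: every validation name it returns was proven by a record that a sufficiently privileged tenant of the target site could have created, which is exactly the "evidence that the validation should not be relied upon" the 24-hour revocation rule keys on, regardless of whether any such tenant existed.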
DigiCert's blog post…
DigiCert Revocation Incident (CNAME Domain Validation) (digicert.com) — https://news.ycombinator.com/item?id=41104504 — 136 points by vitaliyf 1 day ago
… and the Bugzilla entry where DigiCert reported this to Mozilla:
Digicert pauses mass certificate revocation due to legal action from customer (bugzilla.mozilla.org) — https://news.ycombinator.com/item?id=41114794 — 9 points by frakkingcylons 23 hours ago
Edit:
> Therefore, this is truly a security-critical incident, as there is a real risk (not a negligible 2^-150 risk as implied by DigiCert) that this flaw could have been exploited to get unauthorized certificates. Revocation of the improperly validated certificates is security-critical.
Yeah... have they proven that this wasn't exploited? With 83,000 certificates getting revoked this isn't a small scale mistake.
IANAL.
> DigiCert knew or should have known about its failure to properly complete the Security Certificates for Alegeus weeks ago.
'You should have known there were bugs in your code!'
> DigiCert is a voluntary member of the Certification Authority Browser Forum (CABF), which has bylaws stating that certificates with an issue in their domain validation must be revoked within 24 hours
"voluntary" is technically correct, I suppose. But let's assume they'd like to be a CA?
But then we go
> despite that DigiCert has arbitrarily chosen this less than 24-hour window
It wasn't arbitrary, it was a requirement, as the complaint itself pointed out…
> Alegeus has hundreds of such Clients. Alegeus is generally required by contract to give its clients much longer than 24 hours’ notice before executing such a change regarding certification.
Yet another example of that nobody ever thinks about cert rotation, ever.
> Consequently, due to the errors and delays of DigiCert alone, Alegeus cannot practically make all the required changes
Yeah, no, your error was not having a process to account for this in place.
The TRO also states,
> The threatened injury to Alegeus outweighs any injury DigiCert might suffer under the injunction.
Well, if DigiCert is removed as a CA because they've violated the CA/B BRs (at least, AIUI, they have) — that could be a pretty big injury. They're probably too big to fail, and "we tried but we had a TRO" is a pretty good excuse.
The TRO is scoped to only their certs, and only for 7 days (barring further orders), so it's at least pretty minimal? So I suppose DigiCert could revoke the rest.