Widespread SSL Certificate Revocation Disrupting Internet Transport Encryption with Further Disruption Planned for April and October

On Wednesday, Trustico (a Symantec reseller) triggered the revocation of roughly 23,000 SSL/TLS certificates, ahead of the disruptions planned for April and October, which affect any certificate sold under the Symantec, GeoTrust, Thawte, and RapidSSL brands.

While the April deadline for Symantec, GeoTrust, Thawte and RapidSSL certificates looms, Trustico’s method of revocation has caused further concern. Trustico wanted to move its customers from roughly 50,000 Symantec-provided certificates to new ones provided by Comodo. DigiCert, which had purchased Symantec’s certificate business, initially refused, on the basis that it would revoke that many certificates only in the case of a security breach. Trustico’s CEO then e-mailed 23,000 certificates’ private keys without encryption to DigiCert, thus creating a breach. The breach was compounded when a remote code execution vulnerability was found in Trustico’s website.

This situation calls into question Trustico’s practices as a certificate reseller. First, certificate vendors should not retain private keys. Second, Trustico’s choice to e-mail private keys put all communications using those keys at risk and may have failed to give customers the opportunity to replace the certificates before this risk window.

Impact
Any organization using one of the revoked Trustico-resold Symantec SSL certificates has lost the integrity of HTTPS connections to any server using that certificate. Users will generally see an untrusted connection error immediately and many will understand that a problem exists. Further, any organization using a Symantec certificate, including those branded as GeoTrust, Thawte, and RapidSSL, will face a similar problem on April 17th or in October, at which point Google’s Chrome and Mozilla’s Firefox browsers will begin stating that the certificates are untrusted. See the schedule below (under “Recommendations”) for more detail.

Recommendations
InGuardians strongly recommends that organizations audit their SSL/TLS certificates, determining which have been provided by Symantec, GeoTrust, Thawte and RapidSSL. Staff should replace every certificate provided by these companies well before the following deadlines:

April 17th: Certificates issued before June 1, 2016, will not work with Chrome 66.

May: Certificates issued before June 1, 2016, will not work with Firefox 60.

October: Certificates will no longer be trusted, as of Firefox 63.

October 23rd: Certificates will no longer be trusted, as of Chrome 70.

Organizations can use a number of tools to check their SSL/TLS certificates, whether for their web servers or their other SSL/TLS-enabled services. The popular open-source tool nmap will display information about the certificate enabled on one or more ports, like so:

nmap -v -sT -p 443 --script=ssl-cert www.inguardians.com | egrep '(Issuer|valid)'
| Issuer: commonName=GeoTrust RSA CA 2018/organizationName=DigiCert Inc/countryName=US/organizationalUnitName=www.digicert.com
| Not valid before: 2018-01-25T00:00:00
| Not valid after:  2019-02-24T12:00:00

Organizations should be careful to check all ports on a system, and not just the standard service ports for SSL/TLS.

Additional Resources
Google: “Chrome’s Plan to Distrust Symantec Certificates”
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Mozilla: “CA:Symantec Issues”
https://wiki.mozilla.org/CA:Symantec_Issues

DigiCert: “How do you handle mass revocation requests?”
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/wxX4Yv0E3Mk/QZt8UPhKAwAJ

Trustico® Abandons Symantec® SSL Certificates
https://www.trustico.com/news/2018/abandons/trustico-abandons-symantec.php