{"id":3115,"date":"2018-03-05T12:40:05","date_gmt":"2018-03-05T19:40:05","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=3115"},"modified":"2019-08-19T13:40:35","modified_gmt":"2019-08-19T20:40:35","slug":"widespread-ssl-certificate-revocation-disrupting-internet-transport-encryption-with-further-disruption-planned-for-april-and-october","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/brief\/widespread-ssl-certificate-revocation-disrupting-internet-transport-encryption-with-further-disruption-planned-for-april-and-october\/","title":{"rendered":"Widespread SSL Certificate Revocation Disrupting Internet Transport Encryption with Further Disruption Planned for April and October"},"content":{"rendered":"
Widespread SSL Certificate Revocation Disrupting Internet Transport Encryption with Further Disruption Planned for April and October

On Wednesday, Trustico (a Symantec reseller) triggered the revocation of roughly 23,000 SSL/TLS certificates, ahead of the April and October distrust deadlines that affect any certificate sold under the brands Symantec, GeoTrust, Thawte, and RapidSSL.

While the April deadline for Symantec, GeoTrust, Thawte and RapidSSL certificates looms, Trustico’s method of revocation has caused further concern. Trustico wanted to move its customers from roughly 50,000 Symantec-provided certificates to new ones provided by Comodo. DigiCert, which had purchased Symantec’s certificate business, initially refused, on the basis that it would only revoke so many certificates in the case of a security breach. Trustico’s CEO then e-mailed the private keys of 23,000 certificates, unencrypted, to DigiCert, thus creating exactly such a breach. The breach was compounded when a remote code execution vulnerability was found in Trustico’s website.

This situation calls into question Trustico’s practices as a certificate reseller. First, certificate vendors should not retain their customers’ private keys at all. Second, Trustico’s choice to e-mail private keys put all communications protected by those keys at risk, and may have denied customers the opportunity to replace the certificates before this risk window opened.

Impact

Any organization using one of the revoked Trustico-resold Symantec SSL certificates has lost the integrity of HTTPS connections to any server using that certificate. Users will generally see an untrusted-connection error immediately, and many will understand that a problem exists. Further, any organization using a Symantec certificate, including those branded as GeoTrust, Thawte, and RapidSSL, will face a similar problem on April 17th or in October, at which point Google’s Chrome and Mozilla’s Firefox browsers will begin stating that the certificates are untrusted. See the schedule below (under “Recommendations”) for more detail.

Recommendations

InGuardians strongly recommends that organizations audit their SSL/TLS certificates, determining which have been provided by Symantec, GeoTrust, Thawte and RapidSSL. Staff should replace every certificate provided by these companies well before the following deadlines:

April 17th: Certificates issued before June 1, 2016, will not work with Chrome 66.

May: Certificates issued before June 1, 2016, will not work with Firefox 60.

October: Certificates will no longer be trusted, as of Firefox 63.

October 23rd: Certificates will no longer be trusted, as of Chrome 70.

Organizations can use a number of tools to check their SSL/TLS certificates, whether on their web servers or on their other SSL/TLS-enabled services. The popular open-source tool nmap will display information about the certificate served on one or more ports, like so:

nmap -v -sT -p 443 --script=ssl-cert www.inguardians.com | egrep '(Issuer|valid)'
| Issuer: commonName=GeoTrust RSA CA 2018/organizationName=DigiCert Inc/countryName=US/organizationalUnitName=www.digicert.com
| Not valid before: 2018-01-25T00:00:00
| Not valid after:  2019-02-24T12:00:00

Organizations should be careful to check all ports on a system, and not just the standard service ports for SSL/TLS.

Additional Resources
Google: “Chrome’s Plan to Distrust Symantec Certificates”
https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html

Mozilla: “CA:Symantec Issues”
https://wiki.mozilla.org/CA:Symantec_Issues

DigiCert: “How do you handle mass revocation requests?”
https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/wxX4Yv0E3Mk/QZt8UPhKAwAJ

Trustico® Abandons Symantec® SSL Certificates
https://www.trustico.com/news/2018/abandons/trustico-abandons-symantec.php
","protected":false},"excerpt":{"rendered":"

\u00a0Widespread SSL Certificate Revocation Disrupting Internet Transport Encryption with Further Disruption Planned for April and October On Wednesday, Trustico (a Symantec reseller) triggered the revocation of roughly 23,000 SSL\/TLS certificates, in advance of April and October\u2019s certificate disruptions on any certificate sold under the brands Symantec, GeoTrust, Thawte, and RapidSSL. While the April deadline for […]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[169],"tags":[157,135,128,156],"_links":{"self":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3115"}],"collection":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/comments?post=3115"}],"version-history":[{"count":1,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3115\/revisions"}],"predecessor-version":[{"id":3116,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3115\/revisions\/3116"}],"wp:attachment":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/media?parent=3115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/categories?post=3115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/tags?post=3115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}