In the course of what it described as "a revocation exercise which should have been 'business as usual'", major certificate authority GMO GlobalSign left users around the world unable to reach websites that rely on its certificates. Browsers reported certificate security errors and in some cases refused to load sites whose certificates chain to a GlobalSign root.
GlobalSign, which manages several root certificates, also issues cross-certificates between those roots so that certificates issued under one root can be validated on platforms that trust only another, according to the company's webpage on the incident. To retire one of those links, GlobalSign placed the cross-certificate on a certificate revocation list (CRL); its Online Certificate Status Protocol (OCSP) responder then misinterpreted that single entry as a revocation of every certificate issued beneath the cross-certificate, and began answering "revoked" for them. Once the error in the handling of the CRL became apparent, GlobalSign removed the offending cross-certificate from the OCSP database and cleared all of its own caches, but OCSP responses are also cached by servers and browsers across the internet, so those bad answers can persist for days until the cached responses expire.
"The problem will correct itself in four days as the cached responses expire, which we know is not ideal," GlobalSign stated in its notification to customers. "However, in the meantime, GlobalSign will be providing an alternative issuing [certificate authority] for customers to use instead, issued by a different root which was not affected by the cross that was revoked, but offering the same ubiquity and does not require ... [a] reissue [of] the certificate itself."
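The mechanism behind both the outage and the workaround can be reproduced offline with a toy PKI. The script below is an added example written for this article; it is not GlobalSign's code and does not model its real hierarchy. The names "Root A", "Root B", "Intermediate" and "www.example.test", the serial numbers and the 4-day CRL lifetime are all constructed for the demo, and it uses CRL checking in "openssl verify" instead of an OCSP responder, because the effect on chain building is the same. Root B's key is cross-signed by Root A, so a leaf issued under an intermediate below Root B validates by two paths: through the cross-certificate up to Root A, or directly up to Root B's own self-signed certificate. Once Root A publishes a CRL that lists the cross-certificate, the first path fails with "certificate revoked" while the second still validates, which is why an issuing CA under a different, unaffected root restores service without reissuing any customer certificate.

```shell
#!/bin/sh
# Added example (not GlobalSign's code or infrastructure): a toy PKI showing why
# revoking a cross-certificate kills one validation path to a leaf but not the
# other. All names, serials and the 4-day CRL lifetime are constructed for the
# demo. Requires openssl 1.1.1 or later on PATH.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: one for CA-type certificates, one for the end-entity.
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > ca.ext
printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
  'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > ee.ext

# $1 = file stem, $2 = CN: fresh RSA key plus a CSR for it.
keycsr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}
# $1 = stem, $2 = CN: a self-signed root CA certificate.
selfsign() {
  keycsr "$1" "$2"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -set_serial 1 -days 365 \
    -extfile ca.ext -out "$1.pem" 2>/dev/null
}
# $1 = CSR stem, $2 = issuer stem, $3 = ext file, $4 = serial, $5 = output cert.
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$4" \
    -days 365 -extfile "$3" -out "$5" 2>/dev/null
}
# $1 = CA stem, optional $2 = certificate to revoke: (re)issue $1's CRL.
# "openssl ca" serves only as a CRL generator here; default_crl_days=4 mirrors
# the 4-day cache lifetime quoted in the article.
crl_for() {
  mkdir -p "$1.db" && : > "$1.db/index.txt" && echo 01 > "$1.db/crlnumber"
  printf '[ca]\ndefault_ca=x\n[x]\ndatabase=%s.db/index.txt\ncrlnumber=%s.db/crlnumber\ncertificate=%s.pem\nprivate_key=%s.key\ndefault_md=sha256\ndefault_crl_days=4\n' \
    "$1" "$1" "$1" "$1" > "$1.cnf"
  [ -z "$2" ] || openssl ca -config "$1.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1.cnf" -gencrl -out "$1.crl" 2>/dev/null
}

# Two self-signed roots; Root B's key cross-signed by Root A; an intermediate
# under Root B; a leaf under the intermediate.
selfsign rootA "Root A"
selfsign rootB "Root B"
sign rootB rootA ca.ext 1001 crossB.pem            # the cross-certificate
keycsr inter "Intermediate"; sign inter rootB ca.ext 2001 inter.pem
keycsr leaf "www.example.test"; sign leaf inter ee.ext 3001 leaf.pem
crl_for rootA; crl_for rootB; crl_for inter        # empty CRLs, nothing revoked yet

# Path 1: leaf -> Intermediate -> cross-certificate -> Root A (trust anchor).
verify_via_rootA() {
  cat inter.pem crossB.pem > chainA.pem
  cat rootA.crl rootB.crl inter.crl > crlsA.pem
  openssl verify -crl_check_all -CAfile rootA.pem -CRLfile crlsA.pem \
    -untrusted chainA.pem leaf.pem >/dev/null 2>&1
}
# Path 2: leaf -> Intermediate -> Root B's own self-signed certificate.
verify_via_rootB() {
  cat rootB.crl inter.crl > crlsB.pem
  openssl verify -crl_check_all -CAfile rootB.pem -CRLfile crlsB.pem \
    -untrusted inter.pem leaf.pem >/dev/null 2>&1
}
# Root A revokes the cross-certificate: the event that breaks path 1 only.
revoke_cross_cert() { crl_for rootA crossB.pem; }

report() { if "$1"; then echo "$2: OK"; else echo "$2: FAILS"; fi; }
report verify_via_rootA "before revocation, path via Root A"
report verify_via_rootB "before revocation, path via Root B"
revoke_cross_cert
report verify_via_rootA "after revoking the cross-certificate, path via Root A"
report verify_via_rootB "after revoking the cross-certificate, path via Root B"
```

Run it with sh. The -crl_check_all flag makes verify consult a CRL for every certificate in the chain, which is why the script issues empty CRLs for Root B and the intermediate too; without them verify fails with "unable to get certificate CRL" instead of reporting the revocation. The reader can see the same two paths on a live site with "openssl s_client -showcerts", where the served chain is what determines which root a client will walk to.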
UK-based blogger and professional software developer Infosec Guy explained in a blog post: "Yesterday, GlobalSign performed some internal maintenance and inadvertently revoked their intermediary security certificates while updating a special cross-certificate. This broke the chain of trust and ultimately nullified security certificates issued by GlobalSign to its customers."
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told SearchSecurity by email: "It's hard to know how many companies have been impacted, but with GlobalSign boasting over 25 million certificates relying on the public trust of the GlobalSign root CA certificate, the impact is undoubtedly significant."
Infosec Guy noted that "[c]ertificates issued by certificate authorities are 'cached' around the world, so for many users (who held a cached certificate from before GlobalSign made their mistake) there were no immediate issues, however, for others when they tried to access their favorite websites including Wikipedia, The Times, and more, these returned rather worrying errors about a certificate being revoked."
This is not the first disruption GlobalSign has experienced. In 2011, the attacker who had breached the DigiNotar CA earlier that year claimed to have attacked GlobalSign as well, but the compromise was confined to a web server isolated from GlobalSign's CA infrastructure, and no evidence of any intrusion into the certificate-issuing systems was found.