The Security Intern: Mass Certificate Revocation

Just as IT organizations around the world began to believe in life after critical-path-security-product outages, to loosely quote Cher, the satirical security intern appears again.

Intern-al Monologue: This time will be different! I'm going to start out making a difference in my new career at the certificate authority. I'll make my career on my latest finding. First day after transitioning from my last job on account of that little global outage, and wow, a brand new totally crazy flaw for me to report! This has been around for YEARS!!! There are thousands of websites out of compliance with CABF Guidelines section 3.2.2.4.7, which obviously requires domain labels used for validation to be prefixed with an "_" character! They have <24 hours to update their TLS certs, or they get to have an invalid cert error OUTAGE!

*runs it up the flagpole*

Management: Wow! With a finding like this, you're really going to make a name for m…yourself, let's fix this!

*runs it up the flagpole*

Marketing Team: We are very responsible at our CA, we can't let you, our valued customers, down, so you have to resolve the above-mentioned problem by minting and installing new certificates within 8 hours.

Valued Customers Just Waking Up in the Morning: Wait, 8 hours, really?

Marketing: Yes, since the 24 hours started 16 hours ago when they discovered and reported the issue, aaand since last time something like this happened the CABF totally revoked the offending CA from the trusted browser store, anyway our hands are tied and you now have 7 hours and 45 minutes.

Valued Customers: *scramble to address the issue*

CABF: Hey, we heard about what happened and we'd totally grant an exception here, it is a pretty pedantic issue, touches on non-issue status really, and you've been a trustworthy partner over the years, we get it, we think a little flexibility here would be good for everyone.

CABF, chuckling: I mean seriously, you manage, like, millions of certificates, how many of these couple thousand actually have a domain name overlap with a 31-character alphanumeric random TXT validation string?

Marketing: *chuckles along* Hey, valued customers, you totally only had 3 minutes left, but due to our close relationship with the CABF and our stellar record (we are awesome), and anyway as a bonus, you totally didn't don't need to do anything for 4 days because CABF rocks (and so do we!).

Valued Customers Who Just Spent 7 hours and 57 Minutes Scrambling: ...
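For anyone who wants to check the requirement the intern is waving around rather than scramble, here is an added example that is not part of the original post and not any CA's or the CA/B Forum's own code. BR 3.2.2.4.7 accepts a DNS validation record at the Authorization Domain Name itself or at that name prefixed with a label beginning with "_"; the reason the prefix matters is that an underscore is never valid in a hostname label (RFC 1123), so a prefixed validation name cannot overlap a legitimate subdomain. The 31-character random value length and the `example.com` names are assumptions for illustration.

```python
import re
import secrets
import string

# Added example, not the CA's or the CA/B Forum's code. The 31-character
# alphanumeric value length and the example.com names are constructed.

# RFC 1123 hostname label: letters, digits and hyphens, no leading or trailing
# hyphen, at most 63 characters. An underscore is never valid here, which is
# why a "_"-prefixed validation label cannot collide with a real host name.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def random_value(length=31):
    """Random alphanumeric value a CA would ask to see in the DNS record."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def validation_record_name(domain, value, prefixed=True):
    """Build the record name; prefixed=False reproduces the non-compliant form
    where the random value itself is used as the leftmost label."""
    label = f"_{value}" if prefixed else value
    return f"{label}.{domain}"


def is_compliant(record_name, domain):
    """BR 3.2.2.4.7: the record lives at the Authorization Domain Name itself or
    at that name prefixed with a label that begins with an underscore."""
    if record_name == domain:
        return True
    suffix = "." + domain
    if not record_name.endswith(suffix):
        return False
    return record_name[: -len(suffix)].startswith("_")


def could_collide_with_hostname(record_name):
    """True when every label is a syntactically valid hostname label, i.e. a
    real subdomain could share this exact name with the validation record."""
    return all(HOSTNAME_LABEL.match(label) for label in record_name.split("."))


def audit(records):
    """records: (record_name, authorization_domain_name) pairs.
    Returns the record names that would need re-validation and re-issuance."""
    return [name for name, domain in records if not is_compliant(name, domain)]
```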