In a recent development that could affect website administrators, DigiCert, a prominent digital certificate provider, has decided to revoke thousands of SSL certificates due to a technical error in the company’s domain validation process. This issue in DigiCert’s Domain Control Validation (DCV) process affected approximately 0.4 per cent of the certificates issued by the company. The error was a missing underscore character that should have been prepended to the random value used during verification, as stated in an announcement released by DigiCert.
Before issuing an SSL certificate, DigiCert must confirm that the applicant controls the domain name through a process called Domain Control Validation (DCV). One DCV method involves adding a specific record to the domain’s DNS settings that contains a random value supplied by DigiCert. By verifying the presence of this random value, DigiCert can confirm the applicant’s control over the domain. One of the approaches to adding this record requires the random value to be prefixed with an underscore character so that it cannot clash with subdomain names. Omitting this underscore is considered a security risk under the guidelines set by the CA/Browser Forum (CABF).
DigiCert recently discovered that their system was not consistently adding the underscore prefix to the random value in all CNAME-based DCV scenarios, resulting in the issuance of certificates based on incomplete validation processes. This violation of CABF requirements necessitates the revocation of all affected certificates within 24 hours to uphold trust and compliance. The proactive response from DigiCert contrasts with compliance failures noted in Google’s decision to distrust certificates issued by Entrust.
The origin of the error can be traced back to a system upgrade implemented by DigiCert in August 2019. While the new system streamlined the validation process, the code responsible for adding the underscore prefix was inadvertently omitted. This led to inconsistencies in validation paths, with some including the underscore and others not.
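The CNAME-based check described above and the two inconsistent validation paths, as an added illustration that is not DigiCert's code: the hardened check accepts only the underscore-prefixed label, the legacy path shows the flawed form, and an audit helper lists certificates whose validation relied on the non-compliant label. The DNS zone, CNAME target, certificate identifiers and random value are all constructed sample data.

```python
from dataclasses import dataclass

# Constructed CNAME target the applicant points the DCV record at (not DigiCert's).
CA_TARGET = "dcv.example-ca.invalid."

def dcv_label(random_value: str) -> str:
    """Label the applicant must publish: the random value with the
    underscore prefix the CA/Browser Forum requires for this method."""
    return f"_{random_value}"

def is_compliant_label(label: str, random_value: str) -> bool:
    """True only for the underscore-prefixed form of the random value."""
    return label == dcv_label(random_value)

def cname_dcv_passes(zone: dict, domain: str, random_value: str) -> bool:
    """Hardened check: only the '_<random>.<domain>' name counts.
    `zone` is a constructed stand-in for DNS lookups (name -> CNAME target)."""
    fqdn = f"{dcv_label(random_value)}.{domain}"
    return zone.get(fqdn) == CA_TARGET

def cname_dcv_passes_legacy(zone: dict, domain: str, random_value: str) -> bool:
    """The flawed path the page describes: underscore omitted, so a plain
    hostname '<random>.<domain>' is accepted as proof of control."""
    fqdn = f"{random_value}.{domain}"
    return zone.get(fqdn) == CA_TARGET

@dataclass(frozen=True)
class ValidationLog:
    cert_id: str        # hypothetical certificate identifier
    domain: str
    label_checked: str  # left-most label whose CNAME was verified
    random_value: str

def certs_needing_revocation(logs) -> list:
    """Audit past validations and list certificates whose DCV relied on a
    label without the underscore prefix (incomplete validation)."""
    return sorted(l.cert_id for l in logs
                  if not is_compliant_label(l.label_checked, l.random_value))

# Constructed sample data: one compliant validation, one from the flawed path.
RV = "1a2b3c4d5e6f70819a2b3c4d5e6f7081"
ZONE = {
    f"_{RV}.good.example.": CA_TARGET,
    f"{RV}.legacy.example.": CA_TARGET,
}
LOGS = [
    ValidationLog("cert-0001", "good.example.", f"_{RV}", RV),
    ValidationLog("cert-0002", "legacy.example.", RV, RV),
]
```

Running `certs_needing_revocation(LOGS)` on the sample returns only the certificate validated through the non-underscored path, which is the population a CA must revoke under the CABF rules.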
DigiCert estimates that around 0.4% of their active domain validations are impacted by this error. Affected customers have been notified and have a limited timeframe of 24 hours to replace their revoked certificates. The company has provided instructions on how to reissue certificates within their CertCentral platform, emphasizing the importance of replacing revoked certificates promptly to restore secure communication on web servers.
Moving forward, DigiCert is taking steps to prevent similar incidents in the future. These measures include consolidating random value generators to ensure consistent prefix addition, simplifying the user experience across all DCV methods, embedding compliance teams within development teams, expanding testing procedures for compliance checks, and open-sourcing the DCV process for community review and enhancement.
While the risk of a security breach due to the missing underscore is minimal, this incident underscores the significance of stringent domain validation procedures. Website owners are reminded to stay vigilant to security alerts from their certificate authorities and act promptly on certificate revocation notices. By maintaining up-to-date SSL certificates and adhering to best practices, a secure and trustworthy online experience can be ensured for website visitors.
