Carding Forum
The next 24 hours will be fateful for a million websites.
DigiCert, one of the leading certificate authorities providing SSL/TLS certificates, including Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV), has announced a massive revocation of SSL/TLS certificates due to an error in domain verification. As a result of this error, which affects approximately 0.4% of all domain checks conducted by the company from August 2019 to June 2024, customers must re-issue certificates within 24 hours.
DigiCert reports that the problem was caused by an error in the domain verification process. When issuing certificates, the company had to verify that the domain belongs to the client, using the method of verification through DNS records. This method involved adding a random value to the DNS CNAME record and performing a DNS query to confirm that the values match.
CABF requires that the random value be separated by an underscore to prevent collisions between the domain and subdomain. However, as it turned out, in some cases the underscore was not added. "This affected approximately 0.4% of domain checks conducted from August 2019 to June 2024. According to strict CABF rules, certificates with errors in domain verification must be revoked within 24 hours without exceptions," DigiCert explained.
The error occurred due to a system update in August 2019, which removed the automatic addition of underscores in some validation paths. The problem went unnoticed until June 2024, when the User Interface Improvement project fixed random value generation.
The company has taken steps to prevent such incidents from happening again: it has revised and consolidated its random value generators, simplified the user interface, increased test coverage for compliance-based scenarios, and plans to open the DCV source code for public review by November 1, 2024.
Customers need to log in to their DigiCert CertCentral account to identify affected certificates. Then you need to create a new Certificate Signing Request (CSR) for the domain, pass domain verification, and reissue the certificates through the CertCentral portal.
If the process is not completed within 24 hours, it will result in a lost connection for the site or app. The question of the number of affected certificates remains open, as DigiCert has not yet commented on this issue.
Source
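The DNS-based verification described in the post, as an added example (not DigiCert's code): the challenge name is built from a random value and the domain, the compliance check insists on the leading underscore, and an audit helper flags stored challenge names that were issued without it. The DNS table, the domain `example.com` and the CNAME target `dcv.example-ca.test.` are constructed for this example.

```python
import re
import secrets

# Constructed stand-in for DNS: maps a CNAME owner name to its target.  A real
# validator would query DNS; this table only lets the example run offline.
FAKE_DNS_CNAME = {
    "_a1b2c3d4e5f6.example.com.": "dcv.example-ca.test.",  # compliant record
    "a1b2c3d4e5f6.example.com.": "dcv.example-ca.test.",   # underscore missing
}

# Ordinary hostname label: letters, digits, hyphens; no leading underscore.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def generate_random_value(nbytes: int = 6) -> str:
    """Random challenge value (hex for readability; a CA would use more entropy)."""
    return secrets.token_hex(nbytes)


def build_dcv_name(random_value: str, domain: str, use_underscore: bool = True) -> str:
    """Owner name of the CNAME the applicant must publish.  use_underscore=False
    reproduces the defective validation path described in the post."""
    prefix = "_" if use_underscore else ""
    return f"{prefix}{random_value}.{domain.rstrip('.')}."


def is_hostname_label(label: str) -> bool:
    return HOSTNAME_LABEL.fullmatch(label) is not None


def is_compliant_dcv_name(name: str) -> bool:
    """The challenge label must begin with '_'.  Without it the label is a legal
    hostname, so the record could be published by whoever controls that
    subdomain instead of by the holder of the domain being validated."""
    return name.split(".", 1)[0].startswith("_")


def verify_dcv(name: str, expected_target: str, lookup=FAKE_DNS_CNAME.get) -> tuple:
    """Compliance check first, then the DNS comparison the CA performs."""
    if not is_compliant_dcv_name(name):
        return False, "non-compliant: challenge label lacks leading underscore"
    if lookup(name) != expected_target:
        return False, "mismatch: CNAME target differs from expected value"
    return True, "ok"


def find_affected(dcv_names: list) -> list:
    """Audit stored challenge names; those returned need revalidation and reissue."""
    return [n for n in dcv_names if not is_compliant_dcv_name(n)]
```

Running `find_affected` over a CA's stored challenge names is the kind of check that would have surfaced the missing-underscore path before the 24-hour revocation deadline forced it.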